#Article

The Big Compliance Issue for 2021: Risk Assessments


The Big Compliance Issue for 2021: Risk Assessments

Getting ahead of next year’s challenges should be top-of-mind for compliance officers

By Matt Kelly, Editor and CEO, RadicalCompliance.com

If 2020 offered compliance professionals one lesson to remember for 2021, it’s this: keep your risk assessment capabilities sharp.

Time and again, 2020 has hammered that message home to the corporate world. Sometime the message was delivered via geopolitical events, such as the pandemic or the social justice protests that wracked the United States. Other times the message arrived in pronouncements from regulators, such as the latest iteration of Justice Department guidance about effective compliance programs released in the summer.

Understand Your Risks

Organizations need to understand the compliance risks that arise from their operations and the larger business environment they face. 2020 underlined the importance of that point — three times over, in thick red ink — but the point will remain true in 2021 and beyond.

For example, many businesses will spend 2021 trying to return to “normal” work, even if that state of affairs doesn’t quite resemble what work was in 2019. Calls for more diversity and racial equity in large organizations will continue. Rock-bottom interest rates, which will last for years to come, mean mergers and acquisitions will keep coming. All of those forces will bring new risks to corporations.

Meanwhile, the Justice Department and other regulators are crystal clear that they want to see a risk-based approach to corporate compliance. Which means the company can assess its risks, and then build a compliance program that handles those risks thoughtfully.

That’s difficult enough to do under the best of circumstances. 2021 is likely to be some of the most tumultuous circumstances, instead.

Compliance officers can get ahead of that challenge in a few ways.

Create a Risk Profile for your Organization

An effective risk analysis crucial to your compliance program. This free webinar outlines the 10 essential steps to create your company's risk profile.


Watch the Webinar

Know the Business and its Environment

A compliance officer can’t assess risk effectively unless he or she understands the company’s place in the world. Which business units are seeing the most growth or decline, and why? Which operations does the board see as critical to the company’s future? Is your strategy to be highly acquisitive, aggressive for organic growth, or something else? What prior history has your business had with compliance success or failures? And so forth.

The point here is that you want to understand your company “in motion,” so to speak — to understand why it does what it does, almost regardless of regulatory compliance concerns. Only then can you understand how compliance issues and other risks might influence the company’s trajectory.

Have the Right Tools at Hand

Assessing risk requires information, so you’ll need tools both to collect that information and to process it all into something the executive brain can analyze and digest.

For example, assessing your anti-corruption risks might involve looking at due diligence completion rates for third parties or risk-rankings for customers around the world. Assessing harassment risks might involve employee surveys or focus groups, or crunching data from your internal complaints line. Assessing cybersecurity risk could mean penetration tests done by the CISO or security assessments provided by your vendors.

A thorough risk assessment could require many different tools and techniques. Consider the ones you’ll need and gather them early, rather than invent them during a crisis.

Risk Assessment Form and Matix

Need help conducting your risk assessment. Use this form and matrix to put your risks into perspective.


Risk Matrix Template

Work With Your Board to Clarify Risk Tolerance

Compliance programs mitigate risk so that it stays within acceptable levels; they don’t eradicate risk out of existence. But if your goal is to keep risk within acceptable levels, you need consensus on what those acceptable risks are — and the board is crucial to deciding that.

The pandemic is an excellent example of the challenges here. It has forced companies to confront questions around cybersecurity, fraud, harassment, and other risks; and most of those questions have no clear answers. Do too little, and you’re in a position of “under-compliance.” On the other hand, too many controls might create a state of “over-compliance,” where you’re doing more than makes sense.

As you move from risk assessment to risk mitigation plan, you’ll need consensus from the board and senior management about how much mitigation is appropriate. Have those conversations early, and often.

Document Your Changes

Despite the chaos of 2020, at some point in the future life will resume some semblance of normalcy: vaccines administered, people back in the office, recession fading, and the like. As that normalcy returns, most companies will need to revisit their policies and procedures again — so memorialize the changes you’re making now, to understand what might be necessary at that future time.

For example, some new policies or procedures might only need to be temporary; document that as part of a plan to let obsolete changes expire. Or if regulators come knocking years in the future, asking about conduct happening today, you can provide a record of the company’s decision-making process. Without a process to document your changes, none of that happens.

If you can hone those four skills, your ability to assess risk will be in much better shape. Which is good news, because no matter what 2021 may bring, you’ll need every bit of ability you can get.