
Compliance Week round table discussed risk assessment. Did they get it right?

Matt Kelly of Compliance Week is somebody I follow for his application of intelligence and wit to the topics of risk management, compliance, and governance.

He just posted a blog on The Elusive Art of Risk Assessment where the topic was risk assessments as they relate to anti-corruption programs.

The question that interested Matt was how to perform a risk assessment. Should it be based on the input of employees (bottom-up) or driven from the top (top-down)?

His conclusion, with which I agree, is that you need some combination of views from the top and also from the people in the front lines.

Where I differ is with the implied conclusion that a periodic risk assessment involving a workshop, survey, or similar exercise is sufficient.

If you want to manage the risks of corruption, and their impact on reputation, loss of assets, etc., you need a continuing program of monitoring and responding to risks.

Risks change as factors like these change: your management and other personnel, the use of agents and channels, the volume of business, economic conditions, the level of regulatory and press attention, etc.

My point: if you want to manage corruption risk, whether for US FCPA, UK Bribery Act, or just because it makes good sense, you need both periodic intensive reviews and a continuing monitoring program.

Risk officers and compliance officers need to work together, using their combined expertise to do this right.

What do you think?

  1. Richard Fowler
    June 20, 2011 at 10:01 AM

    I’m not sure I agree, Norman. A periodic risk assessment, whether for anti-corruption activities or other GRC issues, will help the GRC team focus their efforts on the higher risk areas. The output of the risk assessment is the work plan, and if you are constantly reassessing the risks then you may be adjusting your risk mitigation activities too frequently for them to be effective. That’s not to say that the risk officers and compliance officers ignore organizational changes — that should be a part of the routine. But not so much that they are reperforming the full risk assessment on a continuing basis. Especially where anti-corruption activities are concerned, as they typically take significant time to identify, investigate, prosecute and correct instances of corruption. It’s never wise to change horses mid-stream.

  2. Norman Marks
    June 20, 2011 at 10:23 AM

    Richard, I am not suggesting that you should be constantly performing a full risk assessment – only that looking at the risk once a quarter or so may not be enough. Put monitoring in place for the areas that could hurt you more and quickly. Does that make sense?

  3. Ck6
    June 20, 2011 at 11:30 AM

    All risk management programs should be dynamic. Anti-corruption reviews are no different from cash flows or logistics management from a risk standpoint. Reputation issues arise when something goes wrong and when a certain process is valued differently from other processes in the organization.

  4. June 20, 2011 at 7:50 PM

    Norman, I agree. To manage corruption risk, you need both periodic intensive reviews and a continuing monitoring program, such as an aggressively upbeat employee outreach program and enterprise-wide employee feedback loop that acquires risk intelligence from middle managers and employees.

  5. Christian Bistaffa
    June 21, 2011 at 5:05 AM

    Norman, as you know: the business is always evolving, it’s dynamic, certainly not static, and in the same way the risks follow the business. Thus, you need to constantly monitor your flows and processes, and automatically (if possible) survey your business to evaluate and try to decrease as far as possible any risk(s) of disruption or fraud or any security issues, to keep always on track.
    It’s obvious, but it’s not so easy to put in place. The more you monitor your business, the more you put in place controls & procedures, the more you decrease the risk of being in trouble. Because it’s a cyclic process, I am convinced it has to be done on a regular basis (it’s like the engine in your car: regularly you need preventive maintenance to avoid breaking it). It’s exactly the same for your critical processes: regularly you need to verify they are still robust & still working, and perhaps you need to update the controls to be more robust & keep your business in good shape.

  6. Alfred John Bacon
    June 21, 2011 at 11:42 AM

    Most large companies have spent a lot of money installing large ERP systems, where there is a whole lot of information available that can help identify risks about to materialize. Delayed plant maintenance, due to budget cuts, may indicate a higher possibility of equipment failure. Lower employee training hours, also due to budget cuts, may indicate a higher probability of accidents in hazard-prone industries. Aggregate credit risk in multiple business units may not be noticed by upper management, and the various business units may feel that the situation is normal in relation to the same supplier, who may be about to default.

    There are several suppliers of GRC systems on the market which are able to monitor KRIs in a proactive manner and automatically send managers alarm signals for KRIs that have gone above their configured thresholds, so that the information can be checked and dealt with before the situation turns into a loss event. But very few companies have actually invested in these automated risk identification systems.

    Regular reviews, done via questionnaires, depend on how knowledgeable managers really are about the facts in their jurisdiction and how ready they are to point out their own mistakes – personally I prefer automated detection systems that work on real data in the ERP, which removes the human factor.

    Of course, the existence of automated solutions does not invalidate regular reviews via questionnaires; both can coexist, with different functionalities.
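    As an added illustration of the aggregate-exposure point in Alfred’s comment (example code, not from the post or from any GRC product): a per-unit check sees nothing wrong, while the enterprise-wide KRI fires once exposure to one supplier is summed across business units. The unit names, supplier, amounts and thresholds are all constructed.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Exposure:
    """One open payable line as it might be exported from an ERP (constructed shape)."""
    business_unit: str
    supplier: str
    amount: float


# Constructed sample ERP extract: three units each owe the same supplier an amount
# that looks unremarkable in isolation.
SAMPLE_EXPOSURES = [
    Exposure("Plant A", "Acme Castings", 400_000.0),
    Exposure("Plant B", "Acme Castings", 350_000.0),
    Exposure("Plant C", "Acme Castings", 300_000.0),
    Exposure("Plant A", "Other Supplier", 120_000.0),
]

UNIT_THRESHOLD = 500_000.0        # limit a single business unit watches (constructed)
ENTERPRISE_THRESHOLD = 750_000.0  # group-level single-counterparty limit (constructed)


def unit_level_breaches(exposures, threshold=UNIT_THRESHOLD):
    """Per-unit view: each unit compares only its own exposure against the limit."""
    return [e for e in exposures if e.amount > threshold]


def aggregate_by_supplier(exposures):
    """Sum exposure to each supplier across all business units."""
    totals = defaultdict(float)
    for e in exposures:
        totals[e.supplier] += e.amount
    return dict(totals)


def enterprise_level_breaches(exposures, threshold=ENTERPRISE_THRESHOLD):
    """Group view: aggregate first, then test the KRI threshold.
    Returns (supplier, total, contributing units) for each breach."""
    alerts = []
    for supplier, total in aggregate_by_supplier(exposures).items():
        if total > threshold:
            units = sorted({e.business_unit for e in exposures if e.supplier == supplier})
            alerts.append((supplier, total, units))
    return alerts


def kri_alerts(exposures):
    """Alarm lines a monitoring job could send to managers when the KRI is breached."""
    return [f"KRI breach: aggregate exposure to {s} is {t:,.0f} across {', '.join(u)}"
            for s, t, u in enterprise_level_breaches(exposures)]
```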

  7. Norman Marks
    June 21, 2011 at 12:07 PM

    Alfred, I assume you meant ‘risk management’ systems rather than ‘GRC systems’.🙂

    • Alfred John Bacon
      June 21, 2011 at 12:14 PM

      Well, the term GRC is a generic industry term for Governance, Risk and Compliance, which includes Risk Management but in a broader view, including automated control monitoring to identify risks. I am not making any reference to a particular product that may have adopted the term GRC…

  8. July 16, 2011 at 12:34 PM

    Interesting post, thanks.

    Different risk categories will require different approaches but there are similarities too IMO.

    In the world of InfoSec risk, one would certainly want to involve front-line people who know first-hand about technical and administrative risks. In fact, not only should they be involved; risks should be owned and treated locally when possible. Some will have to be escalated. All should be reported. And monitored, of course. Having a creative workshop once a year is not enough; one has to keep an eye on the ball and follow up on risk treatment.
