Compliance Week round table discussed risk assessment. Did they get it right?
Matt Kelly of Compliance Week is somebody I follow for his application of intelligence and wit to the topics of risk management, compliance, and governance.
He just posted a blog on The Elusive Art of Risk Assessment where the topic was risk assessments as they relate to anti-corruption programs.
The question that interested Matt was how to perform a risk assessment. Should it be based on the input of employees, bottom-up, or driven top-down?
His conclusion, with which I agree, is that you need some combination of views from the top and also from the people in the front lines.
But where I differ is with the implied conclusion that a periodic risk assessment involving a workshop, survey, or similar exercise is sufficient.
If you want to manage the risks of corruption, and their impact on reputation, loss of assets, etc., you need a continuing program of monitoring and responding to risks.
Risks change as factors like these change: your management and other personnel, the use of agents and channels, the volume of business, economic conditions, the level of regulatory and press attention, etc.
My point: if you want to manage corruption risk, whether for US FCPA, UK Bribery Act, or just because it makes good sense, you need both periodic intensive reviews and a continuing monitoring program.
Risk officers and compliance officers need to work together, using their combined expertise to do this right.
What do you think?