Is your risk assessment up to date? This is a question that should regularly be asked within any financial institution. Unfortunately, in most cases, the answer is postponed or even ignored, up until the moment when a government agent needs to evaluate that company’s compliance program.
The most essential anti-corruption guides around the world certainly include risk assessment as one of the items needed to consolidate a robust compliance program. And this is one of the first points to be evaluated by a government agent when identifying whether a company’s compliance program is effective. It is important to note that when the US Department of Justice (USDOJ) prosecutors, for example, are instructed to evaluate a compliance program, they begin with risk assessment. After all, the risk assessment is the one component that enables a compliance program to be customized to the company’s business, based on its risk profile and the degree to which the program dedicates analysis and resources appropriate to its risk range.
Risk assessment refers to the process through which threats that could negatively impact the company, together with the estimated frequency with which they could occur, are identified, followed by the identification of measures the company could take to prevent or remedy such occurrences. A hazard becomes a risk once the real possibility that it could negatively impact the company’s business is identified.
The analysis and identification of threats must take into account:
(i) the company’s risk history;
(ii) the country’s risk history;
(iii) the location of the company’s operations;
(iv) the industrial sector in which the company operates;
(v) how robust its compliance program is;
(vi) the degree of market competitiveness;
(vii) how aggressive the goals imposed by top management are;
(viii) the regulatory scenario;
(ix) potential customers and business partners;
(x) transactions with national or foreign governments;
(xi) payments to national or foreign government officials;
(xii) use of third parties in the business of the company;
(xiii) meals with third parties;
(xiv) gifts for or from third parties;
(xv) travel paid to third parties;
(xvi) entertainment expenses, and charitable and political donations.
The result of a risk assessment process allows the company to:
A risk assessment must always evaluate this potentially contradictory trade-off: severity of impact versus probability of occurrence. Regardless of the risk matrix model to be used, the classification of the risk level will always consider both factors and prioritize the prevention or remediation of risks. Heat maps are usually an excellent heuristic to facilitate the visualization of the identified risks and their respective classification.
The periodicity of risk assessments must be determined by each company in its own policies, considering aspects such as the changing competitive scenario, the changing legal framework, and the history of risks and costs. But the interval should never exceed three (3) years, because imminent hazards not previously identified could significantly affect the business.
The question remains whether risk assessments should be carried out internally by compliance officers or by external experts hired for this purpose. The answer is not complicated since it is necessary to have the appropriate expertise to execute such a project. While there are systems being sold on the market that offer the possibility of being customized, most are unlikely to achieve the desired results. Another aspect to be considered is the time required for this project, which is not always compatible with an internal compliance officer’s working hours, especially in companies operating with reduced personnel.
The question then remains: Is your risk assessment up to date?