I’m listening now to two great people—Tom Fox and Scott Moritz—talk about a subject that’s much talked about but normally done very badly: risk assessments.
Both agree that your compliance program should be informed by your risk assessment, and not vice versa.
Tom gives (as always) a common sense approach: think first, then plan, then write, then implement, then validate, then improve.
Scott says, and rightly so, that programs are always in flux, and so to have a risk assessment as a photograph doesn’t make sense. You need a process to incorporate new information like changes in the law or regulatory trends. Also, you need to incorporate lessons learned from internal failures. “Intelligent Failure” as discussed in a recent Harvard Business Review.
Scott raises a good point: differentiate between the “must-haves” and the “nice-to-haves.” For each critical need, you must have a corresponding fix that is pending. [Howard comment: this list—needs and fixes—will form a large, important piece of your internal marketing efforts. This is what you’ll socialize, and what you’ll track in monthly updates with senior leaders, and what you’ll continually re-evaluate as new information arises. And by separating out must vs. want, you’ll gain credibility with those who control the budget that you’re going to be poaching from somebody.]
Both Tom and Scott acknowledge that geography is a key risk determinant. If you move to a new market, you need to assess the risk before you go in. Another risk determinant is industry.
[Howard comment: they are really covering the basic elements of an assessment. But as basic as it is, you’d be amazed how many companies get it wrong. Getting it wrong can include reverse-order problems, such as having your program first and then backing into your assessment. Or failing to plan; we all know that’s planning to fail.]
What the regulators want to see, more than any specific point in an assessment, is that you thought through the issues before you designed your controls. Every once in a while, you get a situation where the controls can be implemented blind. But those are few and far between. Can you show that you’ve thought through geography, industry, employee roles (government sales, e.g.), and others? And that after thinking it through, that you then designed controls?
Should you assess customers, the host asks? If the customer base adds risk (for example, if it’s a government JV or an SOE), then yes. You need to bifurcate between government and non-government, and make sure that all information is given to relevant employees through meaningful communication. [Howard’s comment: he’s completely right about the communication needing to be meaningful. Through multiple channels and to multiple audiences.]
Scott: tailor your training. To employee roles, to Finance, to Internal Audit, to Compliance. Give them all different training.
New topic: where do companies go wrong?
Scott: some organizations shy away from benchmarking out of fear of exposing proprietary information. That’s a missed opportunity. [Howard comment: he’s right again.] People are very generous in this space with their time, and there are forums for sharing. Not having a mechanism to learn from your peers is a mistake. That’s low-hanging fruit, but you have to be willing to open up. [Howard comment: he’s right again…when you’re dealing with Scott, you should get used to hearing those three words.]
Tom: Companies fail to discuss and clarify roles early on. You’ll fall into mission creep. [Howard comment: also, in my opinion, you should be careful not to let the perfect be the enemy of the good. You need to get this done. You can—and should—re-evaluate. Get it done.]
Scott: emphasize the positive. Cheer successes. Someone saves the company money by being vigilant? Recognize that.
Both: the assessor should be somewhat, if not completely, independent.
Now they’re answering questions.
My favorite question (other than the one I asked), is “Can risk assessments be outsourced?” Um, yes, and by Scott or Tom. Scott made a good point that it’s often outsourced because there’re no resources internally. I think he was talking about people free to do it. I’d also bring up that risk assessments need to be done by people who know how to do one. How to ask questions. How to evaluate answers. How to evaluate what’s really going on. If you don’t have that, you don’t have a usable assessment.
A great webinar, in my opinion.