On Thursday, June 30 NAVEX is hosting the master class, “Measuring Compliance in the New Normal”. This post, originally written by co-host for the first session, Kristy Grant-Hart, CEO of Spark Compliance Consulting, shares a preview into some of the findings and insights this master class has to offer.
This post was originally featured on Kristy Grant-Hart’s blog.
Coming up this Thursday, June 30, I have the honor to co-host 90 minutes of NAVEX’s deep dive into the results of its recent survey of over 1,100 compliance professionals on the state of the profession. Oh my, there’s SO MUCH there to digest. But as I did my review of the 70+ slides of data we’ll be discussing during the masterclass, one theme came up in technicolor: performing risk assessments well enough to facilitate a risk-based approach to the compliance program is rare indeed. Here’s the scoop.
A majority are doing it – but not well
First, the good news. When it comes to risk assessment, the survey found that 74% of respondents said that they had a current risk assessment and that it is subject to periodic review. That’s up 4% from last year, when 70% of respondents reported the same. Still, that means that one in four survey representatives does not have a risk assessment at all.
Next, the bad. Where does the information from the risk assessment come from? Less than half of respondents said that it was fed by continuous access to operations data across business functions. While this is up 7% from 2021, it’s still not great.
Last, the ugly. Only 46% of respondents stated that their risk assessment “has resulted in a risk-tailored resource allocation that devotes greater time and scrutiny to high-risk areas and transactions." It’s astonishing to think that of the 74% of respondents that have a current risk assessment, 28% don’t use the risk assessment results to inform the rest of the program.
A well-done risk assessment is the backbone of an effective program. Risk assessments pinpoint the areas of the business that need the most attention. Attention translates into focus. Focus leads to budgetary and human resource allocation that favors the areas that need the most care. A risk assessment that sits on a shelf and doesn’t inform further decision-making is still better than no risk assessment at all, but not by much.
The lack of reliance on risk assessment outcomes to create a risk-based approach was evident in other parts of the survey. For instance, when it comes to training, only 11% of respondents stated that they were doing an excellent job of “tailoring training for high-risk and control employees.” On the opposite end, 22% said they were doing a fair job of tailoring training for high-risk and control employees, and 15% said they were doing a poor job of it. That means over a third of respondents don’t focus on high-risk employees in the way they should. Ouch.
The lack of a good risk assessment flowing down to focus on high-risk employees is likely a key factor in these outcomes.
And third-party management – oh dear!
The results were worse in third-party management. 36% of respondents said they were poor or fair at “allocating varying degrees of resources to manage and mitigate third-party risk based on their level of risk.” Only 8% said they were excellent at this.
One in four said that “we apply the same approach to all third parties regardless of risk,” and only 24% were able to say that they stratify risk and apply different levels of due diligence based on that risk.
The risk-based approach is thoroughly endorsed
Taking a risk-based approach can be scary, but the regulators have strongly endorsed that approach. The DOJ’s 2020 Evaluation of Corporate Compliance guidance could not be clearer about this. It includes specific questions around resource allocation:
Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors? Does the company give greater scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) than more modest and routine hospitality and entertainment?
Without a strong risk assessment that flows through to the allocation of time and monetary resources, these answers are difficult to find.
What to do now
If you have a risk assessment (I’m looking at you 74%), fantastic! Take it out, review the outcomes, and refocus your plan. Focus particularly on training, communications, policy drafting/updating, and approach to third parties. If you don’t have a risk assessment, there’s no time like the present.
The Thursday masterclass will be fascinating and there’s still time to sign up to join!