
Practical guidance on risk assessments

In our previous post, we launched an in-depth look at compliance risk assessments, since a good risk assessment is the most important tool in a compliance officer’s toolkit.  

That first post covered several important basics: How often should you perform a compliance risk assessment? How do you convince others in your organization to participate? Should you do your compliance risk assessment yourself, or fold it into a larger enterprise risk assessment?

Today, let’s move on to more practical questions: 

  • How do you determine what your biggest compliance risks are?
  • Where do key risk indicators (KRIs) for compliance come from?
  • What do you do with the findings of your risk assessment?

Identify your key risk indicators

Key risk indicators (KRIs) are crucial for a successful compliance program and for compliance risk assessments because they tell you how well your compliance program is performing over time. If your KRIs rise into a danger zone (say, a sudden spike in control violations), that tells you something is amiss – perhaps amiss enough to warrant a new compliance risk assessment. 

Typical KRIs might be metrics such as:

  • Frequency of employees falling for phishing attacks. The risk here is a privacy or security violation, and the issue is that your security training might not be effective. 
  • Number of payments sent to third parties with incomplete due diligence documentation. This is an indicator of bribery and corruption risk, and the issue is an internal control weakness. 
  • Unaddressed audit findings. This is an indicator of “tone at the top” risk, since management isn’t leaning on business units strongly enough to get those issues addressed.

Your compliance risk assessment will help determine your compliance KRIs. For example, if your company’s business objective is to expand internationally into emerging markets, you might be at high risk for corruption or export control violations. Your KRIs might therefore focus on documenting third-party due diligence. 

Your KRIs can then inform your risk assessment by helping you understand the internal, qualitative risks we mentioned earlier. For example, if you see a steady climb in employees falling for phishing attacks, that’s a training risk that might cause any number of compliance failures (HIPAA, GDPR, and more). That insight helps you sharpen your risk assessment, which in turn helps you understand what remediation steps would make the most sense.

What do you do with your risk assessment’s findings?

The findings from your risk assessment help you decide how to put your compliance program in motion: which policies and procedures to update, where to conduct training (and on which subjects), how to set long-term budget and staffing needs, and so forth. They will also help you understand which alliances across the enterprise you’ll need to nurture, such as with finance, HR and IT security.

But those are only the internal benefits within your compliance department. A good risk assessment serves a larger purpose, too. It connects the work you do to the story you tell others.  

For example, a good risk assessment will help you explain your work to regulators; it shows them the logic behind your program activities and how those activities tie to the company’s risks. That’s what the U.S. Justice Department wants to see, per its guidelines for an effective compliance program: Is the program well-designed? Is it well-resourced and empowered? Does the program work in practice? A good compliance risk assessment will help you to answer all three questions. 

A good risk assessment also helps you explain your actions and budget requests to senior management. It helps you tell the story of why you want certain changes, investments, or commitments of time; and connects those requests to the company’s strategy, risks and operations.  

The ultimate goal is a compliance program that is responsive to business risks, even as those risks change over time; a program that helps the organization pursue its business objectives in a durable, risk-aware manner, rather than stopping over and over to repair compliance, ethics, or technology failures.  

That’s a story management teams want to hear. A good risk assessment helps you tell it.