The 10 steps of an effective ethics and compliance risk assessment
Use this checklist to confirm you’ve covered the essential activities that support a structured, defensible and effective risk assessment process.
1. Get leadership buy-in
Active and visible support from senior executives and the board of directors is a key component of a successful risk assessment.
Without it, risk assessments can lose momentum, avoid or inadequately deal with certain issues, or have their quality impaired by other executives and managers choosing not to participate.
2. Define roles and responsibilities
Define who should own the risk assessment and who needs to be involved. Clearly delineated roles and responsibilities should be communicated and understood.
3. Secure adequate resources
The function leading the risk assessment, whether it be compliance or another department, is unlikely to have expertise in every area. It will therefore require support from other functions including legal, risk management, internal audit, sales and marketing, procurement, finance, HR, supply chain and corporate affairs (this list is not exhaustive).
Stakeholders should discuss the implementation plan, timeframe, resources and any enhancements that could make the risk assessment more effective.
4. Establish your risk appetite and risk tolerance level
Determine your organization’s risk appetite and risk tolerances early in the risk assessment process.
- Risk appetite is the amount of risk an organization is willing to accept or retain and represents a broad view of risk.
- Risk tolerance is relative to specific risks and performance targets. It can be defined as the organization’s flexibility regarding specific risks.
5. Understand your environment
You should have a clear understanding of how your organization functions. An organization is expected to analyze and address its unique risks within the context of what it does, its geographic presence, industry sector, competition, regulatory landscape, clients and business partners.
By understanding the nature of operations and locations, you will be better able to grasp the types of risks specific to your organization, as well as the potential consequences should a violation occur.
6. Identify risk indicators
Risk indicators are metrics that can be used to measure risks affecting the organization. They can act as predictors and provide early signals of increasing risk exposures. The analysis of risk indicators should be holistic and include both internal and external resources.
7. Collect the data
Interviews, surveys, self-assessments, and brainstorming sessions are different methods to collect data and information on how and why compliance risks may occur in the organization. Understand the pros and cons of each method before choosing the one that will work best for your risk assessment objectives.
8. Identify the risks
Now that you understand the scope of the business and the risk indicators specific to the nature of its operations and locations, you should break the risks down to a reasonable level of detail. The objective of the risk identification is to create a comprehensive inventory of compliance and ethics risks facing your organization, industry and regions.
9. Rate the likelihood and impact
Rate both the likelihood that each risk might occur and the corresponding potential impact of that occurrence. The aim is to prioritize the responses to the identified risks in a logical format.
10. Develop your action plan
Once the risk assessment is complete, compile your findings and recommendations in a comprehensive report to be presented to the board for review and approval. However, the process should not stop there.
An action plan that prioritizes the recommendations from the risk assessment should then be developed to ensure that the necessary enhancements are implemented.
