The compliance risk assessment is typically an annual process or, at the very least, conducted every two years. We at Speeki believe that it should be done every year, and even validated every six months. We also believe that the way that risk assessments are done might need to be refreshed to change the company’s perspective of risk.
When assessing the impact of a risk, we think you should consider (alongside the traditional monetary or financial impact) the impact to people, your brand and the planet. We will look at each of these areas to explain our position and give some direction on this important process.
The annual risk assessment with a six-monthly check-in
The compliance risk assessment is an extraordinarily valuable tool to the compliance officer. It sets the priorities that you are going to focus on in the next period and distinctly sets out the areas of highest risk that you must consider.
Our view at Speeki is that risk assessments should be done at least annually, and preferably every six months. Here are three reasons why we take that position.
1. The speed of change in your industry
In most industries, the pandemic has changed things enormously. It has changed the way you sell, market and deliver to customers. Considering these changes is essential. Industry changes, coupled with changes in financing, funding, investment and cash flow, may also drive a different priority in your risk assessment. What is clear now is that things change very fast. Waiting a year to make that change to your risk assessment might be leaving it too long.
2. Community and stakeholder changes
Your stakeholders are voicing their opinions on your business and the state of the world. Listen to them – you might need to change your approach on certain issues based on their expectations. Social issues change with lightning speed, so observing them and getting ahead of them is a good approach. We have seen this in the near-instant renewed focus on racial issues in the workplace. There are many community issues that are being vocally highlighted and companies need to consider them very quickly as they evolve.
3. Technology changes
Technology is also changing rapidly. Before we knew it, we had 5G, AI, the cloud, driverless cars and drones in the skies. It is important to really think through how to comply with these changes and what these technology advances mean to your compliance initiatives. You will note from the above that changes in the law or the regulatory environment are typically not a reason to move to a more regular risk assessment. These are also important changes, but they tend to take longer. Cases seem to take years to work through the courts, and new legislation can take five years before it becomes law. While changes in the law should be top of mind at every review process, they may not be as time sensitive as some of the other matters above.
Your way of prioritising should change
We all know that listing the risks in a risk assessment is only half the challenge – you also need to determine the areas that need to be focused on. This is really a question of prioritisation. Companies have typically focused on areas where the impact is high and the likelihood of a negative event happening is high. As a general comment, this process should not change. What should change, however, is the definition of ‘impact’.
In the past, we have seen that impact has been determined substantially in line with the potential for monetary loss. This sort of loss could be from potential fines, investigation costs or loss of business through diminished sales. In most situations the impact assessment has been heavily weighed by the financial loss.
In our view, the calculation of ‘impact’ should be modified to include the following non-financial matters.
1. The impact on people
Rather than looking at the cost to the business in terms of financial risks, consider the cost to the people (including employees, partners and the community). The people risks are just as important as the financial risks. Anti-corruption fines, for example, might be the largest (alongside anti-trust breaches), and fines associated with harassment, discrimination and inequality issues might be miniscule in comparison. However, simply looking at only the financial issues is misleading. You have to consider the risks to people – to their physical and mental health and to their careers – alongside the financial risks to the business. At some stage in your annual risk assessment, you will need to make a decision on whether the value of your people overrides the value of reducing fines for major breaches.
2. The impact on brand and reputation
If you are not already thinking about brand risks when you conduct your assessment, then you might be missing key risks. For example, a bribe paid overseas may be somewhat brand affecting. However, something like a senior executive being involved in a harassment issue with a female employee under his management will undoubtedly affect the company’s reputation. Although the ‘direct costs’ associated with such an issue (investigation costs, fines etc.) might be low, the costs associated with negative brand, customer loss and ongoing brand damage might be much higher. When carrying out your risk assessment, it is important to keep thinking about the brand. What would the impact of a negative event be to the brand? You will usually find that long-term costs to the brand amount to far more than the direct costs.
3. The impact on society and our planet
The third and arguably the largest area of risk is the risk to our planet. These risks are most likely associated with commonly-known environmental and social risks. The risks of climate change and sustainability should be in the compliance risk assessment. Again, even though the cost of fines or investigations after a failure might be low, the impact to the business or the planet might be immeasurable. The risk of a factory fire, an oil leak from a company ship, or even the destruction of a sacred site or building could be significant and might actually have a detrimental impact to the business and the society that it operates within.
The message for all compliance people is to think again about how to measure compliance risks. A risk assessment could be considered annually or perhaps every six months, and the impact of a compliance breach should be looked at from several perspectives, namely people, brand and planet.