Whether we like it or not, compliance and ethics management cannot be ignored when doing business locally and/or internationally. Successful compliance programs rest on a foundation of successful risk assessments.
No amount of policy, procedure, internal control or tone at the top will accomplish much if those tools address the wrong risks in the wrong way, because the risks themselves were misunderstood in the first place. That said, performing effective risk assessments can be a difficult art to master. The very phrase—“compliance risk assessment”—can encompass a dizzying range of risks:
■ anti-bribery;
■ whistle-blower retaliation;
■ data privacy;
■ workplace harassment;
■ cyber security and cybercrime;
■ anticompetition;
■ product safety; and much more.
And within each of those risks are more risks to assess. Consider anti-bribery alone:
■ What are the company’s risks from third parties?
■ What are the risks of poor due diligence?
■ What are the risks that compensation schemes will lead sales agents to bribe their way to a performance bonus?
■ What are the risks that internal controls won’t detect bribery payments?
That complexity is now a permanent fixture of corporate compliance and risk-management programs. More risks will emerge in the future, whether they come from business operations, government regulation, or external forces (bad hackers, for instance). All of this drives the imperative for astute risk assessments—performed with rigor, following an efficient methodology and embracing flexibility to meet whatever new risk is barreling up the audit committee’s agenda.
As compliance technology improves, and we get closer to “automating” risk assessments—say, with sophisticated systems to manage regulatory change or to monitor internal controls—the lines may blur between formal compliance risk assessments and more precise, rapid updates about compliance risk exposures on any given day. The goal of any risk assessment, however, is to articulate how much harm a risk can pose to the business and whether the internal controls the company has in place will actually prevent it. As articulated by the UK Ministry of Justice, “Procedures should be proportionate to the risks faced by an organization…. A risk-based approach will…serve to focus the effort where it is needed and will have most impact.”
This leads me to my favorite topic: ethical hackers. They are also known as penetration testers or white-hat hackers: people engaged, with the client’s authorization, to attack the client’s systems in order to find security vulnerabilities before a real adversary does. These freelancers are familiar with common attack vectors, mitigation techniques and web-application vulnerabilities, and they also know how to fix the vulnerabilities they find.
It may be good for you to know that there are support organizations that offer a variety of services in the compliance field:
■ Gap analysis regarding data privacy protection and cyber security;
■ Software for the analysis, including the risk assessment mentioned above; and
■ Vulnerability and penetration testing/ethical hacker service.
If you need assistance, contact me at Schumacher@eitsc.com.
Image credits: Nuvolanevicata | Dreamstime.com