Creating an Effective Compliance Program: A Focus on Risk Assessment

Analiese Fusner

More than ever, the need to incorporate Enterprise Risk Management (ERM) is imperative to creating an effective compliance system. Why? Because organizations cannot possibly address every new issue simultaneously without negatively impacting potentially more important matters.

What is Risk Assessment?
Risk assessment refers to finding and evaluating operational and organizational risks and taking steps to minimize them. A risk is anything that might prevent an organization from meeting an objective. An effective risk assessment is the identification, measurement and prioritization of likely relevant events or risks that may have a material consequence on an organization’s ability to achieve its objective.

All federal agencies agree that organizations need to show a system of proactive planning and ongoing consistent responses. This all starts with a prioritization of risks, which reinforces strategic alignment with overall business goals instead of non-value added activity. Effective ERM is iterative and dynamic in its effort to identify potential areas of compliance risk or vulnerability.

The Office of Inspector General and the U.S. Department of Health and Human Services have recommended key questions that the company’s board governance must ask of the organization’s management team. These questions include the following:

• Does the compliance program address the significant risks of the organization?
• How were those risks determined?
• How are new compliance risks identified and incorporated into the program?

Furthermore, the U.S. Sentencing Guidelines (commentary) as amended in November 1, 2004 states:

• The organization shall…..(A) Assess periodically the risk that criminal conduct will occur, including assessing the following:
  • (i) The nature and seriousness of such criminal conduct…
  • (ii) The likelihood that certain criminal conduct may occur because of the nature of the organization’s business…
  • (iii) The prior history of the organization…

As you begin the risk assessment process, there are several tools and frameworks you can use to assess risks, not only in compliance and ethics, but across the enterprise. One widely recognized framework was updated and released by the Commission of Sponsoring Organizations (COSO) in 2013. It outlines 17 principles dealing with internal controls – four are related to assessing risks. Clearly, strong internal controls are part of an effective compliance and ethics program.

Factors Impacting Risk

There are many factors that impact every organization’s risks including:

• Organizational ethics
• Financial demands
• Technology
• Innovation
• Competition
• Joint ventures/mergers and acquisitions
• Laws/rules/regulations
• Recent settlements
• Existence and sufficiency of policies covering an area
• Audit results
• Employee claims – hotline calls

Remember, your organization’s ERM can only be as sophisticated and comprehensive as the business model demands. The point is to tailor the risk assessment template to your operations.  In order to manage current prioritized risks and prevent scope creep while simultaneously addressing new risks, documenting the process is essential to effective compliance management.

Effective risk assessment is a critical element of any compliance initiative to ensure your organization is focusing your efforts where it will have the greatest impact.