Compliance and ethics are a growing challenge and concern in organizations.
Faced with increasing regulatory change, enforcement actions, audits and exams, and liability and exposure, compliance and ethics is in the midst of evolving and maturing. Compliance and ethics is moving from the stigma of being ‘the corporate cop’ to being the bastion of the integrity of the organization, as it aims to guide culture and conduct in the context of the organization’s obligations and values. I have stated for fifteen years that the Chief Compliance Officer (CCO)/Chief Ethics & Compliance Officer (CECO) is really the Chief Integrity Officer of the organization.
Compliance and ethics is becoming more established as its own function, with its own budget, and direct reporting to senior executives and boards of directors. In many organizations across industries, compliance and ethics is being moved out of the bowels of the legal department to operate independently, but collaboratively, with legal.
As part of this process of growing and maturing, we are seeing an increased focus on what constitutes an effective compliance and ethics program. One element that is getting a lot of attention, but also produces a lot of confusion, is the requirement to take a risk-based approach to compliance and ethics. Most compliance professionals have a history of focusing on checklists and requirements and are unfamiliar with how to do a risk assessment.
Consider the following:
- Principles/Outcome-Based Regulation. What started years ago in the UK FSA moved to the EU with its Better Regulatory Policy, which strives for principle/outcome-based regulation: an approach that focuses not on prescriptive checklists of requirements but on outcomes. The way one organization approaches compliance may differ from another, but it is the outcome that matters. This requires a risk-based approach to compliance, to identify, analyze, and manage the compliance risk.
- ISO 19600:2014 – Compliance Management Systems. The international standard for compliance takes a risk-based approach to compliance and requires a compliance risk assessment to identify, analyze, evaluate, and treat compliance risks.
- U.S.S.C. Sentencing of Organizations. The United States Sentencing Commission, in its Organizational Sentencing Guidelines, lays out the elements of an effective compliance program for courts to use to measure the culpability of, and therefore the penalties on, an organization. It requires that “the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.”
- U.S. DoJ Evaluation of Compliance Programs. The most recent update to the U.S. Department of Justice guidance on the Evaluation of Compliance Programs keeps a risk-based approach to compliance front and center. Risk is mentioned 53 times in this guidance. Specifically, “Risk Management Process – What methodology has the company used to identify, analyze, and address the particular risks it faces? What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program?”
In my Compliance Management by Design Workshops as well as inquiries, I am frequently asked by compliance and ethics professionals how they should manage and assess risk. Most of these professionals have a legal background and have not been trained in how to do a risk assessment. My recommendation, and an exercise I work on with attendees in workshops, is to do a bow-tie risk assessment.
I love bow-ties: both the kind you wear and the ones you use to assess risk. When most people think of risk management they think of numbers and complex models, and those are good and important. Myself, I am a visual person. My father was an accountant, my brother is an accountant, I went to law school. I like words and pictures over math. A bow-tie risk assessment provides a visual picture and assessment of risk that helps organizations think outside the box and engages both the left and right brain. I am not downplaying the numbers side; that is still important, and bow-ties can and do tie in the quantified analysis.
A bow-tie risk assessment gets its name as it takes the shape of a bow-tie:
- The knot is the risk. The center of the bow-tie is the knot, which is the risk you are evaluating. From a compliance and ethics point of view, this can be many things, so before you do a bow-tie you have to identify your risks (knots) that need to be evaluated. You can have separate knots for bribery/corruption, fraud, antitrust, harassment, discrimination, privacy, money-laundering, and many more. The knot can be very specific, if you would like, such as the risk of bribery/corruption in a specific project or geography, or it can be more general.
- The left side of the tie is the source of the risk. Stemming off the knot to the left, you focus on the source of the risk, or the causes. What can cause bribery/corruption? What could cause harassment/discrimination? You label each cause and connect it to the knot (risk). Then you identify detective and preventive controls to place between the cause and the knot that mitigate the exposure from that event happening.
- The right side of the tie is the consequences of the risk. On this side, you identify the consequences/outcomes of an actual event happening. These can be regulatory fines, civil action, brand/reputation damage, loss of revenue, loss of employees, loss of morale, and more. After identifying the consequences, you then place detective and responsive controls to mitigate the damage and exposure from those outcomes.
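As an added illustration (not from the original post), here is a small Python model of a bow-tie that flags the gaps the method is meant to expose: causes on the left with no preventive control, consequences on the right with no responsive control, and branches that are only detected rather than mitigated. The bribery/corruption knot, its causes, consequences and control names are constructed sample values, not from any real assessment.

```python
from dataclasses import dataclass, field

# Control kinds from the bow-tie method: preventive/detective on the left of the
# knot (cause -> risk), detective/responsive on the right (risk -> consequence).
PREVENTIVE, DETECTIVE, RESPONSIVE = "preventive", "detective", "responsive"

@dataclass
class Control:
    name: str
    kind: str  # PREVENTIVE, DETECTIVE or RESPONSIVE

@dataclass
class Branch:
    """A cause (left side) or a consequence (right side) and its controls."""
    name: str
    controls: list = field(default_factory=list)

    def has(self, kind: str) -> bool:
        return any(c.kind == kind for c in self.controls)

@dataclass
class BowTie:
    knot: str  # the risk being evaluated
    causes: list = field(default_factory=list)
    consequences: list = field(default_factory=list)

def gaps(bt: BowTie) -> dict:
    """Untreated branches: causes with no preventive control, consequences with
    no responsive control, and branches that are only detected, not mitigated."""
    return {
        "unprevented_causes": [c.name for c in bt.causes if not c.has(PREVENTIVE)],
        "unresponded_consequences": [c.name for c in bt.consequences if not c.has(RESPONSIVE)],
        "detect_only": [b.name for b in bt.causes + bt.consequences
                        if b.controls and all(c.kind == DETECTIVE for c in b.controls)],
    }

# Constructed sample bow-tie for a bribery/corruption knot (illustrative values only).
SAMPLE = BowTie(
    knot="bribery/corruption in third-party sales",
    causes=[
        Branch("agent pays kickback", [Control("third-party due diligence", PREVENTIVE),
                                       Control("payment monitoring", DETECTIVE)]),
        Branch("gifts to officials", [Control("expense-report review", DETECTIVE)]),
    ],
    consequences=[
        Branch("regulatory fine", [Control("self-disclosure procedure", RESPONSIVE)]),
        Branch("reputational damage"),
    ],
)
```

Running `gaps(SAMPLE)` reports the gifts cause as unprevented and detect-only, and reputational damage as a consequence with no responsive control.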
There is a lot more detail I can go into here on how to do this, but it would go beyond the length of a blog post to fully summarize. I am delighted to interact and discuss the benefits and use of bow-tie risk assessments. There are a range of technology solutions I cover in the market as part of my research and analysis that facilitate this format and approach to risk assessment.