P&B Compliance lawyer Henrique Starck writes a short article on “Compliance Risk Assessment”. It is a procedure for organizations that value the managerial efficiency of their business, ethics and, above all, their state of compliance with regulations.
A Compliance Risk Assessment (CRA) is a necessary undertaking for any organization that values the managerial efficiency of its business, its ethics and, above all, its state of compliance with regulations.
The CRA is the process used to identify an organization's inherent compliance risks. Mapping those risks aims to reduce the uncertainty and unpredictability that hinder the management of an organization, regardless of its sector or size.
Risk mapping is an instrument for validating Business Compliance, since it is responsible for categorizing an organization's integrity risks, such as: corruption, internal fraud, bid rigging, conflict of interest, money laundering, regulatory non-compliance, unfair competition, insider trading, and labor, tax and environmental violations, among others.
The CRA is one of the main pillars of a Compliance Program and one of the requirements the authorities consider when evaluating the effectiveness of a company's integrity measures, especially when deciding whether sanctions should be reduced.
A compliance risk analysis gives organizations guidance on how to direct their efforts and investments toward the problems that matter most, especially those affecting the organization's financial health or reputation.
It is also a differentiator: it helps the company win new business, improve its working environment and quality of work, and detect fraud so as to reduce losses from illicit acts, in addition to facilitating participation in public tenders and the approval of credit and financing.
Despite these benefits, a poorly executed Compliance Risk Assessment leaves the organization without a reliable view of its productivity, financial stability and operational control and, above all, without the ability to anticipate integrity risks.
There are several risk assessment standards on the market, such as COSO (Committee of Sponsoring Organizations of the Treadway Commission) and ISO 31000 (Risk Management). The methodology is typically divided into seven steps:
Step 1 – Know the organization: Whoever prepares the CRA needs to know the organization in depth: its history, culture, customers and suppliers, operational activity, leadership, employee profile, etc.
Step 2 – Know the legal framework that applies to the organization: It is necessary to understand which laws apply to the organization in order to understand the possible risks, and to agree with top management on which risks it expects to be managed. For study purposes, examples include the Anti-Corruption Act, the FCPA, the UKBA, the Money Laundering Act, the Competition Defense Act, the Code of Conduct, etc.
Step 3 – Preparation of the inherent risk matrix: A preliminary risk matrix must be prepared that classifies each risk by its probability of occurrence and its impact on the organization. This classification must treat the risks as inherent, that is, disregarding the mitigating controls already in place.
Step 4 – Conducting interviews: Identify the areas involved in the processes to which risks are assigned and select their managers for interviews. The chosen managers must review and challenge the classification of inherent risks and point out the existing mitigation measures for each risk. The interviewer and interviewee must then agree on a new classification for each risk taking the existing controls into account, so that the residual risk matrix can be prepared.
Step 5 – Action plan: An action plan must be created to establish and implement new controls, or to improve existing ones, in order to mitigate the residual risks found.
Step 6 – Preparation of the target risk matrix: Create a matrix that graphically represents the impact and probability classification of the target risks. Target risks are the levels of risk the organization intends to be able to accept once its controls have been improved. It is recommended that the inherent, residual and target matrices be placed side by side, to better visualize the evolution of the controls.
Step 7 – Monitoring: The execution of the action plan must be monitored so that the residual risks are brought down to the target levels set by the organization.
P&B Compliance is a highly qualified consultancy specializing in the design and implementation of Corporate Integrity Projects. The extensive experience and professionalism of its staff ensure deep knowledge of national and international standards and risks, continually improving its methodology for preparing integrity risk analyses. P&B Compliance remains available for any questions and clarifications on the subject.