Determine a sustainable compliance risk assessment initiative.
Imagine forcing employees to partake in a compliance risk assessment process by insisting that they participate, do the assessment as part of their daily workload with no recognition for their efforts, and then do a “gotcha” when it is determined that the employees were not promoting or adopting best practices to ensure compliance with the law. A really bad idea, right?
Knowing your organizational culture will help you begin your quest to start a compliance risk assessment process. Did you start this process with an edict from the CEO or board? Did you start this process with a grassroots initiative involving employees who may know that the organization is not complying with a specific law?
Customize this process to best fit your organization. Ask these questions: What works best at your entity? Does the CEO command the loyalty and trust needed to successfully start and implement this assessment process? Do your employees feel empowered to raise ideas to upper management with the presumption that they will be heard and that good ideas will be addressed? Or is the culture mixed—the CEO pushes the idea and leaves it to the employees to determine the who and what to make it work?
Regardless of how your culture works, you need to know it well and work within its boundaries. Implementing a compliance risk assessment initiative takes time and a lot of effort across the entire business. This is not an initiative confined solely to internal audit, finance, or facility services. This initiative cuts across all departments, units, and divisions. It involves the entire organization.
One does not have to look hard to find clear evidence of organizational cultures that did not believe compliance was a necessary part of their existence. Indeed, in the banking industry, the number and dollar amount of fines for noncompliance with federal laws are staggering. And the long-term reputational damage from these highly publicized noncompliance events will linger in the public’s mindset for years, if not decades.
So, what can you do? If your initiative does have the initial push from the CEO, other upper management, and the board, then the initial buy-in is present. How can you turn that enthusiasm into a sustainable program that has buy-in from all employees?
Time: Realize that it takes time to let the process work and see the benefits of compliance risk assessments. When employees realize that this assessment program will make their jobs easier, it will result in buy-in.
Deliberate Communications: Throughout the entire organization, deliberately and systematically communicate how the initiative is going and publicize its benefits, including increased employee morale, fewer fines, or whatever measurement has been chosen to show the initiative is achieving its stated goals.
Realistic and Achievable Goals: Remember the old adage: don’t bite off more than you can chew. Be realistic when determining your universe of risk and focus on what you can achieve in the appropriate time period for this first round of assessment.
So, perhaps you have accomplished what you were asked to do—e.g., develop the framework for implementing a compliance risk assessment program. You have identified the universe of risk, recruited compliance partners to assess the risk, quantified your organization’s compliance risks, and developed a robust mitigation plan. Your work will always be in progress and you’ll sometimes feel as if you are pushing that rock up the hill. Keep pushing; the summit is approaching.
And now, finally, it’s time to sit back and eat that piece of red velvet cake with luscious whipped cream frosting . . . while planning your next assessment cycle.
Go bake a cake from scratch. Bring it to work and celebrate the achievement of implementing an effective compliance risk assessment program with your coworkers.