Chapter 3. Step One: Defining Your Compliance Risk Universe

Table of Contents

Chapter Goals:

  • Identify what counts as risk for your organization.

  • Identify resources to establish the scope of the compliance risk universe.

Step one—the basics. When you decide to do some baking today, is your goal to bake a wedding cake or a vanilla sheet cake, or is the extent of your skills limiting you to a store-bought, ready-mix brownie delight? It is the same kind of question that you would ask regarding a compliance initiative.

What will be the scope of your compliance initiative? Will it be limited to only federal laws and regulations? Will it cover compliance with your organization’s policies and procedures? Will you incorporate regional and local laws?

Those are all good questions with no right or wrong answer. The answer depends on the scope of your initiative and what is reasonable to accomplish. It is only after you decide what you want to accomplish that you can seek out and identify your compliance risk universe.

The USSG states that an organization should promote a culture that encourages ethical conduct and a commitment to compliance with the law.[1] So, a broader compliance risk assessment could include risks for unethical behavior as well. The Anti-Bribery Convention, an international standard created by the Organisation for Economic Cooperation and Development (OECD) and ratified by 44 countries,[2] provides similar guidance in its “Good Practice Guidance on Internal Controls, Ethics, and Compliance.”[3] Within these broad mandates, your compliance effort can be customized to fit the needs of your entity.

Whatever your decision, start with a reasonable and achievable goal. Going from no assessment to a full-blown identification and analysis of every federal, regional, and local law that touches your entity may be unrealistic. Adopting that broad of a scope may even be more unrealistic if your business has a decentralized mindset, an entrepreneurial spirit, or maybe even a laissez-faire philosophy regarding compliance. A more gradual and expandable version of a compliance risk assessment might be a better option at the onset.

Start your compliance effort with clear and attainable goals that can be achieved within a reasonable time period identified in your plan. If your compliance effort is not well thought-out and does not have clear follow-through with visible, actionable results communicated to the CEO, board, employees, shareholders, and other key stakeholders, the effort will fail. Restarting the effort after an initial failure will be difficult.

Your employees need to have faith that this effort is designed to help the organization become stronger—to make the business more aware of compliance risks, help assess these compliance risks, and plan for mitigating the risks. The underlying philosophy of the initiative can be portrayed as one designed to assist employees in doing their jobs better. If employees believe that the underlying premise for this initiative is to create a “gotcha” mentality, then any compliance risk assessment will not be successful; it will likely be a paper exercise with results placed on a dusty shelf.

So, identifying the risks to be assessed is your first step in this process. This identification generates your company’s “risk universe.” This risk universe list is the combination of all the subject areas and laws that your compliance initiative is going to assess with a resulting plan for risk mitigation.

Your Risk Universe

There are various ways to identify your risk universe. The following options can be used to identify your risk universe, presuming that your business has decided to move forward with a compliance effort that is focused on identification and assessment of, at a minimum, the federal laws and regulations that affect the business and its operations. Each option has scalable options depending on the size of your entity and the scope of your compliance effort.

Option 1: Adopt a risk universe identified by similarly situated businesses.

One of the simplest ways to identify your individualized risk universe—if available in your industry and region of the world—is to find lists of federal, regional, and local laws and regulations identified by other similar businesses or organizations. Using predetermined lists of applicable laws from organizations recognized in your country or region provides instant credibility when you are presenting the lists to your compliance partners, compliance committees, CEO, and board. However, efforts to identify applicable laws should not end with simply finding a good “list” from another entity. Due diligence by your legal office, CFO, COO, and other employees to identify any other specific laws affecting your company is also important and necessary.

Standards developed by government legal and regulatory bodies are good examples of pre-identified lists that could form the basis for a compliance risk assessment. In the United States, that could include agencies such as the Occupational Safety and Health Administration (OSHA), the Department of Health and Human Services (HHS), the Environmental Protection Agency (EPA), the Federal Deposit Insurance Corporation (FDIC), or any other relevant federal regulatory agency. In the European Union, that could include the European Commission as well as each country’s governmental authorities. Another good source is non-governmental organizations that develop standards, such as ASIS International (formerly the American Society for Industrial Security), in its standards and guidelines for security professionals; or the International Association of Privacy Professionals (IAPP), for its privacy standards; or the Higher Education Alliance and its Compliance Matrix, developed in conjunction with the National Association of College and University Attorneys. Good lists can also be found through international standards-setting organizations such as ISO and its ISO 19600:2014 (which provides international standards for compliance management systems);[4] or COSO’s Compendium of Examples,[5] a companion document to the 2017 COSO ERM—Integrated Framework. Substantial new laws also tend to come with governmental guidance that can help with risk assessments, such as the EU’s General Data Protection Regulation,[6] the UK’s Bribery Act 2010[7] , or the U.S. Foreign Corrupt Practices Act.[8] Indeed, in your particular industry and region of the world, it is likely that specific rules regulate your business—identification of those laws and regulations would be used to develop your compliance risk universe.

Option 2: Conduct interviews of key employees to determine applicable laws and regulations that they deal with every day or year.

With these personal interviews, you can identify key laws that must be part of your compliance efforts and you can identify key noncompliance issues. This method is more time-consuming than Option 1, identified above, but it will result in a better initial understanding of the laws and the concerns faced by your employees who are charged with day-to-day operational compliance concerns. Nothing can ever replace an in-depth conversation between a compliance officer and the person responsible for ensuring compliance with a law. Both these individuals are concerned about a possible noncompliance issue and both are focused on trying to determine how best to proactively address the matter.

However, use caution if this method is your only means of identifying your risk universe. The managers being interviewed may not know what they do not know. In other words, are you sure that the employees you interview know all the laws relevant to their specific area? What about laws that cross functional areas? How will you find out about those? Also, if the interviewee is not being fully forthcoming with you regarding noncompliance concerns, you may get an initial biased view about noncompliance issues that may later influence your risk mitigation plan. These concerns can be dealt with by follow-up due diligence research on what laws are applicable to your business as well as follow-up interviews about noncompliance issues when the risk mitigation plan begins to take shape.

Option 3: Send out surveys to key managers and administrators to determine applicable laws and regulations that they deal with every day or every year.

There are two ways to approach this method. One approach is to create an initial survey that would be broad in nature since this survey seeks identification of the laws. The survey recipient would identify laws applicable to his or her areas of expertise and then would send this information back to a centralized location for compilation. Option 3 is similar to Option 2 described above, since you are asking a manager to identify the laws being dealt with on a daily or less frequent basis. If you use this method to identify your risk universe, a subsequent survey would be designed to capture assessment data.

Another approach is to combine this initial survey with a survey seeking assessment data. Using the same survey instrument, the survey recipient would not only identify the law but also provide information and possible documentation on assessments to determine if the business is or is not in compliance with the law.

Regardless of whether you choose the initial survey or survey and assessment method, the concern about scope of knowledge is present here also—does the manager know what he or she doesn’t know? One would assume (and hope) that the employee charged with ensuring compliance would not only know there is a law but also know that the corporation is or is not in full compliance with that law. However, this may be a hope and not a reality.

Being mindful of this concern, using this survey method brings some extra benefits. It will consume less time than conducting personal interviews, force the recipients to put into writing what laws they know about, and initially identify the applicable laws. If you choose this method, it’s critical to use due diligence, research, and follow-up to confirm the scope of your risk universe.

Which method is best for your business? Customization is the continuing key for all elements of this compliance risk assessment process. But remember—initially starting with a manageable number of laws or regulations to assess will probably cause you less heartburn and will result in a more in-depth assessment of the particular laws.

Action Items:

  • Compile your lists of laws and regulations that will form your compliance risk universe.

  • Work with IT to develop a shared space to house the compliance risk universe documents so that everyone working on the compliance effort can easily access them.

 
2 OECD, Convention on Combating Bribery of Foreign Public Officials in International Business Transactions, 1997, http://www.oecd.org/corruption/oecdantibriberyconvention.htm.
3 OECD, “Annex II: Good Practice Guidance on Internal Controls, Ethics, and Compliance,” Recommendations of the Council for Further Combating Bribery of Foreign Public Officials in International Business Transactions, February 18, 2010, http://www.oecd.org/daf/anti-bribery/44884389.pdf.
4 ISO, ISO 19600:2014 Compliance management systems—Guidelines (2014), https://www.iso.org/standard/62342.html.
5 Pricewaterhouse Coopers, LLP, COSO Enterprise Risk Management—Integrating with Strategy and Performance: Compendium of Examples (2018).
6 European Data Protection Board, Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3)—Version for Public Consultation (November 16, 2018), https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_en.pdf.
8 U.S. Dep’t of Justice, Criminal Div. and the U.S. Securities and Exchange Comm’n, A Resource Guide to the U.S. Foreign Corrupt Practices Act (2012), https://www.justice.gov/criminal-fraud/fcpa-guidance.
1 U.S. Sentencing Guidelines Manual § 8B2(b)(1), cmt. n. 1 (U.S. Sentencing Comm’n).

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings