Catherine Boerner ( cboerner@boernerconsultingllc.com ), President of Boerner Consulting LLC in New Berlin, WI.
linkedin.com/in/catherineboerner/
I have found that conducting a meaningful compliance risk assessment can provide reassurance to the compliance officer that concerns are being reported and addressed. I like to start a compliance risk assessment by asking leadership in a questionnaire, often under attorney–client privilege, what they perceive as the most pressing potential compliance risks to the organization or to their department. Compiling these responses often yields a list of 75–100 potential compliance risk areas. I believe this process in and of itself strengthens the compliance program by creating awareness and by asking leadership to participate in a way they may not have before. The exercise may also prompt someone to report a compliance concern that they might not otherwise have thought to bring to the compliance officer. This inquiry lets the compliance officer focus on what leadership considers most pressing, rather than only on the risk areas the compliance department sees as important.
After the initial inquiry, I like to select only 10–12 compliance risk areas for a more in-depth review. Of course, if any specific compliance concerns surface, those should go on the compliance log as concerns to be investigated or reviewed separately from the compliance risk assessment process. The more in-depth assessment of these 10–12 areas involves gathering information on the controls in place to mitigate each risk, as well as interviews.
In the end, the compliance risk assessment allows the compliance officer to determine, based on current controls, the likelihood that a risk will be detected or prevented. If it turns out that a risk is unlikely to be detected or prevented, a work plan to bring in additional risk mitigation strategies can be developed. In addition to risk mitigation work plans, areas can be added to the annual compliance audit plan. Because the risk assessment is not an audit, it opens conversations among departments about their respective roles in each risk area, which helps break down silos and promotes compliance throughout the process.
Organizations often struggle with how to do a meaningful compliance risk assessment. By seeking input from leadership from the beginning and limiting the number of risk areas selected for in-depth review, the value this process brings to everyone involved becomes easy to see.