Matthew Tuchow is Chief Compliance and Business Integrity Officer, Veterans Health Administration, U.S. Department of Veterans Affairs in Washington, DC.
I have yet to hear of an organization with unlimited resources to devote to compliance. To determine where to focus those limited resources, a risk assessment is a great tool. Risk assessment is a critical element of an effective compliance program, and in many ways, it should serve as its foundation. It helps an organization make an educated decision on which risks to prioritize given the reality that not all risks can be mitigated; even the top risks cannot be mitigated at the same pace.
A risk assessment is also a vehicle to educate your business partners about their roles as risk managers, which they may not currently understand. Assessments also carve out important time to have conversations about risk with business colleagues with whom you may not speak regularly, which may help unveil risk blind spots. I once assumed a business unit did no foreign business, and I therefore never considered the Foreign Corrupt Practices Act (FCPA) to be a risk area. Much to my surprise, however, I learned during such a conversation that the organization had just decided to seek foreign business.
My greatest lesson from having done risk assessments for years is that it is an art, not a science. At its core, a risk assessment is an opportunity to pull the right people together and make reasoned choices about the risks to mitigate, manage, or accept—and the order and pace at which to do so.
What follows are some fundamental aspects of a well-developed risk assessment that are, in my experience, often overlooked.
Interview your business partners
Because I believe one of the greatest benefits of a risk assessment is educating leaders and others on risk management, I favor a methodology that involves actually talking with business partners. For this, a clear interview script needs to be developed that is also understandable to those not steeped in compliance and legal language.
A couple of tips here: Keep the interview short and allow time at the end for any comments the interviewee may want to add. It is often here that you learn of hidden risks.