How nice would it be to own a crystal ball. One look inside and you would know what's happening in a week, a month or a year's time. Certainly, companies would pay a lot to know what compliance incidents were on the horizon. Which scandals will emerge, which fraud cases will come out, where illegal agreements will be made?
Unfortunately, the crystal ball with clairvoyant abilities has not arrived on the market. But while we wait, something known as compliance risk analysis can help companies. It does not forecast the future in its entirety, but ideally provides a clear picture of which business units, processes and legal areas are likely to be affected by compliance issues and which are not.
What Are Compliance Risks Anyway?
Compliance is the effort to establish behavior that conforms to the rules. This includes "classic" compliance with applicable national and international laws and regulations, but also adherence to ethical and moral principles, set out for example in the company's Code of Conduct. A compliance risk exists when an organization runs the risk of violating rules from these two areas.
Exactly what these risks are varies from company to company. And, should a risk become a reality, the potential consequences can also vary greatly. Sanctions, claims for damages, fines or imprisonment are conceivable, but so is massive damage to the company's reputation – examples of this can be seen frequently in recent economic history.
Areas Where Compliance Risks Are Particularly High
In principle, compliance risks can occur in the context of a large number of legal fields, regulations or ethical and moral values. However, there are some legal areas that are often associated with particularly high risks of damage:
- Anti-corruption laws
- Cartel and competition law
- Money laundering acts
- Bookkeeping and accounting regulations
- Data protection law
- Export control
- Labor law
- Environmental law
Evaluating possible risks within these areas in your own company can be a starting point for compliance risk analysis.
Ultimately, compliance risk analysis is primarily a tool for increasing the effectiveness of the compliance program. Without knowing the most relevant risks and possible negative consequences, it is difficult to determine whether compliance resources are being utilized properly – or even whether more resources are needed for the most relevant risks. Thus, risk analysis is also an important way of proving the effective and efficient design of the compliance program – not only to auditors and law enforcement officers, but also to internal stakeholders.
Compliance Risk Analysis as the Basis of Every Compliance Program
The common compliance frameworks (ISO 19600, IDW PS 980) as well as the relevant international regulations and their guidelines (such as DoJ guidelines and the UK Bribery Act) agree: a comprehensive compliance risk analysis should form the foundation of any compliance program. In Germany, the German Corporate Governance Code also provides for the analysis of compliance risks as the basis of the compliance management system. Without risk analysis, companies run the risk of setting the wrong priorities, implementing ineffective measures and completely ignoring potentially relevant risks.
For this reason, compliance risk analysis should ideally happen at the beginning of compliance efforts in the company. In practice, however, it is unfortunately often the other way around: companies implement their first compliance measures out of a concrete need or obligation without having first analyzed the risks in their entirety. As a result, companies may disregard relevant risks and fail to channel compliance resources into the correct areas.
Particularly when a compliance issue occurs, the risk analysis can serve as important evidence. Companies can demonstrate to law enforcement and auditors that the relevant compliance risk has been identified and assessed, and that appropriate countermeasures have been implemented. This evidence shows that an effective compliance management system has been proactively set up, and this can have a mitigating effect.
A Typical Approach to Compliance Risk Analysis
As a rule, a company draws up an initial overview of potential compliance risks with the aid of legal catalogues and internal documents such as annual reports, organizational handbooks or audit reports. This overview is then validated and supplemented through interviews and workshops with the operating units. The risks are then systematically recorded and evaluated, often in terms of their probability of occurrence and the expected level of damage.
A strategy is also defined for each compliance risk. Companies often try to reduce the compliance risks identified using various measures, which may include compliance training, guidelines, internal communication measures or processes such as dual control or job rotation. Evidence that companies have implemented such measures is also an important element of compliance risk management and puts companies in a better position to investigate compliance issues.
Ongoing Monitoring of Compliance Risks Necessary
But the work is not yet finished. At this point the compliance risk analysis becomes compliance risk management. Compliance risks should be continuously monitored and re-evaluated as necessary, because external and internal factors are changing constantly. For example, the political situation in a country may change and, as a result, the risk of corruption may alter significantly (an external factor), or the company may move into a new business area that carries its own compliance risks (an internal factor).
Even independently of such events, it is advisable to review the recorded risks at regular intervals. Are the probability of occurrence and the damage level still realistic? Have the defined measures been implemented, and are they having the desired effect?
Regularly reviewing compliance risks not only helps to ensure that companies constantly question the effectiveness of their compliance program and better identify potential new risks; it is also indispensable for demonstrating a robust compliance system to external auditors and, in an emergency, to law enforcement officers.