Reevaluating compliance risk assessments in today’s world

Five considerations for demonstrating awareness of your evolving risk profile and for preventing and detecting issues.

There is perhaps no better time to re-evaluate and refresh your organization’s approach to conducting risk assessments than following a black swan event. These rare but impactful events will reveal risks attendant to your business that warrant closer consideration in your assessment process. This is not to suggest that prior risk assessments need to be discarded as obsolete but rather that a process exists, as regulators expect, to meaningfully consider evolving risk, design procedures to detect when risk events occur and revise processes as new lessons are learned.

Changes to supply chains, sales channels and pressures, operating models and more have created a new paradigm for risk assessments and the programs designed to monitor risk exposure and red flags. In some cases, internal controls designed around in-person checks and balances have been modified for a remote workforce, potentially leaving unmitigated gaps. Changes to business models have also resulted in adjustments to how and where companies rely on third parties to act on their behalf. Externally, the pandemic and resultant worldwide downturn has complicated the political risk environment as governments concurrently attempt to contain the outbreak, mitigate its economic impact and assuage the fears and frustrations of increasingly exasperated electorates. To compound matters, corruption risks, including public procurement kickbacks and internal fraud, tend to increase in times of crisis. Some companies may engage in morally reprehensible practices – from insisting that employees go to work despite not implementing the requisite health and safety measures, to paying dividends to shareholders while benefiting from government relief programs – underpinning heightened legal and reputational risks. 

Amid all of this, organizations should continue to conduct compliance risk assessments while considering ways to adapt their approaches to fit the current world reality. The consequences of pausing this work could be detrimental in terms of reputational damage or regulatory action down the road.

Risk assessments in today’s world

The current environment presents obvious challenges to conducting risk assessments: travel restrictions, office closures, employment changes and furloughs, cost-cutting measures and general business uncertainties can impact how companies execute their risk assessment mandates. Given these restrictions – in addition to the changing risks facing companies – the processes, methods, tools and resources employed to assess risks are more important than ever.

1. Incorporate assessments of external threats/risks

All this once again highlights the paramount importance of rigorous, targeted, jurisdiction-specific assessments of political risks and operational threats a company or investor is likely to face. Such assessments should include an in-depth analysis of: the political/geopolitical situation, including the central government’s policy agenda and any outstanding issues pertaining to the country’s foreign relations; the political risk environment, such as the potential for contract frustration and heightened regulatory uncertainty; social concerns that may bring the company or investor’s wider environmental, social and governance footprint under the microscope; and salient security threats. Such assessments should also include potential opportunities regarding distressed companies and assets that may be of particular interest in the current climate.

2. Maintain a forward-looking view

The risk assessment should incorporate the current company strategy to determine which identified risks are temporary (e.g., due to the pandemic) versus the risks that are likely to persist in the future. Additionally, large strategic decisions, such as changes to business models, products, strategies, acquisitions and growth or contraction plans need to be understood and incorporated into assessments.

3. Rely heavily on your data

DOJ guidance around compliance programs talks repeatedly about using data in assessing and monitoring compliance risks. In addition to this guidance, current restrictions on travel and workplace arrangements make data analysis even more important. Data should be used for initial risk profiling to focus the risk assessment on key geographies, functions, business lines and entities. If you have never done one, now is the time to start and there are manageable ways to harness your data to assist with understanding evolving risk. If you have done a risk profiling exercise previously, it is important to assess how risk metrics may need to adjust to the current environment. Data also can be used to assess the impact of changes to policies, changes in employee behaviors and emerging third-party risks.

"Is the periodic review limited to a “snapshot” in time or based on continuous access to operational data and information across functions?”
Department of Justice, June 2020 guidelines on Evaluation of Corporate Compliance Programs

4. Challenge past assumptions about risks and controls

Past risks will not necessarily indicate current or future risks. Organizations should take a fresh look at past key risk areas and how they will look going forward. Conducting trend analyses on company expenses can provide insights into how the risk picture has flipped. For example, employee travel and entertainment spending may be negligible compared to prior periods, but donations may be more common to support local communities struggling during an economic downturn. Additionally, employees may devise new fraud or corruption schemes if past means, such as excessive travel reimbursements, are no longer viable.

Controls that you thought were in place, particularly those that require physical sign-offs or office access, may no longer be effective when executed remotely. Conducting walk throughs of newly implemented or changed controls may be necessary to fully understand their effectiveness in mitigating risks identified.

5. Resist the urge to make risk assessments a headquarters-only exercise

The most effective risk assessments take a localized view of risk that incorporates information gathered from local teams, assessments of local business practices and consideration of local risk exposures. None of these can be effectively incorporated by relying solely on information maintained at headquarters.

Even if you cannot fly to other locations for on-site procedures, you can remotely conduct many procedures you would ordinarily conduct in person. You can conduct employee interviews by video conference, use surveys, conduct remote walk throughs of key controls and evaluate documentation maintained electronically. This may require training up and reliance on local resources to conduct procedures typically done by traveling teams, such as transaction testing or training.

Conclusion

The very nature of the “new normal” and subsequent changes to the business environment result in an evolving risk profile. At the same time, regulations remain constant and regulatory and oversight bodies expect risk assessment work to continue. If anything, companies should be working harder than ever to demonstrate awareness of their evolving risk profile and doing everything feasible to prevent and detect issues. The new approaches developed will likely prove valuable even after the pandemic passes.