Compliance risk maps. how to develop a compliance risk assessment?
From the perspective of the Compliance function, it must be identified the situations or processes in which breaches of legal, regulatory obligations or a violation of the commitments acquired by the organization.
With the aim to carry out this identification of risk situations for the organization, the level of risk in each process must be evaluated, suitable measures must be proposed to mitigate this risk, as well as establishing controls to detect and to prevent the materialization of the risk. o. A very important element that must be considered, is the correct channeling of all the information detected in this analysis to the Government Bodies and to the Internal Oversight Control Bodies of the company; such as audit committees or risk committees.
Before entering into more details on how a compliance risk map can be defined and its importance, we must define what Compliance risk is. In 2005, Basel Committee on Banking Supervision defined Compliance risk as “the risk of legal or regulatory sanctions, financial loss, or loss to reputation a organization may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organisation standards, and codes of conduct applicable to its activities.”
Once we understand what compliance riskis, we develop the phases to manage the risk:
- Setting of the context: All factors, external and internal, that can have an impact on the organization must be analyzed. As an example, aspects such as company structure and ownership, number of employees, activities of the organization or applicable regulations must be considered.
- Risk identification: We must elaborate a list of possible risks / situations / events that could occur in the entity. All entities will not have the same Compliance risks, since each organization, depending on the activity it carries out, its size and other factors will have different risks. It is important to identify the specific applicable risks, in order to assess them correctly. In order to identify these risks, we could ask ourselves questions such as, are personal data processed? Are cash payments usually made or received? Or are there business partners with high power of representation on behalf of the entity?
- Risk Analysis: Although there are different ways of doing a risk analysis, a good alternative is to analyze the probability and impact of each of the risks. Within probability, we can analyze different types of probabilities, such as the possibility of occurrence and the probability based on the existing controls. Regarding impacts, we could analyze, as in the case of probability, different impacts, such as the impact of the image, the reputational impact, the impact if they are sanctioned, etc.
Is essential the result of previous two stages be documented.
- Risk assessment: The purpose of risk assessment is to assist decision making, determining the risks to be treated and the priority to implement the treatment. We must have defined what is our acceptable risk level so from this level, we decide the risks that must necessarily be treated. In this way, the organization will be able to focus on the allocation of resources for those risks assessed as “high level”.
- Risk treatment:In this stage decisions about how to address identified risk will be taken. Some of the decisions could be; to avoid risk, to reduce or mitigate risk by establishing controls to reduce probability or impact, to share risk transferring it to third parties, or to accept risk. For all options, the approval of the government body will be required, and mechanisms must be established to monitor its evolution.
- Follow-up and review: This stage should have as a minimum aim to ensure that all controls are effective or to detect any change in the organization’s context that may suppose a new unidentified risk, over the course of time..
During all stages, as we have commented previously, the importance of communication of all relevant aspects to the government entities and interested parties, both internal and external must be kept in mind.
Therefore, to define our Compliance risk assessment we will need to follow the following steps: identify the risks, analyze them, assess them, treat them, monitor them and report all this to corresponding bodies.
With the tool GlobalSuite® We will be able to address all of them, being able to define a personalized risk methodology adapted to the entity, obtaining a risk map graphic in different formats and offering us the possibility of establishing a treatment plan in which the risks to be treated can be defined, with their actions, deadlines and those responsible for their follow-up.