Risk assessments come in a lot of sizes, colors and flavors. Many companies do a very thorough enterprise assessment of financial risk, technology risk and market risk, yet leave compliance and sustainability risk out entirely or treat it in far less detail.
Other companies have established incredibly detailed compliance and sustainability risk assessment processes. They have tried to squeeze subjectivity out of the process by quantifying everything in sight. I worked with one company that asked each business unit leader to separately determine if the likelihood of a negative compliance or sustainability incident was less than 1%, 2%-5%, 6%-10%, 11%-25% or 26%+ AND whether the impact would be less than $250k, $250k-$1m, $1m-$5m, $5m-$10m or $10m+. Plus, each business unit leader was supposed to do this for each risk in a list of over 30 risks, ranging from corruption to cybersecurity to labor rights to trade sanctions. The intent is commendable, but getting calibrated responses from the business units is virtually impossible. A huge amount of time was spent by each business unit leader and the compliance and sustainability teams to collect data that is of questionable value.
Yet completing a compliance and sustainability risk assessment is a critical part of understanding your company's overall risk. If the assessment is done in a practical and effective way, with the right tools and approach, the process can improve cross-functional collaboration in your company. The results can link reducing compliance and sustainability risk directly with improving business performance.
The Purpose of a C&S Assessment
Let's step back and think about the purpose of a compliance and sustainability risk assessment. The purpose is to identify relevant risks, prioritize which risks to reduce, and agree on a corporate risk tolerance. Remember, some compliance and sustainability risks cannot be eliminated; you can only reduce them to a tolerable level. The image I want you to keep in mind is your business on a tightrope. You are balancing business growth with compliance and sustainability issues. Imagine the tightrope is 1,000 feet in the air over a gorge. The risk is extremely high: if you fall, you die. If you put a net under the tightrope, you've reduced the risk, but you're still 1,000 feet off the ground. Now imagine the tightrope is 3 feet off the ground between two trees. You're still on a tightrope, but the risk is MUCH lower. Your business can never get off the tightrope. All you can do is add systems and controls that reduce the risk to a tolerable level. One of your challenges is to use the risk assessment process and its results to establish an enterprise-wide risk tolerance.
Of course, some of the risk assessment basics still apply. The risk assessment does need to look at the likelihood and impact of the risk. But understand from the start that this will be subjective to an extent. Use a simple three level scale: Low, Medium or High. If you want to get fancy or need it to align with your enterprise risk assessment, go to a five-level scale: Low, Low/Medium, Medium, Medium/High or High.
A key element is to go beyond the inherent risk and determine the residual risk. Inherent risk is based on what you do, where you do it, how you do it and who you do it with. Inherent risk is hard for a business to change. Residual risk is the risk left over after you take the maturity of your systems and controls into account. Think back to the tightrope and how the residual risk changed with the net and then with the lower rope. You have much more control over your residual risk because you can make your systems more mature to reduce it. You can lower the tightrope. In fact, one of the uses of a compliance and sustainability risk assessment is to prioritize where to allocate resources to reduce the residual risk.
The ‘Why’ of a Compliance Risk Assessment
Let's take a deeper dive into the "why" of a compliance risk assessment. For reporting purposes, it provides useful data for producing a double materiality assessment. A double materiality assessment looks at two things: the material financial risk that compliance and sustainability incidents pose to the company, and the material impact of the company's activities on people and the environment. More importantly, the risk assessment provides practical intelligence that shapes the foundation of your compliance and sustainability program. It should directly influence your Code of Conduct and related policies, your third-party risk management program and your training program. Beyond the foundational elements of the program, the risk assessment should help dictate where to conduct more thorough due diligence and monitoring, and where to focus corrective actions.
So how do you start developing a practical compliance and sustainability risk assessment? We have built and used a risk assessment process and toolkit with many companies around the world. We designed the process to get credible input from the business unit leaders with a minimum amount of their time and to have the compliance and sustainability team provide quality control and consistency to the results. The toolkit has three documents:
- Risk assessment spreadsheet
- Risk assessment introduction letter to business unit leaders
- Interview guide for the compliance and sustainability leader
We know that many companies use sophisticated technology to do risk assessments and that vendors are always introducing new and improved versions, now often integrating AI. We are not advocating you throw the fancy technology away and go back to spreadsheets. We are advocating that it’s the process and content that matters, not the technology.
The process starts with the compliance and sustainability leaders identifying the most relevant inherent risk categories from the following list:
- Social compliance (e.g. labor and human rights)
- Environmental compliance
- Data privacy
- Intellectual property protection
- Cybersecurity
- Corruption and bribery
- Conflict of interest
- Competition and antitrust
- Money laundering
- Trade sanctions and export controls
We typically recommend picking between three and five categories. More than five categories can become overwhelming for the business unit leaders.
Identify Specific Risks
The next step is to identify the specific risks and situations your company faces within each category. You must consider both internal risks and the risks your company takes on from the third parties it engages. Here are some examples:
Corruption Risks:
- Internal – Our salespeople sell products to government buyers
- Third-party – We use agents to obtain permits and licenses
Data privacy risks:
- Internal – We collect and store sensitive Personally Identifiable Information (PII) from our customers
- Third-party – Our customer PII is accessed by a customer service contractor located in a foreign country
Social Compliance Risks:
- Internal – We require excessive working hours by hourly workers in our operations during peak season
- Third-party – Our contract manufacturers operate in countries where forced labor is prevalent
Once the compliance and sustainability team has added more detail under the relevant categories, it's time to involve the business unit leaders. It is important to introduce the risk assessment to them as a collaborative process. Explain why this matters to the company and how it can benefit them and their unit.
The business unit leaders have more knowledge about the specific situations and scenarios that are most likely in each risk area. They also have more knowledge about the systems and controls that are in place in their unit or location. The compliance and sustainability function is often centralized, and we all know that what happens at headquarters is not always what happens in the field. We recommend asking the business unit leaders to describe the risks and the controls, but not to rate them. Their initial review should not take them a lot of time.
The compliance and sustainability team should have a follow-up call with each business unit leader to get more details and to get their perspective on the likelihood of an incident and the potential negative impact. During the interview, seek to identify areas where improving compliance and sustainability systems can also benefit business performance. For example, centralizing procurement could create volume discounts and reduce the higher corruption risk that comes with decentralized procurement. Improving the carbon emissions reporting system can speed the sales cycle with customers that request this data, and it could turn into a competitive advantage in gaining new business.
Once the interviews have been completed, the compliance and sustainability team can begin to rank the maturity of the systems and controls in place. They can then judge whether, and how much, those systems reduce the likelihood and the impact of incidents. That judgement, applied to the inherent risk, is what produces the residual risk ranking.
Conclusion
Having the compliance and sustainability team do the risk ranking (rather than the business unit leaders) ensures consistency, so the results are more valuable to senior management and the board. It reduces the amount of time required of the business unit leaders and positions the compliance and sustainability team as partners in understanding risk rather than as auditors. Focusing on residual risk allows your company to prioritize resources far more effectively. It gives senior management and the board far better visibility into compliance and sustainability risks and how they fit into the enterprise risk management process and the overall corporate strategy.