Today, I conclude a three-part series on risk assessments in your Foreign Corrupt Practices Act (FCPA) or UK Bribery Act anti-corruption compliance program. I previously reviewed some of the risks that you need to assess and how you might go about assessing them. Today I want to consider some thoughts on how to use your risk assessment going forward.
Mike Volkov has advised that you should prepare a risk matrix detailing the specific risks you have identified and relevant mitigating controls. From this you can create a new control or prepare an enhanced control to remediate the gap between specific risk and control. Finally, through this risk matrix you should be able to assess relative remediation requirements.
A manner in which to put into practice some of Volkov’s suggestions was explored by Tammy Whitehouse, in an article entitled “Improving Risk Assessments and Audit Operations”. Her article focused on the how Timken Company, assesses and then evaluates the risks the company has assessed. Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit/monitoring plan, she said. A variety of solutions and tools can be used to manage these risks going forward but the key step is to evaluate and rate these risks.
|Likelihood Rating||Assessment||Evaluation Criteria|
|1||Almost Certain||High likely, this event is expected to occur|
|2||Likely||Strong possibility that an event will occur and there is sufficient historical incidence to support it|
|3||Possible||Event may occur at some point, typically there is a history to support it|
|4||Unlikely||Not expected but there’s a slight possibility that it may occur|
|5||Rare||Highly unlikely, but may occur in unique circumstances|
‘Likelihood’ factors to consider: The existence of controls, written policies and procedures designed to mitigate risk capable of leadership to recognize and prevent a compliance breakdown; Compliance failures or near misses; Training and awareness programs.
|Priority Rating||Assessment||Evaluation Criteria|
|1-2||Severe||Immediate action is required to address the risk, in addition to inclusion in training and education and audit and monitoring plans|
|3-4||High||Should be proactively monitored and mitigated through inclusion in training and education and audit and monitoring plans|
|15-1920-25||LowTrivial||Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time.|
Priority Rating: Product of ‘likelihood’ and significance ratings reflects the significance of particular risk universe. It is not a measure of compliance effectiveness or to compare efforts, controls or programs against peer groups.
At Timken, the most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit monitoring plan going forward. A variety of tools can be used, such as continuous controls monitoring with tools like those provided by Visual RiskIQ, a relationship-analysis based software such as Catelas or other analytical based tools. But you should not forget the human factor. At Timken, one of the methods used by the compliance group to manage such risk is by providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.
The key to the Timken approach is the action steps prescribed by their analysis. This is another way of saying that the risk assessment informs the compliance program, not vice versa. This is the method set forth by the DOJ in its FCPA Guidance and in the UK Bribery Act’s Adequate Procedures. I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the compliance arena. The model set forth by Timken certainly is a reasoned approach and can provide the articulation needed to explain which steps were taken.
In an article in Compliance Week Magazine, entitled, “Lessons on Risk Assessments from Winnie The Pooh” Jason Medford articulated that a key use of a risk assessment is to assist the internal audit function in developing their internal audit plan. He cited to the Institute of Internal Auditors (IIA) standard 2010.A1, which states “The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually.” He went on to note that “In order to have a truly integrated GRC capability it is necessary for internal auditors to work with other GRC professionals in their organization. They must align their annual audit plan with the organization’s objectives, strategies, and initiatives of the other GRC professionals. They must collaborate, coordinate, and align their audit activities with other GRC professionals to increase visibility, improve efficiency, accountability and collaboration.
Carol Saint, Vice President of Internal Audit for 7-Eleven, who was interview by OCEG President Carol Switzer for the same article said that “We start with a risk assessment, beginning with business units because this is how the organization has designed accountability. We decompose business units into the processes and sub-processes they own and execute. We evaluate how sub-processes align to achievement of strategic objectives: How do they affect the company’s value drivers? Next, we map financial statement lines to the sub-processes to help prioritize from that lens. Finally, for each sub-process we consider specific risks that could hinder achievement of strategic objectives, as well as fraud risks, significant accounting estimates, benchmarking/ hot topics, and ERM risks. We created an “intensity rating” that measures how often a process/sub-process was mentioned in our stakeholder interviews as a risk to the company. And we also considered how cross-functional a process is so that the element of complexity—a risk accelerator—could help determine audit plan priorities. This year’s plan development process was quite intense, but I think we did a good job of creating a baseline so that future risk assessments are more efficient.”
I hope that you have found this series on risk assessments useful. If you have any questions or better yet would like me to work on a risk assessment for your organization, please contact me.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2014