Looking Beyond Controls: Leveling The Playing Field To Address Compliance Risk

Monday, June 1, 2009 - 01:00

In today's increasingly regulated business environment, chief compliance officers and other corporate executives are moving compliance programs to the top of company agendas. Companies are expected to comply with both mandatory requirements, such as laws and regulations, and voluntary leading practices recommended by other organizations, businesses or associations. Corporate mission, values and code of conduct also play an important role when creating and evaluating your compliance program.

Compliance programs are meant to prevent and detect noncompliance and to make business run more efficiently. One way that business runs more efficiently is through the appropriate allocation of resources. More resources should be allocated to managing more significant compliance risks, but this principle raises further questions. Which risks are most significant? Do we consider inherent risk (i.e., without consideration of controls) or residual risk (i.e., taking controls into account). Furthermore, not all compliance risks are created equal. To make sure that resources are allocated appropriately, compliance risks must be evaluated and prioritized without consideration of controls and monitoring. To do otherwise would not be a comparison on equal ground. For example, a manufacturing company may not see hazardous material management as a high risk because there is an environmental compliance manager at each facility. However, without that manager addressing proper disposal of hazardous materials, the risk of noncompliance could be very high. The environmental compliance manager is an active control that is residual to the risk of hazardous material management. In other words, serious compliance risk is still risk even when controls are in place.

Reviewing Your Risks

To determine what risks your company faces, you must look at the entire body of risks related to compliance, which becomes what we call a compliance risk universe. A compliance risk universe is developed as a sample taxonomy of compliance risk categories that will help you identify relevant risks. It is organized by listing all the company's requirements that are mandatory - both legal and regulatory - and voluntary, along with its own policies and procedures. Key risks will be determined by their potential to prevent your company from achieving its business objectives or expose your company to noncompliance. Once compliance risks are identified, you must assess and prioritize each risk based on the likelihood of noncompliance as well as the reputational, legal and financial impacts of the noncompliance.

Each time you review compliance risks, it is best to start with an even playing field. You may wish to imagine that you are a brand new company with a finite budget for compliance implementation. The way that budget is initially allocated is based on the assessed risk without any consideration of controls or monitoring since you don't have any yet. This is the same thought process that should take place each time a compliance risk assessment is conducted. Doing so makes sure that resources are always appropriately allocated to the compliance risks that have the greatest potential for affecting the company.

Where To Look For Indicators Of Risks

There are several factors to consider when evaluating risk.

Industry-Specific Risks. The industry in which your company operates is a significant indicator of risks you will encounter. If your company manufactures products, there may be risks related to complying with environmental standards or health and safety regulations.

Similarly, a company in another industry must determine how likely it is that waste will not be disposed of properly or that employees will not wear appropriate safety equipment if there are no policies and procedures stating appropriate conduct. However, these risks most likely would not appear on a risk profile for a company in the professional services industry, where you may see risks such as confidentiality of client information, insider trading and providing legal opinions.

Geographic Operations. The location of your company's operations sheds light on risk areas. Does your company only operate in the United States, or does it have entities, subsidiaries or joint ventures abroad? Are these operations located in countries with cultures that may be susceptible to bribery or corruption?

For example, if your company has operations in one or more of the BRIC countries (Brazil, Russia, India or China), there is a significant potential for FCPA risk, according to Transparency International's 2008 Bribe Payers Index (BPI).1If operations are located in countries that have limited trading regulation, there may be a risk of violating U.S. trading restrictions such as shipping to forbidden countries.

Organizational Structure. How your company operates as a business is vital to the likelihood and impact of each risk. In a decentralized organization, there will be a higher risk that noncompliance will not be identified as quickly as in a centralized organization. The longer noncompliance goes without corrective action, the more damaging the consequences of that noncompliance can be.

What is the reporting structure at your company? Looking at your organization chart and determining the flow of information at your company may give insight into risk areas not previously identified.

Products Or Services Sold. The product or service your company sells can determine many risks that your company faces. If you are a manufacturer, do you produce products that can be harmful to others? Even if the product is not an end-user product, your company may be liable for the product that may be a part or add-on to the user product.

If your company is a professional services firm, what services do you provide? Do you provide services that require opinions or statements of legality? Does your company guarantee something with the service that may result in lawsuits if it turns out to be untrue?

Customers. Customers also play an important role in identifying and prioritizing risks. What is your company's customer base? Do you sell directly to the consumer or other businesses? Are sales contingent upon strict contract terms that could have a significant impact if terms are not met? Are there pressures to make sales targets on a quarterly basis? Are goods or services exported abroad? All of these questions will help your company identify the potential compliance risks and the impact of noncompliance.

Evaluate And Prioritize Risk

When assessing compliance risks, you need to consider a number of factors. The two most significant factors used in prioritizing risk are the likelihood that noncompliance will occur and the impact of noncompliance. Likelihood is usually measured temporally, that is, how likely noncompliance is to occur and how frequently within a specified time frame. Impact is usually measured from three perspectives: regulatory, financial and reputational. From a financial standpoint, how much will noncompliance cost your company if it faces monetary penalties from the EPA or falls under litigation from a personal injury claim? How will the noncompliance affect customer sales if these issues are open to the public, possibly tarnishing your company's reputation? How will the company operate from a legal standpoint if it is restricted by regulators in conducting business?

After determining the impact of risk and as you prioritize each risk, you should look past the fact that your company may have a full-time environmental director or safety supervisor at each facility that is supposed to be mitigating those risks. By removing the resources that your company has dedicated to each risk, it allows risks to be prioritized on an equal level. Set aside the fact that the internal audit group performs tests of controls around trading transactions at foreign locations. When people, money, audits, approval processes and other factors are removed, risks like environmental and trading are prioritized the same way anti-bribery, health and safety, antitrust and others are prioritized. You can then allocate resources more appropriately to address the most significant risks.

Implement An Effective Compliance Program

In many instances, companies find themselves addressing compliance and risk reactively in response to events such as litigation, regulatory action and criminal investigations, resulting in increased costs and negative public exposure. The Federal Sentencing Guidelines even state that one of the two factors that mitigate the ultimate punishment of an organization is an effective compliance and ethics program.2Therefore, proactively developing a compliance program is a priority for many companies.

An effective compliance program should answer five basic questions: (1) What are the company's most significant compliance risks? (2) Who owns those risks? (3) What are they doing about the risks (i.e., what controls are in place)? (4) Is it working? (5) How do we know if it is working?

These five questions are the starting point for implementing any compliance program and evaluating its effectiveness. In the development of any new strategy, process or program, the first step is typically the hardest step to take. So it is with designing, implementing and enhancing an effective compliance program.

Once risks are identified through mapping a risk universe and prioritized on the basis of a level playing field without consideration of controls, a careful risk assessment can help you determine how to allocate resources efficiently.

When starting a risk assessment, you need to understand your company's environment, strategies, objectives, initiatives, business model, key transactions and other key elements of business. All applicable laws, regulations and additional voluntary compliance leading practices must be identified. To do this, a review and analysis of corporate documentation needs to be performed.

Once the analysis is complete, identify relevant compliance risks and customize the compliance risk universe. Refine your company's process model as it relates to compliance risk management and consider IT applications associated with compliance-related processes. Determine coverage of compliance risk categories and processes, identify the participants for the assessment, determine the approach for assessing risks and develop a work plan.

Finally, understand and prioritize key compliance risks, develop the compliance risk profile, identify your company's perception for effectiveness of controls relied upon for managing prioritized risks and develop a road map for prioritized compliance risks. This is done through conducting interviews with senior management and risk owners as well as completing a workshop to prioritize each risk. It is critical to a compliance risk assessment and is where many companies struggle in conducting successful risk assessments.

Leveling the playing field and looking beyond controls for each risk assessment will ultimately allow your organization to allocate its resources in the most effective and efficient way. By doing this, you will have a successful compliance risk assessment and the start to an effective compliance program.

Jack Holleran is a Principal and the leader of Ernst & Young LLP's corporate compliance advisory services team in the Americas. Larry Iwanski is a Senior Manager and Michael Ricks is a Senior. The views expressed herein are those of the authors and do not necessarily reflect the views of Ernst & Young LLP.