How Risk and Compliance Build Trust

Building trust in an organization in many respects depends on how well risks are identified and mitigated — a critical element in an effective compliance program. Yet, a joint survey conducted by Deloitte and Compliance Week found that 40 percent of companies do not perform an annual compliance risk assessment.

“As global regulations proliferate and become more complex, and as stakeholder expectations increase, organizations are exposed to a greater degree of compliance risk than ever before,” says Deloitte. “Global regulatory convergence and the expansion of businesses into new industries have also increased the need for a broader view of compliance risk.”

What is a Risk Assessment?

As defined by Deloitte, ethics and compliance risk assessments are not just about process; they are also about understanding the risks that an organization faces. The risk assessment focuses the board and senior management on those risks that are most significant within the organization, and provides the basis for determining the actions necessary to avoid, mitigate, or remediate those risks.

Any business, no matter its size or industry, has a number of risks and potential consequences to consider. For example, the following landscapes, compiled by KPMG, highlight emerging, current, or dissipating industry-specific risks in 2016.

We selected only a few industries, and a handful of associated risks in each, to give a snapshot of how diverse and deep the risk landscape is from one industry to the next, and to underline why laying out every risk clearly matters.

Banking Risk Landscape


  • Strategy: Risk of adverse changes in the equity markets as banks make and manage direct equity investments.
  • Technology: IT Risks relating to malfunction or disruption in the operation of the systems, or a security breach.
  • Reputation and Ethics: The reputational risk to a bank’s business, earnings, and capital from negative public opinion is inherent in the business and has increased substantially because of the financial crisis and the size and profile of the financial services industry.

Building and Construction Risk Landscape


  • Growth: Expanding international operations leading to risks of non-compliance with various regulations, economic and political developments, discriminatory fiscal policies, etc.
  • Profitability and liquidity: Exposure to cost increases as a result of price volatility and fluctuations in the supply of raw materials.
  • Compliance: Legal and compliance risk from changes in international and domestic laws, rules, policies, tax regulations, technical standards, and trade policies when working in unfamiliar foreign jurisdictions.

Pharmaceutical Risk Landscape


  • People: Inability to attract and retain qualified personnel while appropriately managing costs related to employee benefits.
  • Operational Excellence: Outsourcing risk with increasing reliance on third parties for key business functions such as clinical trials, manufacturing, sales, and R&D.
  • Health, Safety and Environment: Rising pressure from environmental activists over growing concern that pharmaceutical residues are contaminating water and soil.

Retail Risk Landscape


  • Strategy: Risks of expanding international operations, such as compliance with various regulations, economic and political developments, and discriminatory fiscal policies, in addition to disruption of the supply chain.
  • Technology: IT risks relating to malfunction or disruption in the operation of systems, or a security breach, could adversely affect the company’s ability to compete.
  • People: Inability to attract and retain qualified personnel while appropriately managing costs related to employee benefits.

KPMG broke down risks for a variety of industries by creating individual “risk cards”, which could be a viable option to begin assessing risks in your organization. Download industry specific risk cards from KPMG.

When leadership proactively takes risks seriously, employee trust is an intrinsic benefit. Analyzing risks and laying every one of them out on the table, much as KPMG mapped out risks in individual risk cards, sends a strong message that security, privacy, and safety are high priorities and not just corporate lip service.

Why Do You Do Risk Assessments?

From government entities to small locally run businesses and multinational corporations, risk assessments help pinpoint potential hazards and provide an opportunity to consider the consequences.

“The compliance risk assessment can help the organization understand the full range of its risk exposure, including the likelihood that a risk event may occur, the reasons it may occur, and the potential severity of its impact,” says Deloitte.

A well-designed risk assessment can also:

  • Help prioritize risks
  • Map risk to the applicable risk owners
  • Effectively allocate resources to risk mitigation

Do you understand the full spectrum of risks in every part of your organization? Which of those risks pose the greatest legal, financial, operational, or reputational damage (the facets of the business Deloitte uses to determine risk impact)? How would you then go about mitigating them?

Conducting risk assessments helps to confidently answer the questions above. While consequences of risks vary, they could include heavy legal fines, reputational damage, and in some industries, bodily harm from occupational hazards.

In short, it’s never a good idea to overlook the risk assessment, no matter how small the risk may seem.

As the saying goes, it’s better to be safe than sorry, and in the convoluted landscape we operate in today the saying has never rung more true.

How Do You Write a Risk Assessment?

Once the importance of conducting risk assessments is understood throughout the organization, waste no time in getting one off the ground. And while it may sound intimidating to start and a little unnerving considering the gravity of some risks, it’s better to get out ahead of them rather than try to work backward after a risk becomes a reality.

You may want to hire a third-party company or consultant to look at your organization’s specific risk landscape and offer a more detached perspective. We often find ourselves so entrenched in the industry we live and work in that we lack the right lens to see everything holistically.

Hiring external help may not sound budget-friendly at first, but compare that cost with the cost of neglecting risk management altogether. The cost-benefit analysis will almost immediately show that a proactive approach is the more financially advantageous one.

Experts say that a best-practice risk process should be:

  • Comprehensive
  • Dynamic
  • Customizable
  • Industry-specific

Deloitte suggests considering the following best practices when starting to outline your own risk assessment framework:

  • Gather input from a cross-functional team.
  • Build on what has already been done.
  • Establish clear risk ownership of specific risks and drive toward better transparency.
  • Make it actionable.
  • Solicit external input when appropriate.
  • Treat the assessment as a living, breathing document.
  • Use plain language that speaks to a general business audience.
  • Periodically repeat the process.
  • Leverage data.

“There isn’t a one-size-fits all kind of questionnaire template,” says Janelle Hsia, PMP, CISA, GSLC, Director of Privacy and Compliance at American Cyber Security Management. “You need to figure out what is important to your organization, your organization’s approach to governance, and the organization’s risk tolerance.”

There are lots of guides and thousands of canned questions to choose from, but it really comes down to having the knowledge to ask the right questions about your specific organization.

  • First, identify what information your business has. As they say, you can’t protect something you don’t know exists. List as many of these assets as you can, and put them in a table, because you will fill in information about each one.
  • Second, figure out what each asset is worth. Use either a dollar value or a high/medium/low scoring system. Play the “what if” game: What would happen if this asset were hacked? What would happen if it were stolen? What would happen if it were unavailable for 24/48/72 hours?
  • Third, record some attributes of the asset. Who owns it? Does it rely on a third party? Where is it physically located? How quickly can I access it? What type of information does it contain (e.g., PII, payment card data covered by PCI DSS, or PHI)? Will I know if it is gone?
  • Next, think about the impact the asset has on your business, again using either a dollar value or a high/medium/low scoring system.
  • Now, understand the likelihood of specific threats and vulnerabilities. Sources such as KPMG’s industry-specific risk profiles, the National Vulnerability Database (NVD), US-CERT, or InfraGard will give you a list of common threats. This will help you prioritize the areas of focus.

A full risk assessment should be done on the assets that are high in value and have a high impact on your business. So start simple and with something everyone can agree on: determine your critical assets, your company’s crown jewels, the things that must be protected above all else. It should be fairly easy to design a set of questions that will help you determine whether these assets are well protected.
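The five steps above and the crown-jewels rule translate directly into a small risk register. The following is an added example, not code from the article or from KPMG or Deloitte: each asset carries the attributes the steps call for (owner, location, data types, third-party reliance, whether loss would be noticed), a high/medium/low value and impact, and a likelihood per threat. The ordinal weights, the rating thresholds, the "blind spot" rule for high-risk assets whose loss would go unnoticed, and the sample assets are all assumptions chosen for illustration.

```python
"""Asset-based risk register (added example; scoring scheme and sample data are assumptions)."""
from dataclasses import dataclass, field

# Ordinal scale for the article's high/medium/low scoring (assumed weights).
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    name: str
    owner: str                  # step 3: who owns it?
    location: str               # step 3: where is it physically located?
    data_types: tuple           # step 3: e.g. ("PII", "PHI")
    third_party: bool           # step 3: does it rely on a third party?
    detectable: bool            # step 3: will I know if it is gone?
    value: str                  # step 2: high/medium/low
    impact: str                 # step 4: high/medium/low
    threats: dict = field(default_factory=dict)  # step 5: threat -> likelihood


def criticality(asset):
    """Value x impact on the 1..3 scale, giving 1..9."""
    return LEVEL[asset.value] * LEVEL[asset.impact]


def is_crown_jewel(asset):
    """The article's full-assessment scope: high value AND high impact."""
    return asset.value == "high" and asset.impact == "high"


def risk_score(asset, threat):
    """Criticality x likelihood, giving 1..27."""
    return criticality(asset) * LEVEL[asset.threats[threat]]


def rating(score):
    """Assumed thresholds over the 1..27 range."""
    if score >= 18:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def build_register(assets):
    """One row per (asset, threat), highest risk first; crown jewels break ties."""
    rows = []
    for a in assets:
        for t in a.threats:
            s = risk_score(a, t)
            rows.append({
                "asset": a.name, "owner": a.owner, "threat": t,
                "score": s, "rating": rating(s),
                "crown_jewel": is_crown_jewel(a),
                # A medium-or-worse risk on an asset whose loss you would not
                # notice is a detection gap worth calling out separately.
                "blind_spot": (not a.detectable) and s >= 8,
            })
    rows.sort(key=lambda r: (-r["score"], not r["crown_jewel"], r["asset"]))
    return rows


def full_assessment_scope(assets):
    """Names of the assets that get the full risk assessment first."""
    return [a.name for a in assets if is_crown_jewel(a)]


# Constructed sample inventory; names, owners and ratings are invented.
SAMPLE_ASSETS = [
    Asset("customer-db", "Head of Sales Ops", "AWS us-east-1",
          ("PII", "payment card data"), third_party=True, detectable=True,
          value="high", impact="high",
          threats={"credential theft": "high", "ransomware": "medium"}),
    Asset("hr-payroll", "HR Director", "vendor SaaS", ("PII",),
          third_party=True, detectable=False, value="high", impact="medium",
          threats={"vendor breach": "medium"}),
    Asset("marketing-site", "Marketing", "shared hosting", (),
          third_party=True, detectable=True, value="low", impact="medium",
          threats={"defacement": "high"}),
]

if __name__ == "__main__":
    print("Full assessment first:", full_assessment_scope(SAMPLE_ASSETS))
    for r in build_register(SAMPLE_ASSETS):
        flags = ("CROWN JEWEL " if r["crown_jewel"] else "") + ("BLIND SPOT" if r["blind_spot"] else "")
        print(f'{r["score"]:>2} {r["rating"]:<6} {r["asset"]:<15} {r["threat"]:<17} {r["owner"]:<18} {flags}')
```

Run as a script it prints the register ordered by score, with the customer database (high value, high impact) at the top and in the full-assessment scope, and the payroll system flagged as a blind spot: its risk is only medium, but nobody would know if the data were gone, which is the detection question from step 3 turned into an action item for the named owner.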

“Some basic rules apply to risk assessments: always partner with business leaders, keep the methodology simple, but robust, and make your documentation intuitive and user-friendly,” says Kevin Lane, principal, Deloitte Advisory.

For small to midsized businesses, the CIS Top 20 Critical Security Controls is a good place to start. NIST also has a useful document, Small Business Information Security: The Fundamentals, to review.

There are also some simple things you can do today, even before you set out to complete a risk assessment:

  • Always encrypt sensitive information, both in transit and at rest.
  • Understand your data retention policy. If you don’t keep it, it can’t be compromised.
  • Limit access to information; the fewer people who can access it, the better.
  • Create a good password policy, and enforce it.
  • Patch your systems as often as possible, or at least know why they are not patched.
  • Ensure good boundary protection, including wireless access points and bring your own device (BYOD).
  • Train your employees on good security hygiene.

Join the Conversation
  • Felix Michael

    Useful article.