Strategic Risk Assessment and Compliance Management

The process of risk assessment and management in the context of compliance and business quality is crucial for organizations, according to an article by All Things Compliance. Following the assessment, the translation of findings into a risk profile is essential.

The author highlights insights from William C. Athanas, a partner in Holland and Knight, who suggested a shift in FCPA compliance strategies, challenging the common assumption that violations follow a bell curve. Instead, Athanas proposes a hockey stick distribution where a few individuals are responsible for most violations. Accordingly, he recommends focusing compliance resources on this limited group.

The Treasury Department’s 2019 Framework for OFAC Compliance Commitments provides a methodology that adapts to identified violations or deficiencies during routine business activities.

A risk matrix is a tool that helps to evaluate risks by categorizing them based on their significance and likelihood. This categorization is then used to create a heat map that helps to prioritize risks, with the most significant and likely ones being the focus of remedial efforts and continuous auditing.

The likelihood factors range from highly likely to unlikely events and corresponding responses are assigned according to the existence of controls, written policies, compliance failures, and training programs.

The priority rating system is not a measure of compliance effectiveness, but rather a means to focus on the most significant risks. Tools for continuous monitoring are an asset but may include substantive training for employees.

Finally, it’s important to let the risk assessment and evaluation inform the compliance program rather than the other way around. This holistic approach ensures that compliance efforts are tailored to address identified risks effectively.