Assessing the Enemy – Risks That Threaten the Mission

April 25, 2025

It’s time for another Compliance Commando Stand Down briefing on the essential elements of a military-grade compliance program! Today’s focus: Assessing the Enemy – Risks That Threaten the Mission


“It does not do to leave a live dragon out of your calculations, if you live near him.” 

― J.R.R. Tolkien, The Hobbit


Completing a thorough and thoughtful legal and compliance risk assessment is absolutely essential to the success of your mission and your continued business readiness. You cannot prepare to meet risks and enemies you did not anticipate! This is a keystone process that provides the strategic framework for tactical decisions about risk mitigation and program design. 


How do you conduct a thorough and effective risk assessment, you ask? By keeping the process as simple as possible!

Assemble and rally the appropriate units that can provide input on the legal and compliance risks the company faces – think broadly and leverage your third-party business partners who help you mitigate risk (PEO, payroll vendors, tax advisors, outside legal counsel, background check vendors, etc.).

Explain the purpose and process of the risk assessment so everyone is aiming at the same target.

Name, inventory, and catalog legal and compliance risk areas; a simple spreadsheet is useful for this exercise. Be sure to include the known legal and regulatory risk areas of your business, industry, jurisdictions, and size, as well as those that apply to every business – such as wage and hour compliance risks. Take care to include only legal and compliance risks, as this process is a microcosm of “Enterprise Risk Management.” If there is no law or regulation involved, save those operational risks to rate during the ERM process.

Define financial ranges for your impact ratings of 1-5 (1-minimal, 2-low, 3-medium, 4-high, 5-extreme). It’s usually easiest to define the financial impact that would be catastrophic for the business and then define the ranges backwards in substantially equal proportions down to “minimal.” Consider not just fines or penalties, but also loss of market share or goodwill, reputation damage, exclusion from public procurement, attorney’s fees, costs of remediation or restitution, workforce impact (turnover, retaining talent, or organizing), and other impacts to the business.

Rate the risk areas on the probability that a violation or non-compliance will occur (1-remote, 2-unlikely, 3-possible, 4-likely, 5-certain) and rate the impact on the organization, as defined by the ranges the company established.

It is important to rate both inherent risk – that is, the level of risk before any controls, oversight, policies, or other mitigation are considered – and then rate again for residual risk after considering what mitigation is in place. This is how you identify the resources that are already being devoted to effective risk mitigation, so you have a CLEAR picture of which risks are mitigated and how.


Assessing risk requires guessing at the future, but aim for intelligent, informed guessing based on known factors such as what has occurred in your business, at peer companies, and in the industry as a whole, and where regulatory enforcement priorities are likely to go.


As with any successful military mission, preparation, planning, and training are the keys to success. There is no substitute for a solid risk assessment in planning and training your company to stay compliant and legal in all of its operations. If you need a strike force to get you through a risk assessment, CLEAResources has just the Commandos to provide you that extra bit of force to get things done. Let us know how we can help you get to “mission accomplished!”


Follow us on LinkedIn!

Amy McDougal

CLEAResources LLC