What is a risk-based approach?
Miguel Gallardo Guerra
Bello, Gallardo, Bonequi y García (BGBG), Mexico City
Samuel Uziel Rivero Prado
Bello, Gallardo, Bonequi y García (BGBG), Mexico City
One of the most common phrases in corporate ethics and compliance is ‘a risk-based approach'.
What does it mean? How do you run a compliance programme every day when you use it?
The definition of a risk-based approach is identifying the highest compliance risks to your organisation, making them a priority for the organisation’s compliance controls, policies and procedures. Once your compliance programme reduces those highest risks to acceptable levels, it moves on to lower risks.
In this way we can see why a risk-based approach is so useful. Your highest compliance risks will cause the highest interruption if they happen, resulting in time spent on research, regulatory settlements, unwanted headlines, endangered business partnerships, among other things.
Regulators advocate a risk-based approach for another reason: because it shows that the company really worries about its risks.
For example, if you perform the same due diligence procedures on all third parties or providers, it could be less efficient. Many of your third parties or providers are harmless, while others may be a huge danger. Applying the same standard to all providers indicates that the company is not thinking about its compliance risks, suggesting instead that the company is only thinking about demonstrating compliance with one more requirement, in this case, due diligence.
Once regulators have that idea in mind – that perhaps the company sees compliance as an item on a checklist to finish as soon as possible – you are in a much worse position. Regulators may begin questioning the sincerity of the company regarding compliance, as well as its ability to comply. Nothing good will result from this.
What does a risk-based approach imply?
Our risk-based approach definition has two parts: identify some risks; and make them a priority. Therefore, a risk-based approach implies skill in both risk assessment and nimbly reacting.
That is an important point for compliance officers to consider when they defend the value of their compliance programmes before senior management and the board of directors. The best way to run a compliance programme is to use a risk-based approach. However, it is not necessarily cheaper or faster because saving and speed are not its main purposes – the reduction in compliance risk is.
The ‘risk assessment skill’ involves several specific abilities. For example, it implies a strong ability to perform due diligence on third parties, who may become part of your extended company. Inevitably, a third party brings some risk, which is alright as long as you understand the nature and extent of the risk.
It also involves the ability to monitor regulatory change. We may define these as new regulations which affect your business, or existing regulations that are becoming higher enforcement priorities. (Think about the corruption risks ten years ago, or the risk of sanctions today.) There will be a need to understand how a regulatory change in the outside world is changing the criteria for ‘high’ compliance risk in your specific organisation.
Perhaps most importantly, you need the ability to understand the compliance risks arising from your company's internal processes: new product lines, new incentive compensation schemes, new IT systems, new third parties, new assignments for third parties. All of these factors may affect your compliance risks, without any ‘external’ changes.
To some extent (in many cases, to a large extent), compliance officers will need to access more data and more analytics to develop these abilities. You will also need a good relationship with other areas of the company so that you are constantly informed of the internal changes. This means support for compliance by the leaders of the organisation. It is important that those other parts of the company understand that they must always include the compliance area in their decisions.
Risk-based approach after the assessment
After that enhanced risk assessment, comes the job of reacting to identified risks. As mentioned, ‘nimbly’ is essential for this process to succeed. It also requires many specific abilities for the compliance programme. First, the programme will need the skill to implement the controls. These controls are like the ‘car brakes’ that stop the company compliance risk from becoming a disaster and they need to work. If not, the skill to develop compensating controls is needed to fill the gap. In practice, that may mean working closely with your audit team or an information security function, or even an outside provider.
Second, the programme will need skills in policy management because a control somewhere may not cover the specific compliance risk you have. In that case you will need to change a policy or procedure to fix it and that change must be constantly updated.
Without that ability to manage and control change within the company, the organisation may face serious doubts about its compliance programme's effectiveness. Perhaps the company is not dedicating enough resources or maybe several employees are not giving compliance the priority it needs. Whatever happens, the inability to implement compliance defeats the point of a risk-based approach.
Third, the programme will need reporting skills because these will provide the evidence to demonstrate to senior executives, regulators, business partners and anyone else that the compliance programme has thought through its approach.
Once more, identifying priorities is the purpose of a risk-based approach. Many groups will have a perfectly reasonable need to ask, why are we doing this? Clear and precise reports about compliance provide the answers.