Risk assessment for small companies

Designing and implementing a compliance and ethics (C&E) risk assessment can be a daunting task.  This is true for many types of organizations, but it can be especially difficult for small businesses. Small companies often lack, among other things, the resources, culture, enforcement-related incentives and relevant experience necessary to be successful in a risk assessment. For these and other reasons, it can be important for small companies to have an easy-to-use and effective risk assessment procedure.

Getting started

For many companies new to the C&E area the first step in designing/implementing a risk assessment (or, for that matter, taking many other C&E measures) should be assigning management responsibility for the process.  In theory this should be straightforward, but that may not always be the case with small organizations.

That is, a small company without an in-house lawyer may need to appoint an executive with operations, HR, finance or other duties to take on what is in effect a part-time C&E officer role for the risk assessment.  However, that role is not a “machine that will run by itself.”  

Therefore, extra care should be taken to document and reinforce the risk assessment responsibilities of the manager(s) responsible for the process, e.g., inclusion of compliance duties in job descriptions, strategic plans and other responsibility-defining company documents.  

Outside counsel

Note that some companies hire outside counsel to assist with this effort.  While often valuable, having outside counsel is not strictly necessary for every small company’s risk assessment process.  For very small companies it might make sense to work through a business association, such as a trade association or chamber of commerce, to hear from a compliance professional with experience in this area.   

One benefit of having a lawyer is that the process of conducting interviews can be done under attorney-client privilege. That, in turn, should make it easier for interviewees to be candid.

Developing the risk list 

The next step in this process is to develop an initial list of risks to be assessed.  As described below, this list will be used for interviews of company personnel.

The starting point here can be the company’s code of conduct, if it has one. If it does not, it can consider looking at publicly available codes from larger companies in the same industry. While that does not assure that all relevant risks will be covered, it can be a helpful start. It is also advisable to follow industry and business news.  A company could start by having the designated compliance person read the Wall Street Journal to keep up on developing compliance risks and areas where government agencies are focusing their enforcement efforts.   

The initial risk list will often need to be modified in several ways; in fact, this can be true for even the largest, most sophisticated companies.

First, some risk areas that appear in codes of conduct, such as environmental, health, safety, privacy and fraud, may already be an area of focus for the company.  For such risk areas, there is generally no need to “reinvent the wheel” and to reassess a risk that has already been on the company’s radar.

Second, and in a related vein, for some areas there may be a need for more granularity than what appears in codes of conduct.  Examples include corruption and misuse of confidential information.  

Finally, for each item on the list, the assessment should cover not only risks of wrongdoing by the company but also areas where the company is the victim and might discover that it has a cause of action against others, such as competitors.  Competition law may be a good topic in this regard.

Using the risk list

As noted above, the risk assessment process needs to involve conducting interviews of company personnel.

To that end, the company should distribute the draft risk list to those who will be interviewed.

Who should be involved in the process will, of course, vary by company.  However, at least in my experience, staff involved in controls – law, audit, finance, HR, procurement – tend to do better with providing risk assessment information and ideas than do business people. However business people may be more aware of what is actually happening in the field, and may surface business activities that were not known to control personnel and that may raise unexpected risks. 

What gets assessed

This is the heart of the risk assessment. It includes two types of analysis.

The first concerns the likelihood and impact of violations. This is, of course, quantitative information and is standard fare in risk assessments. In other words: how likely is it that a particular violation will occur, and what are the possible consequences if it does?  However, there is a risk here that busy managers will underrate both of these factors.  For example, while retaliation is a dangerous and prevalent risk, it is routinely downplayed by managers who think it “never happens here because we say we won’t tolerate it.” 

An example of the assessment process can be seen with conflicts of interest (COI): assessing the likelihood and impact of different possible COIs, e.g., hiring relatives in a different part of the company (by business line and/or geography).

A second level of analysis is qualitative. It is more complex than the quantitative type – and more judgment based.  It seeks to identify causes of risk and to use that information to identify areas for enhancement of mitigation.

For instance, are there parts of the company where particular risks are not sufficiently understood/appreciated? If so, should training and communications be enhanced?  

The same inquiry should be made with respect to other causes of risk – e.g., undue pressure, weak process controls, misaligned incentives – all on both an enterprise and granular level.

Interviewees should also be asked for identification of any risks that are not, but should be, on the list.

Finally, small companies looking for ideas on C&E program design, development and maintenance should consider using Joe Murphy’s excellent book, 501 Ideas for Your Compliance and Ethics Program, and the SCCE white paper, A Compliance & Ethics Program on a Dollar a Day.
