A recently-published NAVEX report offers an interesting insight into the views and practices of over a thousand compliance professionals.
The report suggests that compliance and risk professionals are doing a fairly diligent job despite the turmoil and uncertainty of recent years. However, some areas leave room for improvement, such as how organisations respond to risk assessments.
The respondents also revealed the areas of risk and compliance that are most important to their organisations, with regulatory compliance, privacy and fraud coming out on top.
Here’s a look at three interesting insights from the report about risk assessments, compliance concerns and third-party risk.
Reviewing and Acting on Risk Assessments
The report suggests that participants were generally conducting risk assessments where appropriate. This is crucial, the authors suggest, because of “the importance of building compliance programs on a strong foundation of risk assessment”.
So far, so good.
However, the responses also suggest that the results of such assessments were “not always put to best use”—and that risk assessments are sometimes being conducted in a one-and-done fashion.
For example, around one-quarter of participants noted that their organisation’s risk assessment was either not current or not subject to periodic review.
Periodic review is a vital part of the ongoing process of assessing risk. As the UK Health and Safety Executive (HSE) puts it:
“Nothing stays the same forever. By talking to your staff and monitoring incident rates and control measures, you will be able to judge whether your control measures are effective.
“Managers and staff must be given responsibility to oversee the process and develop reporting procedures, discussing and helping to implement solutions, as well as monitoring the solutions for effectiveness.”
This is relevant to all types of risk assessments. Here’s what the Information Commissioner’s Office (ICO) says about data protection impact assessments (DPIAs):
“It’s important to embed DPIAs into your organisational processes and ensure the outcome can influence your plans. A DPIA is not a one-off exercise. You should see it as an ongoing process that is subject to regular review.”
A minority of survey participants (47%) said that risk assessments were informed by “continuous access to operational data”.
Whether continuous access to operational data across business functions is feasible or appropriate will vary between organisations and industries. But compliance teams can sometimes use such data to inform the ongoing process of assessing risk.
Furthermore, a minority of respondents (46%) reported that their risk assessments resulted in “risk-tailored resource allocation” whereby more time and resources were dedicated to high-risk areas.
A risk assessment is not an end in itself—it’s a means to identify potential problems.
If risks identified by an assessment don’t lead to action of some kind—including, potentially, directing resources to deal with the risks—the risk assessment might have been a pointless exercise.
Regulation, Privacy and Fraud Are Top Compliance Concerns
The survey asked participants about their organisations’ most important compliance concerns.
Perhaps unsurprisingly, the broad category of “regulatory compliance” came out on top, with 66% of respondents identifying this concern as “absolutely essential” to their organisation.
Regulations extend into many areas of business activity and almost every organisation will need to have some regard for regulatory compliance.
Next came “data privacy”, with 64% of respondents deeming this an “absolutely essential” concern.
Bear in mind that many of the survey participants were based in the US, where privacy law remains fragmented. However, 10% of US states—namely, California, Colorado, Connecticut, Virginia and Utah—have enacted local privacy laws in recent years, with many more considering doing so.
Moreover, multinational companies must comply with a patchwork of national and regional laws, including the General Data Protection Regulation (GDPR) across most of Europe and recently-enacted national laws in countries like Brazil, South Africa and China.
In fact, according to the United Nations Conference on Trade and Development (UNCTAD), 137 out of 194 countries have some form of “legislation to secure the protection of data and privacy”.
“Bribery, corruption and fraud” was identified as participants’ third-most important compliance concern, with 55% of businesses identifying it as an “absolutely essential” concern.
The latest edition of PwC’s annual Global Economic Crime and Fraud Survey suggests that 46% of organisations experienced fraud in the year preceding the survey and that there has been a substantial increase in certain types of fraud (mostly involving online security) over the past two years.
Financial crime risks are not exclusive to financial institutions—businesses of all kinds must manage the risks associated with fraud, bribery and corruption.
Third-Party Risk Management
The survey asked participants some interesting questions about how their organisations handled third-party risk management (TPRM).
Participants were asked how well their organisations performed in terms of ensuring “proper contract forms” were applied in their agreements with third parties. Forty per cent of respondents said their organisation’s performance was “good” in this area, with just 8% rating it as “poor”.
The most problematic TPRM area was “requiring compliance training and certifications from third parties”. In this area, 19% of respondents said their organisations’ efforts were “poor”, with just 30% rating them “good”.
Again, the survey results should be interpreted with a degree of caution. Not all companies operate in areas where they will need to require third parties to undertake compliance training or certifications.
But for companies operating in sensitive fields—or transferring sensitive data to third parties—a review of third-party compliance training and certifications should be an essential part of their TPRM process.