High quality ethics and compliance (E&C) programs, as identified by ECI (Ethics & Compliance Initiative) understand and accept responsibility to identify, manage, and mitigate ethics and compliance risks. For more on ECI’s take, see our June 3, 2016 blog post on ethics and compliance.

Two major emerging risks, per a recent survey of financial institutions by consulting firm Deloitte & Touche, are cybersecurity and “the need for financial institutions to take proactive steps to encourage ethical behavior among their employees and create a risk-aware culture” (Hida, 2017).

In order to manage risk, all forms of risk, including E&C-related risk, firms and their leaders must assess risk on an ongoing basis. So, it was timely of the National Association of Corporate Directors (NACD) to blog about how to improve any risk assessment process (DeLoach, 2017). A risk assessment, says DeLoach, should help decision makers understand what they don’t know, “rather than shuffling ‘known knowns’ around on a risk map.” Here is a summary of NACD’s 10 practices for improving the risk assessment process.

1. Involve the appropriate people—across the C-suite and vertically into the organization—to ensure relevant points of view are heard.

2. Reduce the danger of groupthink—ensure that all perspectives are heard and considered, including dissenting views.

3. Focus comprehensively on the distinctive dimensions of strategic risk—the implications from a given strategy; the possibility of that strategy not aligning with the firm’s mission, vision, and core values; the risks to executing the strategy.

4. Understand the assumptions underlying the strategy—how will the strategy drive behaviors in setting objectives, allocating resources, and making key decisions.

5. Consider the impact of disruptive change.

6. Consider appropriate criteria to assess “high impact, low likelihood” risks—to include the firm’s response readiness.

7. Understand the sources of risk—design the process to identify patterns that connect potentially interrelated risks (those that are not necessarily mutually exclusive).

8. Inform the board of the results (of the risk assessment) in a timely manner—incorporate the identified risks into the board’s oversight process.

9. Integrate risk considerations into decision-making.

10. Never end with just a list—designate appropriate risk owners to develop appropriate responses and accountability structures.

Obviously, E&C professionals could apply this approach specifically to their own domains, as part of the effort to identify, manage, and mitigate ethics and compliance risks. Ideally, however, the ethics and compliance program is integrated with an enterprise-wide risk and compliance effort, thus reinforcing the strategic importance of ethics and compliance to business success

Feel free to contact Ethical Advocate for information about ethics and compliance solutions.

References

DeLoach, Jim. “Ten Practices for Improving the Risk Assessment Process.” NACD blog, March 2, 2017. https://blog.nacdonline.org/2017/03/improve-risk-assessment/

Hida, Edward. “Global Risk Management Survey, 10^th edition.” Deloitte University Press website, March 2, 2017. https://dupress.deloitte.com/dup-us-en/topics/risk-management/global-risk-management-survey.html