How well do you know your compliance risks?

Updated: Oct 10, 2022

By Michael Fawlk & Lorena Cobiella Carnicer LL.M


All organizations - from large corporations through public institutions to NGOs - should maintain an effective compliance program. Broadly, that is one which is designed to detect and prevent violations of law, regulation and organizational policy.

The cornerstone of any effective compliance program is a thorough grasp of the organization’s risks, gained through a robust compliance risk assessment that is informed by a clear understanding of the organization’s operating environment and the types of risk of misconduct that may occur (sometimes referred to as scenarios).


Without the necessary investment of time and effort to achieve this depth of understanding, the compliance “house” will be built on sand and risks being blown away or severely damaged by the first unanticipated risk to hit the organization. Enlisting the active participation and contributions of those who know the operations best is a key success factor here.


If this is to be a valuable foundational exercise rather than a potentially unmanageable laundry list, it is important that, as part of the process, judgements are made as to the likelihood that each such risk will materialize and the consequences for the organization’s operations. With this information, the organization can prioritize often scarce resources and mitigate the greatest risks first.


But risk is not static - as the organization's operations evolve, perhaps by entering a new area or developing new products or new ways of marketing products - so too do the risks the organization faces. A recent example we worked on together was a comprehensive review of a multinational corporation’s marketing compliance policies to ensure they adequately managed risk as the company expanded its digital marketing programs. This resulted in a suite of new risk management tools in the form of policies, processes and training.



If the organization’s compliance program is to be successful in anticipating and mitigating its risks, the risk assessment cannot be a one-time exercise or a snapshot. If it is, the organization is likely to be exposed to unforeseen and therefore unaddressed risks and face potentially damaging consequences, for example in the form of penalties, reputational harm and the loss of investor or donor confidence and support. Ideally, these periodic risk reviews should be scheduled and completed annually to set the agenda for the prioritization of risks and the revision of mitigation tools, such as policies and related training, for the year ahead.



 
