As global regulations proliferate and stakeholder expectations increase, organizations are exposed to a greater degree of compliance risk than ever before. Specifically, compliance risk is the threat posed to a company’s financial, organizational, or reputational standing resulting from violations of laws, regulations, codes of conduct, or organizational standards of practice.
To understand their risk exposure, many organizations may need to improve their risk assessment process to fully incorporate compliance risk exposure. The case for conducting robust risk assessments can be made given today’s business complexity, but it is also deeply rooted in the U.S. Federal Sentencing Guidelines for Organizations, which establish the potential for credit or reduced fines and penalties should an organization be found guilty of a compliance failure. Nevertheless, according to a survey conducted jointly by Deloitte & Touche LLP and Compliance Week, 40% of companies do not perform an annual compliance risk assessment.¹
How Do Compliance Risk Assessments Differ?
Organizations conduct assessments to identify different types of organizational risk. For example, they may conduct enterprise risk assessments (typically owned by the CFO or Chief Risk Officer) to identify the strategic, operational, financial, and compliance risks to which the organization is exposed. In most cases, the enterprise risk assessment process is focused on the identification of “bet the company” risks—those that could impact the organization’s ability to achieve its strategic objectives. Many organizations also conduct internal audit risk assessments, which likely consider financial statement risks as well as other operational and compliance risks.
While both of these kinds of risk assessments are typically intended to identify significant compliance-related risks, neither is designed to specifically identify legal or regulatory risks. Therefore, while compliance risk assessments should certainly be linked with the enterprise or internal audit risk processes, they generally require a more focused approach. That is not to say that they cannot be completed concurrently, or that they ought to be siloed efforts—most organizations may be able to combine the activities that support the various risk assessments, perhaps following an initial risk identification and assessment process.