Risk Assessment – Laying the Foundation for a Strong Program
This is the second article in a three-part series on building effective compliance programs.
In our first post on building effective compliance programs, we wrote about the importance of committing to compliance. But that is only the first step; the next is to standardize your compliance program with documented policies and procedures. In the compliance hierarchy outlined in the previous piece, this is the point when compliance goes from "fragmented" to "defined."
A risk assessment is key to properly defining a compliance program. The assessment allows you to right-size your program with policies and procedures tailored to the risks you actually face. The result is a program that is practical and connected to both the business you conduct and the highest potential threats.
If it were possible to design a perfect compliance program, we would never hear about fines again. However, the undeniable fact is that compliance is extremely complicated, especially when the preservation of compliance depends on perfectly managing people and complex programs, like cybersecurity. Considering how many different threats (intentional and accidental) can compromise compliance, companies can’t expect to address them all.
A risk-based approach rests on the principle that when threats are myriad and defenses are limited, those limited resources should be focused on stopping the biggest threats. That might mean protecting a certain class of regulated data or defending against a specific cyberattack; it’s all about deploying security wherever it will have the biggest impact. In that way, a risk-based approach helps to maximize the impact of the compliance program instead of spreading it thin.
It also helps produce employee buy-in, which is crucial for avoiding user errors. Framing a threat/defense as the “most important” rather than as “one of many” helps to command people’s attention and make your priorities clear. Users may not become perfect at cybersecurity broadly, but they’ll probably become perfect with regard to the “top risks.”
The most compelling case for a risk-based approach may be that it’s considered part of a best-in-class compliance program. If a prosecutor, auditor, or other third party evaluates the quality of the compliance program in the wake of an incident, the program will likely only be considered adequate if you've conducted a risk assessment and responded to the top risks. And if your program does pass third-party review, you may receive lesser fines and fewer required remedial actions as a result.
The sooner you get serious about risk assessment, the better. It’s relatively simple when companies are small, but it becomes harder as companies grow. Rather than trying to start from scratch later, companies should identify their top risks now, then update and expand the list on an ongoing basis.
HOW TO LAUNCH A COMPLIANCE PROGRAM BASED ON A RISK ASSESSMENT
As the foundation for the entire compliance program, the risk assessment needs to be conducted correctly. Follow these best practices to learn as much as possible:
- Design the Risk Assessment – Companies can explore their risk exposure using a variety of tools — surveys, interviews, document reviews, market analysis, etc. Start by determining what toolset best supports the assessment and provides the best supporting information. Then identify which stakeholders will be involved with providing information, conducting analysis, and leading decision making.
- Research Risk Profile – Risk assessment is all about identifying anything and everything that could compromise compliance. Technical issues are high on the list, but so are things like bribery, burglary, human error, or natural disasters. How these threats rank in the risk assessment will be different for every company, but it's important that as many as possible be included. To put it simply, you can't accurately assess risks until you know what all of them are.
- Prioritize Each Risk – Risk is measured based on several factors: the likelihood of an incident, the probability of stopping it, and the consequences if it is successful. Risks that are common, hard to stop, and highly destructive are the priorities, and everything else is ranked below them. Since you're using this list to determine how you'll deploy limited resources, it's important to be accurate and honest about your top priorities.
It’s easy to make assumptions about risk, and it’s also easy to be wrong. As we emphasized earlier, compliance programs need to be systematic, especially in the early stages. Committing to the risk assessment process isn’t always quick or simple — and it can reveal some uncomfortable truths along the way — but diligence in any phase of implementing an effective compliance program is always worth it.
DOCUMENTING YOUR PROGRAM
There should be a policy and procedure to cover the prioritized risks you identify. Obtain help from advisors and peers for the issues you identify. They have been through it before and can let you know what solutions work (and which ones don't).
One of the biggest challenges when developing a compliance program is the tendency to skip steps or overlook details when trying to progress toward goals. An easy way to balance both objectives is to benchmark existing plans, policies, and programs at other companies. Since those plans have already been tested and refined, they usually offer good ideas for the development of effective plans. Just be aware that the risk assessment and program documentation should be tailored to your situation; this should not be a cut-and-paste job.
Once you know where the biggest vulnerabilities exist, your conscientious attempts to improve compliance can have great impact and economic benefits — exactly what a compliance program is designed to do for business.