The Red Flag Group®
Compliance risk assessments - target your risks effectively

Although the formalisation of risk management as a discipline is relatively recent, the notion of enterprise-wide risk management first appeared in the 1960s and was developed in the insurance field. In order to reduce losses, insurance companies encouraged their corporate clients to secure their facilities against external hazards. At that time, risk management was narrow and specific. Since then, it has spread to other aspects of business, such as health, safety, manufacturing quality and environmental protection. Risk management as we perceive it today is used in a wide range of activities, including compliance. Most traditional risk assessment approaches can be applied to compliance risks, but determining the potential impact that the materialisation of these risks might have on a company requires particular care.

Risk, risk management and risk assessments

Risk applies across all industries and may be generated by a company’s activities or services throughout its lifecycle, or by changes in business and law. However, operational risks and compliance risks differ in scope and in how they apply to the business.

Compliance risk can be defined as the risk of breaching the law, the risk of material or financial loss, or the risk of loss of reputation an organisation may suffer as a result of failing to comply with laws, its own regulations or code of conduct, or even standards of best practice.

An operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. Operational risk can be created by a wide range of external events, from power failures to floods, earthquakes and terrorist attacks. Similarly, operational risk can arise from internal events, such as failures or inadequacies in any of the organisation’s processes and systems or those of its outsourced service providers. Nevertheless, despite these differences in definition, the techniques for managing the different types of risk can be approached in a similar manner.

Another distinction that needs to be underlined here is between risk management and risk assessment. While risk management aims at controlling the level of risk associated with an activity, the objective of a risk assessment is to identify and measure the risks associated with this activity. Risk assessment is a key step in the mitigation process.

Compliance risk assessments

A risk assessment in its general sense involves three key steps that can be applied to the function of a compliance risk assessment.

1. Risk identification

Different departments of an organisation are encouraged to identify sources of compliance risk, areas of impact, risk events, and risk causes and potential consequences in order to generate a comprehensive list of risks. The identification of compliance risks can come in various forms, such as email communications, minutes of meetings, issue logs, brainstorming and discussions.

Some of the most common compliance challenges that a company should consider, and that can affect a company’s decision making, are:

  • human rights
  • intellectual property infringements
  • sanction breaches
  • export control breaches
  • fraud, embezzlement and money laundering
  • corruption and bribery
  • privacy breaches
  • anticompetitive behaviour
  • counterfeiting
  • grey market selling

2. Risk analysis

At this stage of the process, each compliance risk is analysed to understand its nature and determine its impact. The impact of risks, should they materialise, is measured using a matrix combining consequences and likelihood. The measurement can be expressed in quantitative, semi-qualitative or qualitative terms. The outcome of this weighting determines priority and so provides the basis for risk evaluation. Risks with a high probability of occurrence and a strong impact are reviewed in detail and captured in a risk register: a central repository that is consistently monitored and managed.

3. Risk evaluation

The next step is deciding which compliance risks need treatment, and in what order of priority. Depending on the organisation’s risk appetite (discussed below), a risk can either be accepted or require mitigation. The fundamental outcomes of a compliance risk evaluation process should assist with the following:

  • Understanding the nature and significance of the compliance risks
  • Obtaining information on the suitability of the compliance risk control arrangements
  • Developing and implementing additional control measures to further eliminate or reduce the compliance risks
  • Determining corporate objectives, targets and performance measures
  • Identifying opportunities within the organisation’s strategic goals and implementing strategies in line with compliance functions to enhance these opportunities
  • Identifying abnormal events
  • Improving the compliance programme overall.

A key aspect of determining what compliance risks exist within an organisation when conducting a compliance risk assessment is understanding the organisation’s risk appetite beforehand, as part of the analysis. The key is to decide how much compliance risk the organisation is willing to accept: where it has little appetite, and where it might be comfortable taking on more risk as a means of meeting strategic goals. To do so, the organisation needs to balance the financial resources, time and effort required to reduce a risk against the degree of risk presented. Even if some risks are worth taking to achieve profit, that does not give companies a free pass to compromise on compliance with laws and regulations.

Risk appetite depends mainly on the industry, on a company’s overarching attitude to compliance and on its knowledge of the consequences of a breach. Pharmaceutical companies, for example, will most likely maintain a low appetite when engaging third parties, given the potential ramifications of non-compliance with the expected standards for handling medical products. By contrast, oil and gas companies are often laxer when engaging with government-associated organisations, despite the potentially high risk of corruption.

Why do we need to carry out a compliance risk assessment?

Conducting compliance risk assessments has become an increasingly fundamental requirement for all businesses. A compliance risk assessment is a crucial step in implementing an efficient, proactive and sustainable compliance programme. Companies should not expect to receive full credit for a compliance programme that is not derived from a compliance risk assessment. Analysing and ranking compliance risks allows companies to develop the best response to significant compliance risks by allocating compliance resources tailored to those risks. Companies often spend too much time on specific expense-related situations to the detriment of mitigating other risks, such as third-party conduct.

The wide range of laws and regulations setting out specific requirements and tougher penalties has increased companies’ liability and the monitoring of their activities. Companies cannot guarantee the total eradication of wrongdoing by conducting a compliance risk assessment, but they can demonstrate their awareness and their willingness to move in the right direction in an efficient and expedient manner. It helps reduce the likelihood of prosecution and its related consequences, such as imprisonment, fines and a severely tarnished reputation as a result of illicit practices.

The number of legal and regulatory requirements has continued to grow, especially in the financial services and healthcare industries, and therefore the need for compliance risk assessments is constantly expanding. Tracking these changes, assessing their impact on the organisation and updating compliance registers is becoming a must-do activity for companies.


What is compliance risk assessment?

Compliance risk assessment is a term used across many industries for ascertaining how well companies and people comply with prescribed rules and regulations. Often, governments or industry regulators prescribe a set of rules, laws and regulations that must be followed; failure to do so can result in a penalty.

Why is compliance risk assessment important?

Compliance risk assessment is important because it helps companies and investors to identify and manage compliance risks before they affect their businesses. Compliance risk assessments can help companies by ensuring that they and their third parties are operating or doing business in accordance with the law.

Compliance risk assessment helps to effectively assess the legal and reputational risk exposure of an institution’s business activities, not only in terms of adhering to applicable laws and regulations, but also to relevant internal firm policies and standards of conduct.

What should be included in a compliance risk assessment?

A compliance risk assessment should include the following three key components:

1. Regulatory matrix – Includes an inventory of federal and/or state laws, regulations, rules, standards and other guidelines to be used in determining the applicability of each to relevant business units and/or activities. Additionally, the matrix will reflect (at a summary level) the results of each risk review, including inherent risk, control factor assessment(s), residual risk and any recommended corrective action.

2. Compliance risk analysis – Provides a detailed analysis of the level of compliance risk inherent for each applicable law or regulation, including the effectiveness of the compliance risk control methods used to measure, monitor and control all identified risk(s). The risk analysis will result in a calculated level of residual risk and will contain recommended corrective action(s) to reduce unacceptable residual risk to an acceptable level.

3. Compliance reviews – Provide for an assessment of overall compliance with respect to applicable laws, regulations, rules, standards, guidelines and/or firm policies and relevant control environment used to identify, measure, monitor and control compliance risk.

More generally, risk assessment determines the likelihood of loss on an asset, loan or investment. Assessing risk is essential for determining how worthwhile an investment is and the best process(es) to mitigate its risk. It sets the upside reward against the risk profile, and it also determines the rate of return necessary for a particular investment to succeed.