In the past, the compliance function rarely understood or used risk modeling as part of its process. Risk and compliance issues were seldom modeled to prioritize resources or estimate business impact.
Compliance was seen as reactive, putting out fires instead of anticipating and interpreting ethics and compliance risks and developing treatment plans to avoid or reduce damage to the organization.
The Chief Ethics and Compliance Officer (CECO) of the 21st century needs to take a risk-based approach to compliance processes. This requires the organization to gather information from the external regulatory and business environment, to understand the current and future context of a distributed and dynamic business, and to model business and risk impact both now and for the future.
In several industries CECOs are best served by risk models that support scenario and decision tree analysis to evaluate risks in their environment, but they can also benefit from MARCI charts (mitigate, assure, redeploy and cumulative impact), heat maps, and quantitative approaches such as Monte Carlo simulation to depict impact and loss.
Despite the complexity of the analysis, the principles and elements of compliance risk management remain the same:
An organization requires a risk-based approach to managing ethics and compliance. This includes periodic assessments of the organization for unethical conduct. The risk assessment process should also be dynamic, repeated whenever a significant business change could create new incidents or exposures, such as entering a new market, adopting a new strategy, or undertaking a merger or acquisition.
How an organization implements compliance controls and procedures should be proportional to the risk it faces. If a business partner or a particular region receives a high risk score for corruption or ethics, the organization should respond immediately with stronger compliance controls and procedures. Proportionality also depends on the size of the organization, since smaller enterprises are not expected to operate at the same level as larger ones.
Risk assessment and due diligence efforts need to be kept up to date. They should not be treated as point-in-time exercises; they must be repeated whenever the business becomes aware of relevant changes, and otherwise on a regular schedule, so that increased ethics and compliance risk is identified.
The organization needs someone accountable for the oversight of compliance risk activities and processes. This ranges from independent monitoring bodies, such as the audit committee of the board, to a designated authority figure to whom ethical and compliance risks are reported.
The organization needs to monitor business changes that could affect its ethics and compliance program or introduce greater risk to corporate integrity. It should document changes in business practices, identified through investigation and observation, and implement them through a formal change management program. Compliance must monitor and document these changes actively in order to prevent any form of corruption.