Inside Experts: It’s time to grab the lowest-hanging fruit
Every company assesses risk. This is not just a compliance issue. There are operational risks, competition risks and other risks that companiesfrom a business perspectivemust control. The process is a familiar one.
October 29, 2012 at 03:00 AM
4 minute read
The original version of this story was published on Law.com
Every company assesses risk. This is not just a compliance issue. There are operational risks, competition risks and other risks that companies—from a business perspective—must control. The process is a familiar one.
But when it comes to compliance, I see too many programs overlooking the incredible benefits of a thorough risk assessment. Too often, compliance officers believe they know where their companies' risks are or don't see the value for the cost and ask for a “quick and dirty” risk assessment.
A risk assessment done right provides significant benefits:
- Business buy-in to short-, medium- and long-term goals
- Easier budget and resource discussions
- Proof for regulators of the robustness of your program
- Agreed-upon progress metrics and a format to report-out
- Robust prioritization of issues (and how to easily avoid fire drills)
- Effective use of resources
- Comfort in the identification of issues
How can companies achieve these benefits? To secure the full benefits of a robust risk assessment, the mindset must be one of establishing a continuous feedback loop. Too many companies view a risk assessment as a document rather than a process.
The first requirement is to involve the business in the process: That's where the feedback comes from. This leads to the first concrete benefit to an effective risk assessment: business buy-in. A risk assessment based on data provided by the business is one that the business will understand and accept. Data-based risk assessments also avoid a compliance officer's confirmation bias—“I know what our risks are”—and gives comfort that all risks have been identified. Because one thing I've found: In any set of data, there's always a surprise.
An assessment that doesn't include the business will always be suspect in the business's eyes. The business will resist. That resistance will be especially strong when suggesting remediation that costs money. Anything you try to do will be labeled unrealistic, unwieldy, too disruptive and too expensive. And then, I'm afraid, the business will get negative.
The structure of a robust risk assessment leads to some of the other benefits. The risk assessment has several key sections: business activities that bring risk, what type of risk (geographic, industry, third-party, etc.), current mitigating controls, planned mitigating controls and target dates. It has elements of a project plan.
Once the business buys into that project plan, you've just won half the battle. Because buying into the plan means buying into the commitment of resources—budget and people—to accomplish that plan. Even the arguments you'll be having are better ones. You'll argue with the business about resource allocation versus return on investment and which planned mitigation enhancements will have the most impact. You'll be forced to prioritize, think through and focus your efforts. All this will help you improve your program. And as my old boss used to say, it's the right conversation to be having. There's even a term for these kinds of arguments: engagement.
Once you have agreement about the plan and the target dates, you also have a natural reporting-out format. You have a plan; you can track progress against that plan. If you fall behind schedule, you can reprioritize, explain it or renew the discussion around what new resources could achieve.
Next, I knew of a place once where the compliance people felt they were always working on “fire drills”—something happens and requires an immediate response, and then everything else gets put on hold to work on this new thing. So how can a program stop confusing the “important” with the “urgent”? Through risk assessment. When you encounter a new problem, you now have a mechanism to examine that problem in context.
From a regulatory perspective, these kinds of business-based decisions—decisions to prioritize addressing one defined risk over another—are rarely, if ever, questioned.
Imagine having this discussion with regulators: “Look, we caught that issue, and we discussed it. We looked at our entire universe of risk and decided that we needed to address it, but we have four issues that are more pressing, so it's now on our risk map as risk number five. We have a plan in place to address that risk, and we've already decided, alongside the business, what resources—budget and people—we will allocate to it. We've agreed with the business on delivery dates. For previously identified risks, by the way, we're 12 percent ahead of schedule. The business is fully behind this effort, and is integral to our continued risk identification and mitigation efforts.”
Now that's a conversation I'd like to have.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Crypto Groups Sue IRS Over Decentralized Finance Reporting Rule
SEC Penalizes Wells Fargo, LPL Financial $900,000 Each for Inaccurate Trading Data
US Reviewer of Foreign Transactions Sees More Political, Policy Influence, Say Observers
Pre-Internet High Court Ruling Hobbling Efforts to Keep Tech Giants from Using Below-Cost Pricing to Bury Rivals
6 minute readTrending Stories
- 1Letter From London: 5 Predictions for Big Law in 2025, Plus 5 More Risky Ones
- 2Crypto Groups Sue IRS Over Decentralized Finance Reporting Rule
- 3Jenner Brings Back Zachary Schauf from DOJ's Office of Legal Counsel
- 4'Erroneous Assumption'?: Apple Challenges DOJ Antitrust Remedy in Google Search Monopoly Case
- 5A Jury to Determine Whether Stairs Were Defectively Designed in Injury Case, State Appellate Court Rules
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
