The 2020 edition of Risk & Compliance Management reflects the rapidly growing legal requirements on corporates worldwide regarding their risk and compliance management. Legislators in many countries are demanding that corporates implement and maintain effective risk management and compliance management systems. As a result, many companies need to professionalize their risk and compliance management. To give an example from risk management: the DOJ, in its recently updated Evaluation of Corporate Compliance Programs, proposes that the first risk management question to corporates under investigation is: “What methodology has the company used to identify, analyze, and address the particular risks it faces?”
Globally, there are only two generally accepted risk management methodologies: the ISO Standard 31000 – Risk management (according to the OECD, de facto the world standard) and the COSO Enterprise Risk Management/ERM Framework. What the DOJ, in my understanding, is saying is that effective risk management must be transparent, methodological and systematic. Invented-here risk management models based on Excel sheets are outdated. A possible test for the maturity of risk management is whether the board and senior management have decided what the risk tolerance of the company is and whether they have broken this down and communicated it to the employees. Another test is to ask how the company selected its risk assessment techniques and how they are applied in the risk assessment process. And then it is about the top 5 key risks that have been assessed and their treatment (which many companies forget). Also, the board should discuss the top 5 risk scenarios with executive management on a regular basis and document its findings and decisions. If all this is done methodologically, a company should pass the tests of the DOJ, SFO, AFA etc.
With regard to the professionalization of compliance management: many jurisdictions have in the past years introduced legislation requiring companies to implement effective compliance management systems: Italy, Brazil, Argentina, Spain, France and, just a few days ago, Germany. Many other countries have had such legislation in place, some for decades, as for instance the US, UK and Switzerland. However, empirical evidence shows that many companies do not yet live up to the statutory requirements. This is corroborated by the high number of compliance scandals of recent years at big and mid-sized multinationals or – just by way of example – the fact that 75% of global organizations still do not train their C-Suite and Board of Directors specifically on ethics and corporate compliance topics, as a recent survey by SAI Global showed. Here again, companies should not reinvent the wheel but follow best international practice, as represented in ISO Standard 19600 – compliance management systems, or generally accepted guidance such as the DOJ Evaluation Criteria. A simple test for the maturity of compliance management is to check for direct access of the compliance function to the Board, its true independence from line management and the availability of adequate resources. As a rule of thumb, around 0.3 to 0.5% of turnover, or 3-5% of gross income for financial institutions, should be spent on compliance. Also, the quality of the whistleblowing mechanism typically shows immediately how mature an organization’s compliance management is. A company with no whistleblowing system, or with an ineffective or under-used one, typically has a major compliance weakness and generally a higher financial and reputational risk.
In summary: the importance of ethical conduct and effective control systems is increasingly recognized, appreciated and reflected in tangible legislation around the world, and in all dimensions key to the sustainable development and growth of companies. This is what the new edition of Risk & Compliance Management reflects. I wish you success in your risk and compliance management endeavours in 2020.