Large companies have the resources and the incentive to implement risk management systems. With the increase in compliance by medium and small-sized companies, chief compliance officers and internal auditors are developing and implementing risk management systems. I have never been a fan of complicating or confusing compliance and risk management. After all, risk management naturally belongs in the compliance program functions. Creating a whole new risk management function separate from compliance makes no sense.
With this caveat on the structure and operation of a risk management system, I believe that companies should conduct risk assessment and management strategies. When I use the terms risk assessment and management systems, I am referring to overall organizational risks, including business and operational risks, not a specific anti-corruption risk assessment.
A basic risk management system can be developed through an annual collaborative process which requires the participation of all senior management, as well as managers in each business unit/product or service line. Essentially, a senior risk management group should be charged with the responsibility of identifying the most significant risks facing the organization.
Members of the senior risk management committee should reach out within their respective units, divisions or other organizational units and survey management about the risks in each. The survey can be conducted informally or with a written or electronic form. Based on this information, each senior management representative should report back to the full senior risk management committee on the specific risks.
The senior management risk management committee can share the information among the committee members, and then divide into groups to assess these risks and identify any others. In the end, the senior risk management committee should develop a lengthy list of risks. Working together, the committee should complete the process by preparing a risk analysis list which includes the following elements:
A description of each risk
A measurement or ranking of the risk relative to the other risks
The assigned “owner(s)” of the risk
The policies and strategies for reducing/managing the risk
The expected outcome of such strategies
This risk assessment chart can be quite detailed and very helpful for organizing risk management strategies. The owners of the risk should be evaluated on their performance in managing the specific assigned risk.
This risk management process is continuous. Once the risk management strategy is developed and approved, the process should begin again for the next year. Repeating it inevitably leads to focused strategies to reduce risk and to improvement of compliance and other risk management operations.