The Role of Risk Management in a Best Practices Compliance Program - Q&A With Tom Fox

Thomas Fox - Compliance Evangelist

[The following Q&A with Tom Fox comes on the heels of publication of his new book, The Compliance Handbook, which can be purchased online here.]

Q: Why is risk assessment still the key component of a compliance program?

Tom Fox: The DOJ/SEC made clear the need for a risk assessment in the 2012 FCPA Guidance. Under Hallmark No. 4 of the Ten Hallmarks of an Effective Compliance Program it stated, “Assessment of risk is fundamental to developing a strong compliance program and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” This mandate has only expanded under the Evaluation of Corporate Compliance Programs.

Q: How did this mandate for a risk assessment expand under the Evaluation?

Tom Fox: The Evaluation built on this with the notion that as compliance evolves and corporate compliance programs become more sophisticated, compliance is seen not simply as a legal prophylactic, but as a business process.

In this light, it is clear a risk assessment is no longer sufficient, but you need an entire risk management process. Your risk management process should begin with forecasting, as it attempts to estimate future aspects of your business.

Compliance professionals should be able to say with some degree of authority what will happen in the next three, six, 12, or 24 months. This can facilitate resource deployment where they think is appropriate in order to meet these future demands. From there forecasting leads to risk assessment, which leads to risk-based monitoring.

Q: What is the risk management process? 

Tom Fox: Your risk management process should begin with forecasting, as it attempts to estimate future aspects of your business. A compliance function utilizes risk assessment to consider issues which forecasting did not predict or issues which the forecasting model raised as a potential outcome which warranted a deeper dive.

Risk-based monitoring follows on from the issues that your risk assessment identified as your highest risks. Risk-based monitoring tends to look at things on an ongoing basis, and the models that are behind the risk-based modeling are continuously refined based on incoming data.

Q: How does all of this tie together?

Tom Fox: All of these three tools tie back into process management and process improvement. There is a balance between what is actually important for your business or for proper execution versus the practical aspects of the whole process.

In the book, I quote Ben Locwin, international business consultant and former pharmaceutical executive, for the following, “If you are not measuring at a high enough resolution, then you are not capturing a lot of the environmental, market forces and external factors that probably are of high leverage to your operations in business that you simply do not know about.” 

Q: How does this risk management process tie into a compliance program?

Tom Fox: The risk management process fulfills the three prongs of a compliance program: prevent, detect and remediate.

You are using your risk forecast and you have a contingency in place, which you execute upon, using the risk management tools available to you and when a situation arises, you remediate when required.

This is not only where the rubber hits the road but the information and data you garner in the execution phase should be fed back into a process loop. From this, you will develop continuous feedback and continuous improvement.

*

The Compliance Handbook is available on Amazon.com
