We have seen a great deal of regulatory guidance that has prescribed developing “risk-based” compliance programs. What is the meaning of risk-based? And how does your company prove you have a risk-based compliance program?
Risk-based indicates that the company has performed a risk assessment. Risk assessment is the exercise of identifying specific risks related to an endeavor and then determining what kind of actions will be taken to “control” or mitigate the risk. (Note: This is where the term “internal controls” comes from.) Human beings, and most other animals, conduct risk assessments constantly. We observe a situation, usually with some future action in mind, and then we decide whether it is worth moving forward (i.e., taking the risk). This generally involves determining other actions that could be taken to reduce the risk.
Let’s look at a real-life example we find ourselves universally confronting every day. We have all been schooled about the risk of contracting COVID-19. One way to control/mitigate this risk could be to stay at home without having any contact with any other human being. This would be a highly effective way to “control” the risk but is likely to create other problems that outweigh the benefit of exercising this much control. Alternatively, controls can be “stacked” or combined to work together. Multiple controls that on their own are less effective may have fewer costs associated with them, and when coupled with other controls, may create a highly effective control framework that has a lower overall cost. As an example, working from home, wearing a mask, using grocery delivery, or staying 6 feet apart all help, but to a more limited degree. However, in combination these actions can be significantly more effective than any single control on its own.
How an individual or company deals with risk is personal and unique and is based upon the person’s or company’s risk tolerance. Regulators understand this and expect companies to determine and demonstrate their own risk tolerance by developing their own risk assessment, internal controls, and compliance program. AND…don’t forget to document it!