Careful risk analysis and assessment are the central elements of an effective Compliance Management System (CMS). A look at the current international compliance standards makes this clear:
- UK Bribery Act: The company assesses the nature and extent of exposure to internal and external (corruption) risks. Risk analyses and assessments ensure that the existing risks are identified and prioritized accordingly, depending on business volume, activities, customers and markets.
- Foreign Corrupt Practices Act: The compliance policies and processes are developed on the basis of periodic risk analyses and assessments which take into account the individual circumstances of the company
- ISO 37001: “Risk analysis and assessment” are listed as a central component
Why emphasis on risk assessment? If the specific risks a company faces are never precisely defined, all other elements of the CMS will be misguided and ineffective. The core questions are: What guidelines and processes are necessary? What should training and communication focus on? What safeguards should be put in place? The answers to these questions will be vague unless they are based on a clear understanding of the risks.
Despite its importance, risk analysis and assessment are often neglected in legal and compliance departments. Many compliance officers start right away by drafting guidelines they deem necessary, or by providing training on specific subjects. This is understandable, and there’s nothing necessarily wrong with this approach. A thorough risk assessment involves real work. However, only companies which understand their risks exactly can develop risk-specific guidelines, and training and monitoring which are precisely targeted to their real situation (this is called the “risk-based approach”).
A Better Way: The Systematic Approach
A robust risk assessment sets the course for keeping a company’s compliance activities on track in the medium and long term.
The compliance risk analysis should, in any case, be initially as broad as possible, focusing on “classic” risk areas. Examples include: 
As with the previous step of defining the areas of responsibility , a broad initial survey of all potential risk areas doesn’t mean that the compliance officer is eventually responsible for all of these risk areas, or will be responsible for them after significant risks have been identified. Rather the focus is on identifying activities or circumstances that could cause considerable liability risks or other harm to the company and the employees acting on its behalf (in particular, liability for criminal and regulatory or antitrust offenses) and taking the necessary cross-functional risk reduction measures for these activities.
Procedure for Risk Analysis and Assessment
The following procedure has proven effective for conducting a risk assessment:
Throughout the process of risk analysis and assessment, the following aspects must be kept firmly in mind:
- What exactly is a “risk” in this context? A risk is the possibility of an illegal act which can lead to significant consequences such as sanctions (individually or for the company) or a loss of reputation. Examples: Employees bribing foreign officials or making deals with competitors.
- Within the framework of a risk assessment, we look at activities or circumstances that may be linked to such risks. Example: A company sells products requiring approval in China and relies on regulatory advice from local service providers. There’s nothing wrong with this in principle. Nevertheless, there is good reason to closely examine and, if necessary, strengthen the safeguards against this risk (for instance, by implementing thorough screening of these service providers, including background checks).Risky activities and circumstances may include the following:
- Risks associated with the specific industry (e.g. intensive regulation in the pharmaceutical or medical-device sector)
- Geographic aspects (negative Corruption Perception Index,  political instability)
- Importance of licenses and permits for a company (e.g. as a condition for operating plants)
- The degree of regulatory supervision and control, which may include local authorities taking more decisive action against foreign companies than locally owned ones
- Scope and importance of assets subject to customs duties or employees subject to entry regulations
- Opening up new markets in countries with poorly developed infrastructure
- Coordination with business partners (e.g. distributors, consultants)
- Joint projects (e.g. joint ventures which grant control in purely legal terms but involve unfavorable conditions for its effective exercise)
- The aim of risk analysis and assessment is not to eliminate risks. It’s hard to imagine a business without risks, and some risks are even inherent in the very nature of business activity and cannot be eliminated. Example: When the business involves significant dependence on official decision-makers, the risk of corruption can never be completely eliminated. However, it can be controlled as far as possible through the use of targeted measures such as compliance audits, consulting, and training.
- During the implementation phase, it should also be clearly stated what a risk assessment is not: It is neither an internal investigation nor an audit. It is crucially dependent on employees feeling they can report as openly as possible on potential risks in their areas of responsibility.
At the end of a risk analysis and should be a clear assessment: Which risks were identified? Which safeguards are already in place? Are they sufficient? Where are possibilities for improvement? As the compliance officer, you don’t have to reinvent the wheel here. Instead, look for existing safeguards you can build on. Perhaps there is already sanctions-list screening or a strong ordering process. Using them as a base, develop meaningful additions to effectively address the identified risks. At the end of a risk assessment, you will know which guidelines and processes are still missing and what exact subjects training should address. In other words: You’ll be able to determine your course and set sail.
In the next episode, we’ll address compliance guidelines.
If you are unsure how to set up and run your compliance project successfully, please feel free to contact me.
 See also the detailed overview “Risk Catalogue” from DICO e. V.
 See Episode 2 of the 12-Month Compliance Challenge.