Compliance and risk management are best introduced with an example. The German data protection regulator imposed a penalty of 35 million euros on the retailer H&M for collecting and storing information about the private lives, health, and religious beliefs of several hundred employees. The investigation lasted a year, and the investigators concluded that the practice had existed in the company since 2014 and that the data had been used in making personnel decisions. In addition to the fine, the company was forced to pay significant compensation to the employees whose data had been collected and stored on an internal server.
This case shows what a breach can cost a business, both of external compliance (here, personal data protection law) and of internal compliance, that is, the principles the company committed itself to follow in its own activities. In this case, legal compliance turned out to be closely connected with moral and ethical principles.
In the classic understanding, compliance means that a company organizes its activities in accordance with the legal and regulatory requirements that apply to it. If these requirements are violated, the national regulator may fine the company or revoke its license. In recent years, however, this understanding has been complemented by adherence to the moral and ethical principles enshrined in the company's code of conduct. The regulator does not impose a fine for violating these principles, but the reputational losses can be so significant that they inevitably lead to financial losses.
Each such violation is a potential risk that can have negative consequences for the company's activity. These risks depend on the specific company, so the potential consequences will differ from one company to another.
Compliance and Risk Management: Risk Assessment
In essence, a risk consists of two parts:
- Consequences: the extent of the losses if the negative event occurs.
- Probability: how likely it is that the negative event occurs.
For example, an attack on a company's warehouse by a zombie army would have significant consequences, but the probability of such an event in the short term is so low that the risk is irrelevant. The disruption of the supply chain for raw materials also has significant consequences, but its probability is medium, which makes this risk far more relevant.
Non-compliance risks may arise in a significant number of areas of law, but most often, high risks occur in such areas as:
- Anti-corruption legislation
- Anti-monopoly legislation and competition protection
- Labor legislation
- Anti-money-laundering legislation
- Tax legislation
- Protection of personal data
- Export control
- Environmental legislation
That is why a company's risk assessment should start with these areas. First and foremost, the assessment is a tool for making the introduction of compliance more effective. Without knowing the most relevant risks and their possible negative consequences, it is difficult to say whether the resources devoted to risk management are being used properly. Without a risk analysis, a company sets the wrong priorities, implements ineffective measures, and may completely overlook potentially high risks.
Ideally, this analysis is performed at the very beginning, when compliance is being introduced in the company, but in practice this is often not what happens. Even when the analysis comes later, a risk-oriented approach still pays off, especially once a negative event has occurred: at the very least, the company can demonstrate that it made sufficient efforts to avoid the risk.
Compliance Risk: Risk Management
Risk management means that a company directs its resources toward preventing a risk from materializing. Where a risk cannot be avoided entirely, it should be minimized or kept under administrative control, for example through training, additional equipment, or services.
To begin with, the possible risks must be identified and each assigned a level on a five-level scale:
- Critical (C) – Immediate actions with detailed planning and regular monitoring of the situation at the highest level are required.
- High (H) – High risk, regular supervision, and control are needed.
- Medium (M) – Medium risk, partial supervision, and control are needed.
- Low (L) – It is recommended to supervise and control in normal mode.
- Very low (VL) – To supervise under a normal procedure.
To classify risks correctly, both the consequences and the probability of occurrence must be assessed; a risk matrix that combines the two is commonly used for this.
As a rule, a company starts its risk assessment with a legal analysis of the applicable legislation and its internal documentation. It is equally important to involve company management through interviews with the heads of departments and divisions, since they know where the operational exposure lies. The identified risks are then systematically recorded and assessed in terms of the probability of their occurrence and the expected level of damage. Resource planning and the application of risk management measures are based on this assessment.
Compliance risk management is the process of identifying, assessing, and monitoring the risks to your organization's compliance with regulations and industry standards. It covers all the internal controls put in place to ensure that the company meets those obligations, together with ongoing monitoring of those controls to confirm that they remain effective.
A compliance risk management program documents the potential losses and liabilities the organization may face as a result of noncompliance, such as legal penalties, fines, lost business, and reputational damage, and then implements the remediation steps needed to keep those risks at an acceptable level.