Speak the language of business by putting numbers around the risk of non-compliance.
By Hernan Huwyler, governance, risk and compliance specialist for multinational companies. Professor of Compliance at IE Law School
The management of an ethics and compliance program requires the measurement of integrity, legal and compliance risks to allocate resources to the most critical business processes. The decision to implement and monitor controls mitigating key risks is the centerpiece of any compliance plan. Compliance officers adopting straightforward tools and data to quantify risks will choose the most efficientresponse measures, from prevention to contingency plans. This article offers the compliance officer practical ideas to measure risks to prioritize actions.
Too often, the assessment of compliance risks is based on qualitative and subjective criteria. The use of adjectives, ranging from minor to catastrophic impacts or from very low to very high frequencies, adds biases in the risk analysis. As a result, the ethics and compliance program may not allocate the available resources to mitigate the key risks. It is an expensive and ineffective way to manage compliance risk.
The ability to quantify risks allows compliance officers to produce clear answers related to the effectiveness of the program. Consequently, they will be able to demonstrate how much value the compliance function is adding to the organization. Compliance officers speaking about risks in financial terms will get increased attention from the C-suite level, as well as, focusing on a number of key compliance areas to protect and support the achievement of objectives and strategies.
The compliance function whose actions prevents regulatory and contractual breaches adds value by avoiding negative risks. It requires identifying the most critical external and internal requirements, especially for global organizations operating in a myriad of national authorities and regulators where different non-compliance scenarios are needed to be assessed in terms of impact and probability.
The challenge to produce and make use high quality compliance data
The mathematics supporting risk management developed analytical techniques to quantify losses and probabilities of outcomes. These techniques allow the compliance officer to gain valuable insights. Simple methods of quantifying the size of the compliance risks involve the assessment of different scenarios. Examples of simple quantifying techniques are, a) the three-point weighted estimation which considers 3 scenarios with the formula of (best case + most likely case * 4 + worst case) / 6, and b) the expected monetary value which considers the weighted values of outcomes and their probabilities of a series of scenarios.
The assessment of compliance risks based on financial data produces plausible scenarios which allows the compliance officer to evaluate possible sources of information across the different categories of integrity and compliance risks. The financial data related to compliance risks can be collected from statistical data from litigation, lawsuits, fines and claims, civil damages, fraud losses, investigation and legal expenses, cost of customer complaints, booked contingent liabilities, and penalties for contract breaches. This data is not only limited to internal sources, but can also be obtained from fines and disclosed losses involving competitors or other organizations in the same sector. Measuring the financial losses from this statistical data allows for better trend identification which provides insight on emerging issues. The reputational damage of compliance breaches can be measured by the loss of contracts and clients, additional advertising costs, increase of capital and insurance costs, and the underperformance of the stock value against peers.
A compliance risk measured in financial terms can be used to balance the cost of compliance controls. The quantified risk can be compared against remediation costs, such as the hiring of additional staff, training costs, consultancy and process audit fees, hardware and software costs and the opportunity cost. Also, a quantified risk assessment provides a valuable insight when is incorporated into relevant decision-making processes such as approval thresholds for new markets or products.
Compliance officers can look for models and support from risk managers to build tools leading to new ways of quantifying integrity and compliance risks.
Another use for quantified compliance risks would be to compare these risks against the organization´s or the stakeholders´ tolerance level. This tolerance level depends on their readiness to bear the compliance risks after controls are implemented to meet the objectives of the ethics and compliance program. Statements emphasizing a zero tolerance to fraud and corruption, as well as, to other elements of the code of conduct do not imply that zero is the maximum amount of compliance risks the organization can accept. The ethics and compliance targets can be operationalized with a quantitative approach. It is done by establishing a tolerable level of annual losses in fines, penalties and other compensations and impacts.
A solid assessment of compliance risks helps to defend budgetary needs and to highlight the business benefits of the controls deployed and monitored by the ethics and compliance program. In this direction, compliance officers can look for models and support from risk managers to build tools leading to new ways of quantifying integrity and compliance risks.
Hernan Huwyler, MBA CPA, is a governance, risk and compliance specialist for multinational companies. He works in developing internal controls to address business risks and legal requirements in European and American corporations and is currently working for ISS World in Copenhagen to develop its center of risk management excellence. He previously served as Risk Management and Internal Control Director for Veolia, leading governance practices in Iberia and Latin America. Hernan frequently lectures on compliance, risk management, data privacy, GDPR and auditing at top universities and business schools. Follow Hernan @hewyler
Note: The views expressed by the author of this paper are completely personal and do not represent the position of any affiliated institution. This article was published in Legal Business World.