Compliance Risk Assessments - An Introduction Chapter 1. The Compliance Environment

The document introduces compliance risk assessments, emphasizing the importance of understanding the compliance environment and the process involved in conducting a risk assessment. It outlines the differences between risk assessment and risk management, detailing how organizations can identify, analyze, and address compliance risks. Additionally, it discusses the significance of defining the compliance risk universe and determining the likelihood of occurrence for various risks to prioritize mitigation efforts effectively.


Compliance Risk Assessments - An Introduction

Chapter 1. The Compliance Environment

Chapter Goal:

Understand the basics of a compliance risk assessment process.

If you are reading this book, two possibilities exist. First, you are having difficulty falling asleep and thought that
a book on compliance risk assessments certainly could make your weary eyes close. Second, this week you were
approached by your CEO who informed you that you are now responsible for completing a compliance risk
assessment for the organization and will be presenting on this process to the board of directors in two months.

Presuming the latter scenario is your reason for reading this book, you may be in panic mode right now. You could
be unfamiliar with what a compliance risk assessment is, and/or you don’t have a clue how to start a process to
develop one. Or you may understand the nature of risk, but don’t have a background in conducting compliance
risk assessments and managing the process.

Before you decide to quit your job rather than complete this project, be assured that this process is not that
difficult and can be achieved in a reasonable time frame.

Think of a compliance risk assessment process as being just like the process of baking a cake. Typically, cakes
contain eggs, sugar, flour, flavoring, and butter. A typical compliance risk assessment process will be used as one
of the elements (or ingredients) of an effective compliance program.


Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US
Government works. All rights reserved. Usage is governed under this website’s Terms of Use .

Chapter 2. A Risk Assessment and Risk Management Primer

Chapter Goals:

Define risk assessment.

Define risk management.

Understand the differences between the two concepts.

Before you begin your risk initiative, let’s define some terms. Some people want to use “risk assessment” and
“risk management” interchangeably; but they are in fact different. In short, you assess your risks so you can
more effectively address those risks. A risk assessment includes the processes of identifying, analyzing, and
evaluating the severity of risks. Performing these steps helps determine the best way to address those risks: to
monitor, minimize, or mitigate their impact. Assessing and addressing risks together form the foundations of
risk management.

To further connect these two terms, it is helpful to understand that risk management comprises a general set of
processes that can be used for a variety of purposes. For example, large corporations may have a whole
department dedicated to risk management, which might focus on anything from operational to liability to
financial risks and more. Alternately, some organizations may only do more highly focused forms of risk
management—for health and safety, natural disasters, IT infrastructure, or legal and regulatory compliance, to
name a few. At the far end of the continuum is enterprise risk management (ERM), which involves a framework
that aims to assess and address all forms of risk.

But this book is about compliance risk management, which means we want to identify, analyze, and evaluate the
risks of an organization being noncompliant with applicable laws and regulations, and we want to use the results
to minimize or mitigate the risks. Certainly, this sort of risk management can overlap with and be integrated into
other forms of risk management. For instance, if your organization is just beginning to assess and address
compliance risks, then integration with an ERM framework might be a long-term goal. But for the most part, we
will stay focused on compliance.

Before we can explain how to go about assessing compliance risks, we need to understand the basic premises of
risk and understand how an organization’s tolerance of risk impacts the process. This base knowledge will help
drive the question of what will be the universe of risk to be assessed.

A Primer on Risk
Risk is everywhere. Hiring a CEO without fully vetting his or her background, hackers breaking into your
supposedly secure data system, your employees walking out because of perceived non-responsiveness to claims
of sexual harassment by your CFO—all of these are examples of challenges and risks that your business might
encounter every day. How you deal with any one risk depends on a few factors: the likelihood of the risk
occurring, the severity of impact to your organization if the risk occurs, and the level of risk tolerance your
organization has for accepting the risk.

There are four basic ways to deal with risk—avoid, mitigate, transfer, and assume.

Avoid risk. Cancel all overseas business trips, never hire anyone without an FBI criminal background check and an
interview with the applicant’s high school or college yearbook editor, wrap your employees in bubble wrap so
they won’t be hurt and have a workers’ compensation claim, and implement such tight controls on intellectual
property rights that no one at your organization could ever argue for rights to anything an employee ever
developed. Clearly these methods will work, right? Yes, they will, but if the organization wants to expand its
footprint into another country, if you really do want to hire the hotshot marketing manager who 25 years ago
may have said a “naughty” word, and if using intellectual property could expand your offerings, well, then risk
avoidance doesn’t sound like the right approach. Avoidance of risk means exactly that—you totally avoid the risk
by not permitting or doing the risky activity.

Mitigate risk. Unlike the avoidance approach, mitigation of risk would require that the owner of the risk
(corporation, partnership, etc.) put controls in place so that the potential negative effect of the risky activity is
reduced. If you really want to hire the hotshot marketing manager who may have said an inappropriate word
years ago, perhaps you can have a conversation with HR, the applicant, and the supervisor to discuss how to get
ahead of this story and possibly turn the situation into a positive PR moment. If you want your employees to use
intellectual property that your entity developed to expand your product line, you could have the employees sign
nondisclosure and noncompete agreements and develop methodologies to monitor their use of this valuable
company asset. To mitigate means to reduce the effect of the risk; it does not mean you put your head in the sand
or avoid the risk at all costs.

Transfer risk. Transferring the risk is all about figuring out how the business would not be the only one, or the last
one, left holding the bag if/when a lawsuit is filed. Perhaps you would consider buying insurance to protect
against the risk. Or, if you want to protect against a data security breach, perhaps you can have your third-party
provider sign a contract to be the one responsible for notifying the affected individuals of the breach and for
paying for any fraud-monitoring services. Decide if you want your employees to purchase the add-on car
insurance when renting a vehicle for business travel. Require evidence of sexual molestation insurance when a
soccer team uses the flat grassy field located on your company’s property.

The bottom line—ensure that other entities surrounding your business have as much, more, or even all the
monetary and legal liability if a compliance violation occurs.

Assume the risk. Your business has tried to avoid the risk, mitigate the risk, and transfer the risk. Whatever risk
remains from these efforts is what the entity must assume. Your entity is legally responsible for any
fine/punishment resulting from a noncompliance issue where the “just say no” edict did not work (avoid the
risk); where the risk could not be reduced by policy, practice, or working protocol (mitigate the risk); and where
the risk could not be shifted to another entity agreeing to assume it (transfer the risk). Presumably, when your
business assumes the noncompliance risk, it is with full knowledge of the risk and its consequences.

Now that you are aware of the types of risk, take a moment to ponder this: Which risk philosophy best represents
your organization? Do you prefer to avoid risk at all costs, do you proceed with caution while being aware of risk,
do you purchase insurance to protect against the most costly risks, or are you unprepared for risk—which is
clearly why you need this compliance risk assessment process implemented quickly? These exemplify different
levels of risk tolerance.

Having addressed the basic nature of risk and considered the level of risk tolerance your entity can assume, let’s
put risk assessment into more context by reviewing some different forms of risk management. To simplify, look
at both ends of the continuum: the all-encompassing enterprise risk management and the more highly focused
compliance risk management and fraud risk management.

Chapter 3. Step One: Defining Your Compliance Risk Universe

Chapter Goals:

Identify what counts as risk for your organization.

Identify resources to establish the scope of the compliance risk universe.

Step one—the basics. When you decide to do some baking today, is your goal to bake a wedding cake or a vanilla
sheet cake, or is the extent of your skills limiting you to a store-bought, ready-mix brownie delight? It is the
same kind of question that you would ask regarding a compliance initiative.

What will be the scope of your compliance initiative? Will it be limited to only federal laws and regulations? Will it
cover compliance with your organization’s policies and procedures? Will you incorporate regional and local laws?

Those are all good questions with no right or wrong answer. The answer depends on the scope of your initiative
and what is reasonable to accomplish. It is only after you decide what you want to accomplish that you can seek
out and identify your compliance risk universe.

The USSG states that an organization should promote a culture that encourages ethical conduct and a
commitment to compliance with the law.[1] So, a broader compliance risk assessment could include risks for
unethical behavior as well. The Anti-Bribery Convention, an international standard created by the Organisation
for Economic Cooperation and Development (OECD) and ratified by 44 countries,[2] provides similar guidance in
its “Good Practice Guidance on Internal Controls, Ethics, and Compliance.”[3] Within these broad mandates,
your compliance effort can be customized to fit the needs of your entity.

Whatever your decision, start with a reasonable and achievable goal. Going from no assessment to a full-blown
identification and analysis of every federal, regional, and local law that touches your entity may be unrealistic.
Adopting so broad a scope may be even more unrealistic if your business has a decentralized mindset, an
entrepreneurial spirit, or maybe even a laissez-faire philosophy regarding compliance. A more gradual and
expandable version of a compliance risk assessment might be a better option at the onset.

Start your compliance effort with clear and attainable goals that can be achieved within a reasonable time period
identified in your plan. If your compliance effort is not well thought-out and does not have clear follow-through
with visible, actionable results communicated to the CEO, board, employees, shareholders, and other key
stakeholders, the effort will fail. Restarting the effort after an initial failure will be difficult.

Chapter 4. Step Two: Determining Likelihood of Occurrence

Chapter Goals:

Develop compliance risk factors that are specific to your business, industry, and country.

Understand how to prioritize the compliance risk factors, which includes assessing the likelihood of the risk’s
occurrence.

Two compliance risk factors are typically used to determine the risk level of a compliance issue—likelihood of
occurrence and impact of occurrence. It is with these two factors that you will be able to turn your risk universe list
into a risk universe matrix—a graphical representation of risks that can help prioritize your risk mitigation
efforts.

General Overview
In general, likelihood of occurrence is the probability that noncompliance with a law or regulation will occur daily,
monthly, yearly, once every five years, ten years, etc. Impact of occurrence is the degree to which a noncompliant
incident will have a negative effect on the business in terms of financial resources being depleted, your CEO
going to jail, damage to the corporate reputation in the eyes of the public, or even a more practical issue—a data
breach resulting in disclosure of personally identifiable information (PII).

It is both the likelihood and the impact of occurrence that will help your compliance team determine how the
business will prioritize the compliance risks. If the likelihood of an occurrence of noncompliance is every five
years and the impact on the firm is minimal (say, a fine of $1,000), this risk would be relatively low in terms of
concern to the business. Of course, this does not mean that you should ignore this risk. Rather, this scenario of an
unlikely incident coupled with a low impact caused by the incident means that this noncompliance issue is
probably one you will deal with later.

In contrast, noncompliance with the law regarding payment of overtime to your employees every week for a
period of years, which in the United States is a violation of the Fair Labor Standards Act, could have a devastating
impact. Your business would face substantial punitive fines as well as a requirement to pay lost wages and
attorney fees. It also could make a lot of employees angry, cause a tremendous amount of bad publicity, and a
possible Department of Labor or Internal Revenue Service audit. Since this scenario could become a daily (or at
least weekly) occurrence and have significant short-term and long-term impact, it should be prioritized to fix.

Likelihood of Occurrence
What is the probability that your business will violate a specific law or regulation? Of course, you hope the
answer is “never.”

More likely the answer to this question is “unfortunately, probably a lot more than I imagined.” And while it is
desirable that the noncompliance is an unintentional act with no malice intended, measuring the likelihood of
noncompliance also incorporates the possibility of an intentional act.

Likelihood of occurrence uses two factors—controls and frequency—to determine the potential for encountering
it.

Figure 1 shows a sample method to evaluate the likelihood-of-occurrence factors for any form of business. This
sample is generic; each business must develop a customized version based on its unique set of risks and
compliance concerns in its universe.

Figure 1: Likelihood of Occurrence Factors

Likelihood of Occurrence Factors

Each rank/scale value is paired with a measure of likelihood; the existing controls and the frequency of
noncompliance that characterize each level follow.

1 Rare
Existing controls: Policies mandated and updated regularly. Regular mandatory training is provided to the
identified responsible person(s)* and is documented. Regular management monitoring reviews are performed and
documented.
Frequency of noncompliance: May only occur in exceptional circumstances; less than once in 10 years.

2 Unlikely
Existing controls: Policies mandated and updated regularly. Regular training is provided to the identified
responsible person(s),* but not documented. Regular management monitoring reviews are performed, but not
documented.
Frequency of noncompliance: Could occur at some time; at least once in 10 years.

3 Possible
Existing controls: Policies mandated, but not updated regularly. Responsible person(s) identified.* Training is
provided when needed. Some management monitoring reviews are performed, but not documented.
Frequency of noncompliance: Might occur at some time; at least once in 5 years.

4 Likely
Existing controls: Policies and procedures in place but neither mandated nor updated regularly. Responsible
person(s) identified.* Some formal and informal (on-the-job) training. No management monitoring reviews.
Frequency of noncompliance: Will probably occur; at least once per year.

5 Almost Certain
Existing controls: No controls in place. No policies or procedures, no responsible person(s) identified, no
training, and no management monitoring reviews.*
Frequency of noncompliance: Expected to occur in most circumstances; more than once per year.

*Identified responsible person(s). This term refers to any individual(s) in your organization who is responsible for ensuring that he/she knows
that there is a law and is empowered by your organization to bring the entity into compliance with the law and to monitor continued
compliance with the law. Sometimes this person is called a Compliance Partner or other similar terminology to reflect the importance of the
employee within this compliance structure.

Existing Controls

Existing controls shape behavior. Controls could be policies, procedures, training, or any method of controlling
behavior that is effective at your business. Perhaps your firm has a particularly strong culture of compliance so
that noncompliant behavior is simply not expected and is clearly not condoned. Perhaps you have a systematic
(and documented) training program that highlights key areas of noncompliance and how to report any concerns
about noncompliance. Whatever your controls, they are existing controls—controls in place at your business
designed to ensure that it is complying with a law or regulation.

The fewer controls in place, the more likely that an issue of noncompliance will occur. The fewer controls that are
known to employees, the more likely an issue of noncompliance will occur. Employees need to know what they
are responsible for doing (and not doing) and need to be aware of the consequences for noncompliant actions.
Taking a very dim view of society, it is possible that when the business does not have controls in place and has
not informed employees of these controls, employees may likely make wrong choices. That is not a culture to be
proud of; it is a reality where taking the wrong action might take less time and energy than taking the right
action. And this could be the case if the employer does not have the right controls in place to stop this action.

Your compliance team should use the factor of existing controls to help determine the level of compliance risk.[1]

Rank/Scale

The first column in Figure 1 is titled “Rank/Scale” and ranges from 1 to 5. Number 1 represents a simple numeric
indication of the lowest likelihood of the risk occurring while 5 represents the highest likelihood of the risk
occurring.

In the adjacent column, a descriptive term for each numeric rank is provided. These range from “Rare” to
“Almost Certain.” “Rare” represents the lowest likelihood of the risk occurring, while “Almost Certain”
represents the highest likelihood of the risk occurring.

The numbers and the terms represent the exact same thing, but it is sometimes helpful for readers of factor
matrixes to see words as well as a numbering system to describe a category.

Existing Controls

Using the five-step rating system, if you or the compliance committee were to evaluate a law and determine that
the likelihood of noncompliance with this law was a “1” or “Rare,” that could mean that your business has
existing controls and policies in place that are effective. Regularly scheduled and mandatory training is provided
to the person/people responsible for ensuring compliance with the law within your organization. Their training
is documented and regular monitoring by management is performed and documented.

Similarly, if your compliance team evaluates a law and indicates that the likelihood of a noncompliance is a “5,”
or “Almost Certain,” your business clearly has either ineffective versions or none of the following in place:
controls, policies or procedures, a person responsible for monitoring compliance, awareness training, or
monitoring by management.

Rankings 2 through 4 are the intermediate points on this likelihood-of-occurrence scale.

Frequency of Noncompliance

Frequency is the rate at which a compliance risk occurs. Is it likely that this compliance risk will occur once every
10 years, once a month, or once a day? It is this determination of how often a risk might occur that determines
“Frequency of Noncompliance.”

Using the same five-step ranking and analysis discussed above with “existing controls,” if the compliance team
evaluates a law and determines that noncompliance with that law is probably only going to occur in exceptional
circumstances, perhaps less than once every 10 years, then the numerical value chosen for this factor would be
“1.” For example, if a law requires reporting to an agency once every 10 years, then this law would receive a “1”
rating in frequency. In contrast, if the compliance team evaluates a law and determines that instances of
noncompliance are probable in most circumstances and typically could occur more than once per year, then the
numerical value chosen for this factor would be “5.”

Note that this frequency column presumes quite a range of time. Customization of these factors is critical. It may
be that in your industry the frequency factor should be changed to daily, weekly, monthly, yearly, and less than
once a year. Adopting the definitions and frequency ranges should not occur without significant input from your
colleagues responsible for implementing this overall compliance risk assessment.

Chapter 5. Step Three: Determining Impact of Occurrence

Chapter Goals:

Develop compliance risk factors that are specific to your business, industry, and country.

Understand how to prioritize those compliance risk factors, which includes assessing the impact of occurrence of
the risk.

Two main risk factors must be quantified to determine the risk level of a compliance issue—likelihood of
occurrence and impact of occurrence.

The previous chapter explained how to determine the likelihood of occurrence. This is the probability that
noncompliance with a specific law or regulation will occur daily, monthly, yearly, once every five years, once
every ten years, etc. Next, let’s consider how different risk factors can create a range of impacts.

Impact of occurrence is the probability that a noncompliant incident will have a measurably negative effect on the
business, such as financial resources being depleted; damage to the business’s reputation; destruction of vital
documents due to a data security breach; or even the potential incarceration of the CEO, CFO, or other key
management personnel.

Just as likelihood of occurrence factors are used to determine the level of risk your business faces, impact of
occurrence factors must also be considered. Each risk factor is unique and independent of other factors. Thus,
each factor needs to be evaluated separately and an appropriate numerical value established.

Figure 2 shows how to quantify the impact of occurrence factors on a business. Obviously, customization of this
tool for your business and industry is required.

Note: This example considers factors ranging from compliance to financial outcomes to reputation. If your
organization is conducting a narrowly defined compliance risk assessment, it is possible that you may only want
to consider the compliance outcomes detailed in the “Level of Noncompliance” column. And, from a strictly
construed compliance risk assessment model, that factor truly represents one way to establish the impact of
noncompliance on the business.

It is also possible that your entity’s compliance risk assessment may require use of more factors—perhaps all
the factors identified in this sample. After all, while the impact of noncompliance with a law, regulation, or
established rule can involve going to jail or getting a fine, noncompliance can also affect a business’s reputation,
financial assets, health and safety, strategic direction, and operations.

The importance of customization in impact of occurrence factors cannot be stressed enough. Quite frankly, it
would be easiest to simply use “Level of Noncompliance” to establish impact and ignore the impact emanating
from that outcome. However, from a practical perspective, it is likely that upper management will want to see not
only the legal risk but also the associated impact factors quantified. A decision on what factors to consider must
occur prior to designing and utilizing the assessment tool.

Figure 2: Impact of Occurrence Factors

Impact of Occurrence Factors

Each rank/scale value is paired with a measure of impact. The remaining columns of the figure are: Level of
Noncompliance; Health and Safety Outcomes; Financial Outcomes (Monetary and Non-monetary); Ability to Pursue
Strategic Goals; Potential Disruption of Business Operations; and Change in Reputation.

1 Insignificant
Level of noncompliance: In compliance
Health and safety outcomes: No injuries
Financial outcomes (monetary): TBD dollar amount or percentage of budget
Financial outcomes (non-monetary): Little or no impact
Ability to pursue strategic goals: Little or no impact
Potential disruption of business operations: < ½ day
Change in reputation: Unsubstantiated, low impact, low profile, or no news items

2 Minor
Level of noncompliance: Civil violation with little/no fines
Health and safety outcomes: First aid treatment
Financial outcomes (monetary): TBD dollar amount or percentage of budget
Financial outcomes (non-monetary): Minor loss or damage
Ability to pursue strategic goals: Minor impact
Potential disruption of business operations: < 1 day
Change in reputation: Substantiated, low impact, low news profile

3 Serious
Level of noncompliance: Significant civil fines/penalties
Health and safety outcomes: Medical treatment
Financial outcomes (monetary): TBD dollar amount or percentage of budget
Financial outcomes (non-monetary): Major damage
Ability to pursue strategic goals: Major impact
Potential disruption of business operations: 1 day–1 week
Change in reputation: Substantiated, public embarrassment, moderate impact, moderate news profile

4 Disastrous
Level of noncompliance: Serious violation, criminal prosecution probable
Health and safety outcomes: Death or extensive injuries
Financial outcomes (monetary): TBD dollar amount or percentage of budget
Financial outcomes (non-monetary): Significant loss
Ability to pursue strategic goals: Significant impact
Potential disruption of business operations: 1 week–1 month
Change in reputation: Substantiated, public embarrassment, high impact, high news profile, third-party actions

5 Catastrophic
Level of noncompliance: Significant violation, criminal conviction probable, loss of accreditation or licensure
Health and safety outcomes: Multiple deaths or several permanent disabilities
Financial outcomes (monetary): TBD dollar amount or percentage of budget
Financial outcomes (non-monetary): Complete loss of assets
Ability to pursue strategic goals: Loss of accreditation or license
Potential disruption of business operations: > 1 month
Change in reputation: Substantiated, public embarrassment, very high multiple impacts, high widespread news
profile, third-party actions
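The two figures only become useful once every law in the risk universe has been scored on both scales and the scores are combined into the matrix the chapter describes. The following Python script is an added example, not code from the book or from SCCE/HCCA: it encodes the rank terms of Figures 1 and 2, validates that every factor is scored on the five-step scale, and places a small constructed risk universe into the likelihood-by-impact grid. Two combining rules are this example's own assumptions, because the book does not prescribe them: likelihood is taken as the higher of the controls and frequency ranks (the weaker factor wins), and impact is taken as the worst-rated Figure 2 column. The risk names, their ranks, and the identifier names for the impact columns are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Descriptive terms for each numeric rank, taken from Figures 1 and 2.
LIKELIHOOD_TERMS = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
IMPACT_TERMS = {1: "Insignificant", 2: "Minor", 3: "Serious", 4: "Disastrous", 5: "Catastrophic"}

# The impact columns of Figure 2; these identifier names are this example's own.
IMPACT_FACTORS = (
    "level_of_noncompliance", "health_and_safety", "monetary", "non_monetary",
    "strategic_goals", "business_disruption", "reputation",
)


def check_rank(name: str, value: int) -> int:
    """Every factor is scored on the five-step scale; anything else is a data-entry error."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer rank from 1 to 5, got {value!r}")
    return value


@dataclass
class ComplianceRisk:
    name: str
    existing_controls: int   # Figure 1, "Existing Controls" column
    frequency: int           # Figure 1, "Frequency of Noncompliance" column
    impact_factors: Dict[str, int] = field(default_factory=dict)  # Figure 2 columns

    def __post_init__(self) -> None:
        check_rank("existing_controls", self.existing_controls)
        check_rank("frequency", self.frequency)
        if not self.impact_factors:
            raise ValueError(f"{self.name}: at least one impact factor is required")
        for factor, rank in self.impact_factors.items():
            if factor not in IMPACT_FACTORS:
                raise ValueError(f"{self.name}: unknown impact factor {factor!r}")
            check_rank(factor, rank)

    def likelihood(self) -> int:
        # Assumption (not stated in the book): the weaker of the two Figure 1 factors
        # drives likelihood, so take the higher rank of controls and frequency.
        return max(self.existing_controls, self.frequency)

    def impact(self) -> int:
        # Assumption (not stated in the book): the worst-rated Figure 2 factor sets impact.
        return max(self.impact_factors.values())

    def score(self) -> int:
        # Likelihood x impact gives the cell's weight in the 5x5 risk universe matrix.
        return self.likelihood() * self.impact()


def prioritize(risks: List[ComplianceRisk]) -> List[Tuple[str, int, str, str]]:
    """Return (name, score, likelihood term, impact term), highest score first."""
    ordered = sorted(risks, key=lambda r: (-r.score(), -r.impact(), r.name))
    return [(r.name, r.score(), LIKELIHOOD_TERMS[r.likelihood()], IMPACT_TERMS[r.impact()])
            for r in ordered]


def risk_matrix(risks: List[ComplianceRisk]) -> Dict[Tuple[int, int], List[str]]:
    """Map every (likelihood, impact) cell of the matrix to the risks that land in it."""
    cells: Dict[Tuple[int, int], List[str]] = {
        (lk, im): [] for lk in range(1, 6) for im in range(1, 6)
    }
    for r in risks:
        cells[(r.likelihood(), r.impact())].append(r.name)
    return cells


def render_matrix(risks: List[ComplianceRisk]) -> str:
    """Text grid: rows are likelihood 5..1, columns impact 1..5, cells hold risk counts."""
    cells = risk_matrix(risks)
    header = "likelihood \\ impact"
    lines = [f"{header:<20}" + "  ".join(f"{im:>2}" for im in range(1, 6))]
    for lk in range(5, 0, -1):
        counts = "  ".join(f"{len(cells[(lk, im)]):>2}" for im in range(1, 6))
        lines.append(f"{lk} {LIKELIHOOD_TERMS[lk]:<18}{counts}")
    return "\n".join(lines)


# Constructed sample risk universe scored on the two figures' scales; the ranks are
# illustrative and are not the book's own assessments.
SAMPLE_RISK_UNIVERSE = [
    ComplianceRisk("Overtime pay (FLSA)", existing_controls=4, frequency=5,
                   impact_factors={"level_of_noncompliance": 3, "monetary": 3, "reputation": 3}),
    ComplianceRisk("Decennial agency report", existing_controls=2, frequency=1,
                   impact_factors={"level_of_noncompliance": 2, "monetary": 1}),
    ComplianceRisk("PII breach notification", existing_controls=3, frequency=3,
                   impact_factors={"level_of_noncompliance": 3, "monetary": 3, "reputation": 4}),
]

if __name__ == "__main__":
    for name, score, lk_term, im_term in prioritize(SAMPLE_RISK_UNIVERSE):
        print(f"{score:>2}  {name:<26} {lk_term} / {im_term}")
    print(render_matrix(SAMPLE_RISK_UNIVERSE))
```

Run as a script it lists the three constructed risks with the weekly overtime-pay exposure first (rank 5 likelihood, rank 3 impact) and the once-a-decade agency report last, then prints the grid. The point of keeping the combining rules in two small methods is that they are exactly the part the chapter tells you to customize: a business that prefers averaging the controls and frequency ranks, or weighting the "Level of Noncompliance" column above the others, changes those two lines and leaves the validation and matrix logic alone.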

Chapter 6. Step Four: Conducting the Compliance Risk Assessment Survey

Chapter Goals:

Develop a compliance risk assessment survey that is unique to your business.

Decide who will conduct the survey.

Remember the cake baking exercise? Well, at this point, you have identified what cake you want to bake (Step 1:
Defining Your Compliance Risk Universe) and you have identified what ingredients are going to be part of the
batter (Step 2: Determining Likelihood of Occurrence and Step 3: Determining Impact of Occurrence), so, you
must be ready to actually bake the cake, right? Sorry—you are close, but are not ready yet to even turn on the
oven. In order to develop your risk universe matrix, you need to assess your company’s status with each of the
laws and regulations in your risk universe. That process will require you to gather information from those most
involved in complying with the laws and regulations.

Who Does the Work?

The next decision point you’ll need to make—who is going to bake the cake? In other words, who at your
business is actually conducting the compliance risk assessment survey? What follows are some action items to
consider when thinking about your assessment method and how the method will actually work at your business.

Ideally, your first action will be to head to your in-house legal department or external legal counsel. Before any
assessment work begins, you will want to clarify whether your compliance risk assessment needs the protection
of attorney-client privilege or attorney-work product. Basically, having such protection may be necessary if the
attorneys have reason to worry the business could be facing a criminal investigation or private litigation. The last
thing you want is for your assessment of compliance risks to be requested during a government enforcement
action or in the discovery phase of a civil lawsuit. Depending on what your assessment uncovers, the report could
be used as evidence that your company had prior knowledge of improper conduct. If this is your situation, some
careful planning will be needed to preserve the confidentiality of the assessment report. However, those details
are beyond the scope of this book.

Let’s assume you’ve been cleared to move forward with the compliance risk assessment. If your business has a
one-person compliance office with responsibility for this entire compliance initiative, then it is possible that the
assessment format may look different than the assessment format for a larger business that has a structured
compliance committee and/or a large compliance department. In either scenario, the assessment will involve
gathering information from the organization’s compliance partners and compiling it to prepare for creating the
compliance universe matrix. Note—compliance partners are individuals who have the most day-to-day
knowledge of one or more compliance risks and who are empowered by your organization to take responsibility
for ensuring compliance.

For example, a large compliance staff may use a method that would include making personal visits throughout
the organization, chatting with the persons who are responsible for implementing certain laws, and then
recording the data. This method has pros and cons. It would enable the compliance staff to establish positive
long-term relationships with key employees who serve as compliance partners. But this process could be very
time-consuming, depending on the number of laws you have identified in your compliance risk universe and the
number of employees who serve as compliance partners. Also, this method has the potential for creating
response bias. Suppose the interviewer is a close friend of a particular employee and discovers that the employee
has not created a needed policy, has not done the required training, and has no idea what the law requires for
compliance. The interviewer might then record responses that are less clear and direct than they should be.

An alternate method involves providing printed surveys to the compliance partners who have the most
knowledge about relevant laws and what is being done to ensure the organization is in compliance with them.
This method would be less time-intensive for a single compliance officer. But recognize that this method cannot
be done without requiring all the compliance partners to receive significant training on use of the survey
instrument. Also, this method could be time-consuming if the compliance partners need a lot of nudging to
complete the survey.

Reliability of the responses is another concern when conducting a risk assessment survey. Will the
compliance partners be truthful in their responses, or will they worry about consequences if they divulge
negative information? Those concerns must be dealt with up front in the training. The compliance partners must
be told that honesty is important and that there will not be ramifications for negative information such as not
having the policy, training, documentation, etc. in place. They need to be told that this is their opportunity to tell
the business and upper management what needs to be done and what resources they need in order to accomplish
the goal of compliance. The more buy-in you receive from the compliance partners, the more detailed and
truthful will be their responses, and the better your compliance initiative will be. Of course, you will have to audit
the responses to ensure that the responses correlate with what you know about the business and its processes.

The choice of having one person conduct in-person compliance risk assessment surveys or having each
compliance partner complete a printed assessment survey should be based on your organization’s culture and
simple logistics of which method will be more effective at your business. Both methods will work; both methods
are effective ways to collect the data. And, obviously, there may be other methods for this data collection to occur.
Customization for your business cannot be stressed enough.


Chapter 7. Step Five: Compiling Results and Constructing a Compliance Universe Matrix

Chapter Goals:

Understand how to transform survey results into numerical scores.

Understand how to generate a risk universe matrix—a visual heatmap of risk levels.

Understand how to prioritize risks.

Congratulations! You have persevered and proven that the naysayers who said this compliance initiative would
never gain the support and buy-in necessary to make it work were wrong. You have tuned out the employees who
did not want to take the time to complete the compliance risk assessment survey. You even survived the IT data
collection disasters that surely happened. So, what are your next steps?

Eating the entire cake as a reward is certainly a good option, but not great for your diet. Throwing data at your
compliance committee or other decision-making body and saying “your turn now” is not a good option for your
company or career. This leaves you with the only viable option: morphing the raw data into useable data. Thus,
your goal is to take the compliance risk assessment survey results and transform them into scores that can be
plotted on a risk universe matrix—also known as a heatmap, dashboard, or risk map.

Creating a Risk Universe Matrix


Go back to your compliance risk assessment survey results. Someone (possibly you or a compliance committee)
needs to review answers to the survey questions and determine how to turn them into numerical data. Look at
whether or not policies or training are in place, whether or not the fine for noncompliance is jail time or a slap on
the wrist, whether the law needs to be complied with on a daily basis, or whether this is a law that requires a
simple report to an obscure agency every five years. Evaluate each law you have identified to be assessed in your
universe of risk.

Someone (again, possibly you or a compliance committee) will then identify the level of compliance risk
associated with a specific law. Quite frankly, this is the difficult part. How does a person or committee assess how
likely your business is to violate one law or another as well as the potential impact on your business if an
employee violates the law? But remember the charts from chapters 4 and 5 that delineate the different levels of
risk involving likelihood and impact factors? These can guide you in determining a scoring system.

You or the compliance committee will sit down and look at survey answers for every law in your assessment.
Soon you’ll get a sense of the laws dealt with daily, laws without policies or processes in place for your business
to even begin to be in compliance, and laws that create the most liability in terms of compliance with the law and
other factors. You’ll look at both the likelihood of noncompliance occurring and its impact on your business. You
will then try to assign two numerical scores to the compliance risks—one for likelihood and one for impact. You
can then use these scores to plot each risk on a chart—your risk universe matrix. This matrix is also known as a
heatmap, because the risks with high ratings on both factors are the hottest (or most in need of attention).

To generate this matrix, plot each risk by locating the likelihood score along the vertical axis and the impact
score along the horizontal axis. The risks that lie closest to the top right corner are the biggest problems, and
those lying closest to the bottom left corner are the smallest.

The likelihood score is determined by two numbers, both represented on a 1–5 scale (see chapter 4). Add those
two numbers together and your likelihood score will range from a low of 2 to a high of 10. Similarly, the impact
score is produced by adding the numerical ratings for all impact factors—the example in chapter 5 has seven
columns of factors represented. Added together, these become one score that ranges from 7–35.

As an example, let’s plot three laws on a sample matrix (see Figure 4: Risk Universe Matrix Example). If an
assessment of a particular law generated a 2-point Frequency Score on the Likelihood axis and a 7-point Severity
Score on the Impact axis, that law would be identified as having a low risk. It would be represented by a dot in the
bottom left corner of the risk matrix. If color-coding your laws, this would be in the green zone and classified as
low risk. If an assessment of another law generated a 6-point Frequency Score on the Likelihood axis and a 20-
point Severity Score on the Impact axis, it would be represented by a dot in the middle of the risk matrix and be
classified as a medium risk. If color-coding, this would be in the yellow zone. If another law had a 9-point
Frequency Score on the Likelihood axis and a 35-point Severity Score on the Impact axis, it would lie in the upper
right corner of the matrix and would be identified as one of your chief risks. A color-coded matrix would put this
in the red zone.

Figure 4: Risk Universe Matrix Example
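
As an added worked example (not code from the book), the scoring arithmetic above and the placement of the three sample laws in green, yellow and red zones, in Python. The score ranges (likelihood 2–10, impact 7–35) and the three example points come from the chapter; the band edges and the ranking rule are assumptions, since the book does not say where the colour boundaries fall. Here each axis is split into three equal bands, and a law's "heat" is the mean of its normalized likelihood and impact positions. The survey answers are constructed sample data.

```python
# Added example: turning survey factor ratings into likelihood and impact
# scores and placing each law on a 3x3 risk universe matrix.
from dataclasses import dataclass

LIKELIHOOD_RANGE = (2, 10)   # two factors, each rated 1-5 (chapter 4)
IMPACT_RANGE = (7, 35)       # seven impact columns, each rated 1-5 (chapter 5)


def _sum_ratings(ratings, expected_count, label):
    """Add factor ratings after checking the count and that each rating is on the 1-5 scale."""
    if len(ratings) != expected_count:
        raise ValueError(f"{label}: expected {expected_count} ratings, got {len(ratings)}")
    for r in ratings:
        if not isinstance(r, int) or not 1 <= r <= 5:
            raise ValueError(f"{label}: rating {r!r} is not an integer from 1 to 5")
    return sum(ratings)


def likelihood_score(ratings):
    """Two 1-5 ratings added together: ranges from 2 to 10."""
    return _sum_ratings(ratings, 2, "likelihood")


def impact_score(ratings):
    """Seven 1-5 ratings added together: ranges from 7 to 35."""
    return _sum_ratings(ratings, 7, "impact")


def _normalize(score, bounds):
    """Position of a score within its range, from 0.0 (minimum) to 1.0 (maximum)."""
    lo, hi = bounds
    return (score - lo) / (hi - lo)


def _bucket(fraction):
    """Split the 0..1 axis into three equal bands (assumption: the book gives no band edges)."""
    return min(int(fraction * 3), 2)


def matrix_cell(likelihood, impact):
    """(row, col) on a 3x3 grid; row 0 = lowest likelihood band, col 0 = lowest impact band."""
    return (_bucket(_normalize(likelihood, LIKELIHOOD_RANGE)),
            _bucket(_normalize(impact, IMPACT_RANGE)))


def zone(likelihood, impact):
    """Colour zone from the cell position. Assumption: band sum 0-1 green, 2 yellow, 3-4 red."""
    row, col = matrix_cell(likelihood, impact)
    total = row + col
    if total <= 1:
        return "green"
    if total == 2:
        return "yellow"
    return "red"


@dataclass
class ScoredRisk:
    law: str
    likelihood: int
    impact: int
    zone: str
    heat: float


def score_survey(survey):
    """survey: {law: {"likelihood": [two ratings], "impact": [seven ratings]}}.
    Returns the laws hottest first (assumption: heat = mean of the two normalized positions)."""
    scored = []
    for law, answers in survey.items():
        lik = likelihood_score(answers["likelihood"])
        imp = impact_score(answers["impact"])
        heat = (_normalize(lik, LIKELIHOOD_RANGE) + _normalize(imp, IMPACT_RANGE)) / 2
        scored.append(ScoredRisk(law, lik, imp, zone(lik, imp), heat))
    return sorted(scored, key=lambda r: r.heat, reverse=True)


# Constructed sample answers that reproduce the three points plotted in the chapter.
SAMPLE_SURVEY = {
    "Law A (five-year report to an obscure agency)": {"likelihood": [1, 1], "impact": [1] * 7},  # 2 / 7
    "Law B": {"likelihood": [3, 3], "impact": [3, 3, 3, 3, 3, 3, 2]},                            # 6 / 20
    "Law C": {"likelihood": [4, 5], "impact": [5] * 7},                                          # 9 / 35
}

if __name__ == "__main__":
    for r in score_survey(SAMPLE_SURVEY):
        print(f"{r.zone:6} L={r.likelihood:2} I={r.impact:2} heat={r.heat:.2f} {r.law}")
```

The validation in `_sum_ratings` matters more than it looks: a survey answer outside the 1–5 scale, or a missing impact column, would otherwise silently shift a law into the wrong zone, which is exactly the kind of data error the audit of responses described in chapter 6 is meant to catch.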

Chapter 8. Step Six: Implementing a Compliance Risk Mitigation Plan—Monitoring, Reassessing, and Modifying

Chapter Goals:

Understand why continual compliance risk monitoring is needed.

Determine how to develop a customized system to continuously monitor the compliance risk assessment initiative.

Determine your compliance risk reassessment time schedule.

Decide how to document monitoring the compliance risk assessment program.

At this point in your compliance risk assessment program, you have completed the following:

Identified the compliance risk universe;

Determined the compliance risk factors, such as likelihood of occurrence and impact of occurrence;

Conducted the compliance risk assessment survey;

Scored the survey results and generated a risk universe matrix; and

Developed and had approved by the CEO or other upper management your initial compliance risk
mitigation plan.

What is next? With all that work completed, one might be tempted to sit back and congratulate oneself on a job
well done. Well, the job might have been performed “well,” but it certainly is not “done.”

For your compliance risk assessment program to be of ongoing use to the overall compliance program, best
practice requires ongoing monitoring of all compliance risks. And clearly, compliance work is never really
finished. Laws change, employees change, and the focus of upper management changes. It is certain that there
will always be change; you just cannot predict how the change will affect a compliance initiative. Just know that it
will.

The key is having a continuous improvement system in place that provides enough flexibility to adapt to a
changing environment. But the key also requires having enough rigidity in the system to ensure that the
compliance initiative will not falter when the new hotshot manager arrives in your division and wants to shake
things up.

If you are the compliance officer, your job is to develop and maintain this continuous improvement system. How
do you begin accomplishing this task?

Monitor
The first step is to develop a continuous daily compliance risk monitoring process. Customization for your
business is critical. What should you include in your plan to keep the risk assessment process going for your
employees and management? And how should you monitor continued effectiveness of the program? Here are
some tactics you can try:

Develop and publicize a compliance calendar. Identify when reports are due to federal or state agencies and
even when reports are due to internal departments.

Perform random audits. If training on a law or policy was supposed to occur, ask the employee responsible
for documenting such training to show you the documentation.

Attend the training sessions. Are they well prepared, well presented, informative, and engaging? What
changes could be made to make them more effective training programs? Is the information up-to-date? Is
it accurate? Are you training everyone or are you spending time to determine who should be trained on
what policies and just training those employees?

Ensure that employees responsible for compliance with certain laws can attend training specific to their
needs. Stress the importance of training the trainer. Professional development budgets will always be tight,
but this does not mean that the business should ignore this important element.

Do not fear external or internal auditors. Use their audit findings to determine the existing holes in your
compliance risk assessment program and then work to plug the holes.

Review trends in employee discipline. What do the trends mean? Is it possible that the trends mean that
ineffective policies are in place or that training on those policies is ineffective?

Ensure you have a reporting policy (whistleblower policy) in place. Best practices require an organization
to have and publicize a system for reporting noncompliance. A method for anonymous reporting must be
included. Make sure that this reporting policy is written so that every employee understands what needs to
be reported and to whom.

Review your nonretaliation policy. Does the reporting policy include a prohibition against retaliation for
reporting or does your sole standard policy focus only on “no retaliation if involved in a discrimination
case”? Make sure it is the former and not just the latter.

Bottom line: Nothing is as effective as getting out of your office and walking around to talk with employees
dealing with day-to-day implementation of a policy, procedure, training, etc. These are the employees who know
what works and what doesn’t. Is the training effective? Are employees consistently disciplined for
noncompliance with a policy? Find out the facts from employees who should know the most about the
effectiveness of the compliance program in their particular area.

Chapter 9. Beyond the Compliance Risk Assessment Process

Chapter Goal:

Understand the basics of an effective compliance and ethics program.

You’ve made it through the basic steps for developing and implementing a compliance risk assessment and
mitigation plan, ranging from identifying the universe of risk to putting a monitoring system in place for the
compliance risk mitigation plan. Time to sit back and finally get to eat that cake, right?

While tempting, you’re not done yet. If your business intends to adopt a complete ethics and compliance
initiative, you need to consider some other elements and how they fit with compliance risk assessments to form
an effective ethics and compliance initiative.

Compliance Structure
The model used in this chapter describes an effective compliance and ethics program as defined by the USSG.
These guidelines represent best practices for organizations based everywhere in the world.

Just as you cannot design, implement, and monitor a compliance risk assessment program on your own, you
need the support of the CEO, board, and upper management to establish the structure for a compliance and ethics
program. At a minimum, the compliance structure needs to have high-level personnel who’ve been assigned
responsibility for the program.[1] How the team effort is structured within your organization is a decision that
should be made based on conversations with the CEO, other upper management, the board (if your organization
has one), and industry leaders. The structure must work for your organization, not for someone else’s
organization.

Hiring a full-time compliance officer sounds like an easy fix. However, that may not be the right fix for a
decentralized business with no previous history in compliance initiatives. Perhaps that organization might
benefit from a committee structure with direct reporting lines to the board and/or CEO.

Regardless of the structure you pick, the key is to remember that the individual(s) leading this effort must have
unfettered and direct access to the decision-makers (CEO, other upper management, or board). And the
employees held accountable for developing policies, procedures, and training regarding compliance with a law
need training on the law and resources to help your organization comply with the law.

Hiring Practices
Best practices require that the organization use reasonable efforts not to hire “substantial authority personnel”
whom the organization knew, or should have known, engaged in illegal activities or other conduct inconsistent
with an effective compliance and ethics program.[2] Simply put, you should hire employees who are willing to
work to ensure that your company will comply with the law, attend trainings to gather knowledge about the
laws, and understand their responsibilities to report noncompliance with the law. In other words, are your hiring
practices netting employees who can embrace your corporate culture of compliance?

If those types of employees aren’t being hired or, alternatively, if your organization’s employees do not embrace
a philosophy of compliance and you continue to employ them, are you really surprised that you have issues of
noncompliance? Your business needs to do a good job vetting candidates to find those applicants, and ultimately
employees, who will be able to contribute to your effective compliance and ethics program.

Written Standards and Procedures

According to best practices, for an organization to have an effective compliance initiative, the organization must
have written standards and procedures and communicate those standards and procedures to its employees.[3]

This requirement sounds easy, right? Just write standards down and hide them in the employee manual that
everyone signs on the first day of employment. And, of course, expect the employees to know these policies and
follow these instructions. Sorry—that is not likely to work. An employer needs to develop standards of behavior
and communicate those standards to employees. Typically these standards, policies, and procedures are called a
Code of Conduct or Code of Ethics.

Think of these policies and procedures as the backbone of the compliance initiative. Clearly articulated policies
written in easy-to-understand language will bring this initiative one step closer to being successful. Find a
centralized spot (on an internal website, in a policy manual, in an app, or whatever method of communicating is
best) and make sure all the policies are there. What can be worse than disciplining an employee for failure to
comply with a policy when the employee is sobbing in front of you and saying, “I didn’t know we had a policy; no
one told me. Where is it?”

One other hint for developing policies—make the process of developing the policy as transparent as your
business, industry, or country allows. You will get more buy-in and compliance with a policy if employees
perceive that the policy was written to help them, its authors actually had the expertise to write the policy, and
noncompliance with policy will not automatically result in a “gotcha” mentality.

Training and Education

Best practices require you to conduct effective compliance training programs.[4] This requirement is critical; if
your company does not value training and education, then a compliance initiative is doomed from the beginning.
You cannot have a compliance initiative without a well-trained workforce that is aware of compliance issues.

One hint—however you decide to implement training about a particular policy, consider these following ideas:

Make sure that whoever is being trained really needs to be trained about compliance with a particular
law.

Make the training as interactive and interesting as you can, based on the subject matter.

Remember who your audience is and adapt the training method and training time accordingly.

Document the training and who attended the training.

Compliance Program Communication

Implementing a compliance risk assessment initiative could make your employees believe that the Orwellian Big
Brother has arrived. Likewise, the most basic misconception about an ethics and compliance program is that it
involves all new actions and represents something management dreamt up over the weekend to add more work
to an already overburdened workload. This perspective could not be further from the truth. In order to have an
effective ethics and compliance program, the organization must take reasonable measures to periodically
communicate the elements of the program.[5]

Focus on building awareness that this effort is nothing new and the program is simply a method of formalizing
the process. Communicate how the initiative was developed and how and when it will be implemented in order to
lessen possible employee resistance.

If you are a Star Trek fan, you will understand this reference: “resistance is futile.” If you are not a Star Trek fan,
just note that employee resistance to the initiative will occur, and it is your job as a compliance professional to get
ahead of the resistance and smooth the path to achieve a relatively painless implementation process. Having a
well-developed communication plan will result in the path of least resistance.

Publicized Reporting Mechanisms and Follow-up

An effective compliance program also needs to “have and publicize a system, which may include mechanisms
that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or
seek guidance regarding potential or actual criminal conduct without fear of retaliation.”[6] What does this mean
for your business?

Simply put, your organization must design a reporting system and have that system in place for employees to
report noncompliance issues—and those reports must be made without employees fearing retaliation. In order to
achieve this requirement, your business must have a reporting process—either internal or third-party reporting.
Typically referred to as a hotline, this reporting mechanism allows employees to anonymously report
noncompliance issues.

A few items need to be in place before a reporting process can work effectively. First, be careful when naming this
policy—typically either “Reporting Policy” or “Whistleblower Policy” has been used. Your industry practices
may decide this for you, but if you have the choice, consider using the label of reporting policy rather than
whistleblower policy. “Whistleblower” has a connotation of “I am getting my business in trouble” while
“reporting” has a less-threatening connotation that empowers an employee to feel that he or she is doing the
right thing by reporting noncompliance.

Second, establish what “types” of noncompliance can be reported through your internal or external process.
Ideally, the business should not only encourage the reporting of criminal acts but also other forms of
misconduct. And each business needs to clearly articulate what the disciplinary actions will be if an employee
fails to report noncompliance.

Third, you need to have a nonretaliation policy in place. This policy needs to state that anyone who makes a good
faith report of noncompliance through the reporting system will not be subject to retaliation. There are different
ways to handle this; just ensure that every employee knows that they will be protected from retaliation if they
report instances of misconduct.

Monitoring and Auditing

For an ethics and compliance program to continue to be effective, simply following up on reported incidents of
possible misconduct won’t be enough. A system for continual monitoring and/or auditing of all risk areas must
be established.[7] The good news: If you have completed your initial compliance risk assessment then you are in
an excellent position to establish a schedule for ongoing monitoring and auditing. Typically, the highest risks
will be scheduled for the most aggressive reviews, while low-risk issues can perhaps be scheduled for a once-a-
year audit. An advanced program will mesh the compliance risk assessment initiative with its monitoring and
auditing schedules.

Enforcement and Discipline

To ensure employees know that your organization will appropriately respond to reports of misconduct, each
reported case needs to be investigated. In addition, fair and consistent forms of discipline must be established.[8]
Employees have ways of finding out if C-suite officials have committed misconduct and the episode was swept
under the rug. So, for instance, if a higher-level manager gets caught padding expense reports, he or she must be
disciplined in the same way as a lower-level employee. Likewise, if a low-level supervisor is found to have
committed sexual harassment and fired as a result, then a top-level manager committing a similar form of
sexual harassment will also need to be fired.

Response and Prevention

After a compliance failure has been discovered and dealt with, best practice requires that an organization review
its ethics and compliance program to understand what caused the failure and then modify its program to prevent
similar forms of future misconduct.[9] Continuous improvement is key for ensuring ongoing effectiveness of an
ethics and compliance initiative.

These standard elements of an effective ethics and compliance program have been time-tested by organizations
around the world. Putting these pieces together into a systematic process takes time and effort. But conducting a
compliance risk assessment can be a great springboard into developing a full ethics and compliance program.
Don’t despair; keep your focus on the prize.

Action Item:

Determine whether your organization is ready to establish an ethics and compliance program, or if it already has
one, make sure all major elements are included.

Chapter 10. Compliance Risk Assessment Buy-In

Chapter Goal:

Determine a sustainable compliance risk assessment initiative.

Imagine forcing employees to partake in a compliance risk assessment process by insisting that they participate,
do the assessment as part of their daily workload with no recognition for their efforts, and then do a “gotcha”
when it is determined that the employees were not promoting or adopting best practices to ensure compliance
with the law. A really bad idea, right?

Knowing your organizational culture will help you begin your quest to start a compliance risk assessment
process. Did you start this process with an edict from the CEO or board? Did you start this process with a
grassroots initiative involving employees who may know that the organization is not complying with a specific
law?

Customize this process to best fit your organization. Ask these questions: What works best at your entity? Does
the CEO command the loyalty and trust needed to successfully start and implement this assessment process? Do
your employees feel empowered to raise ideas to upper management with the presumption that they will be heard
and that good ideas will be addressed? Or is the culture mixed—the CEO pushes the idea and leaves it to the
employees to determine the who and what to make it work?
