Risk-Free Compliance: An Annual Checklist for Evaluating Effectiveness

Compliance Risk Assessment / Detection & Mitigation Checklist

Extract from Annual Compliance Program Effectiveness Checklist, by Elena Konovalova

·??????Are you looking for a way to evaluate your Compliance Risk Assessment program's effectiveness, completeness, and accuracy?

·??????Do you need help implementing a proactive approach to Compliance Risk Assessment and Mitigation?

·??????Do you want to ensure that your Compliance Risk Assessment program aligns with international standards?

·??????Do you need a comprehensive checklist for Compliance Risk Assessment and Detection & Mitigation?

As a Head of Legal & Compliance, staying on top of regulations and ensuring the #effectiveness of your corporate #ethics and #compliance program is crucial. But with so many #standards and #bestpractices to follow, it can take time to figure out where to start. That's why we have created this Annual Compliance Program Effectiveness Checklist, following international standards such as ISO 37301:2021 , ISO/TS 30423:2021 . This Checklist will help you objectively evaluate the effectiveness of your program and identify areas for improvement. Using this Checklist, you can ensure that your program is well-designed, adequately resourced, and effective in practice.

This Checklist encompasses key areas and aspects of an "adequate and effective compliance program" for you to use as you aim to make informed decisions as to whether and to what extent the company's compliance program is effective, understand areas for improvement, and start developing an annual program development plan.

It helps to address three "fundamental questions" as defined by the U.S. Department of Justice Evaluation of Corporate Compliance Programs (Updated June 2020):

• First, is the company's compliance program well-designed?
• Is the program being applied earnestly and in good faith? Or, in other words, is the program adequately resourced and empowered to function effectively?
• Does the company's compliance program work in practice?

Compliance Risk Assessment and Detection & Mitigation are critical to any compliance program. By identifying potential risks, organizations can develop and implement strategies to prevent them from occurring. This can include implementing controls, policies, and procedures, providing training and education, and monitoring compliance. By taking these steps, organizations can mitigate the risk of misconduct and reduce the likelihood of legal and financial consequences.

An effective Compliance Risk Assessment and Detection & Mitigation program can also help organizations maintain public trust and reputation. In today's business environment, reputation is a crucial asset that can help organizations to attract and retain customers, employees, and investors. In addition, by demonstrating a commitment to compliance and integrity, organizations can build trust with key stakeholders and maintain their reputation for ethical behavior.

Learn how to objectively evaluate the effectiveness of your corporate Ethics & Compliance corporate program, following the best international standards. Use this Checklist for clients' & customers' self-assessments as part of your Compliance Covenants Program.

Compliance Risk Assessment / Detection & Mitigation

DOJ (USA): I.A; II.A

ISO 37301:2021: 4.1., 4.3.; 4.4.; 4.5.; 4.6.

ISO 37001: 2021: 4.5.

This section aims to evaluate whether your compliance program is appropriately designed to detect the particular types of misconduct most likely to occur in a particular Company's line of business and regulatory environment.

Key Questions

? Do we understand the external and internal issues related to compliance risks?

? Have we determined interested parties/critical stakeholders and their requirements?

? Have we determined the scope of the compliance risk management system and documented it?

? Does our CRMS reflect the company's values, objectives, strategy, and risks?

? Have we identified and documented our compliance risks' obligations and implications?

? Do we have a process to identify changes to law/regulations and other obligations, and do we evaluate these changes and implement changes as appropriate?

Performance Evaluation

• Does the Company have formalized risk mapping process (i.e., Corporate Risk Management Policy)? Answer Yes/No.
• Does the Board formally approve the process? Answer Yes/No.
• Is there a suitable level of attention for the Corporate Risk Matrix, the broad disclosure of risks, and general engagement in prevention and mitigation measures? Please, explain your assessment
• Are the criteria periodically updated? Answer Yes/No.
• Have you completed and formalized this year's annual update? Please indicate the date of the latest review

Do risk metrics of the Company's Financial Statement (Annual Financial Report) inform the company's compliance program? Please indicate the links

• Does the Company have a matrix of senior management's responsibilities for detecting and mitigating risk factors? Answer Yes/No.
• Does the Company's Risk Matrix include the risks discovered through misconduct or other parts of the compliance program? Answer Yes/No.
• Is the risk assessment current and subject to periodic review? Indicate the date of the latest review. Check whether you specifically evaluate the following high-risk areas in your Risk Matrix:

1. High-risk Geographies (locations of operations)
2. Industry Risks
3. Competitiveness of the Market
4. Regulatory Landscape
5. Transactions with Foreign Governments
6. Payments to Foreign Officials
7. Use of Third Parties
8. Gifts, Travel, and Entertainment Expenses
9. Charitable and Political Donations

(update the list with individual high-risk areas)

• Check whether you track your high-risk geographies of operations. Indicate them
• Do you indicate the levels of exposure for detected risks? Are they aligned cross-functionally? Answer Yes/No.
• Evaluate a proportion of the company's attention to the different risk areas. Specifically, does the company devote a disproportionate amount of time to policing high-risk areas instead of low-risk areas?

Examples: questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors.

• Does the company give greater scrutiny, as warranted, to high-risk transactions? Answer Yes/No.
• Are mitigating factors clearly identified? Answer Yes/No.
• Are materializing action plans created and monitored? Answer Yes/No.
• Has this year's annual periodic review of the Risk Matrix led to updates in policies, procedures, and controls? Please indicate them
• Does the company have a process for tracking and incorporating lessons learned and best practices into its periodic risk assessment to be reapplied within the geographies of its operations? Answer Yes/No.
• Is there a suitable level of cooperation between regional/operational locations for the lessons learned/best practices deployment? Answer Yes/No.
• Is there an ongoing assessment of the Risk Matrix conducted by independent auditors (internal and external)? Answer Yes/No.
• Does the Company have a process for tracking and incorporating benchmark measures into its periodic risk assessments with other companies operating in the same industry/high-risk geographies of operations? Indicate the list of your peers to benchmark

Improvement Plan

? Take Actions to control and correct

? Evaluate the need to eliminate

? Manage the consequences

? Make changes to the system as necessary

? Evaluate Resources

? Review the effectiveness of corrective action

The #improvement Plan is an essential part of the Annual Compliance Program Effectiveness Checklist. It serves as a guide to identify areas for improvement and create a plan for addressing them. By completing this section of the Checklist, you will be able to take a proactive approach to enhance your compliance program and minimize the risk of misconduct.

To use the Improvement Plan, review your answers to the questions in the Checklist and identify areas where your program may be lacking or in need of improvement. Once identified, then use the Improvement Plan to take specific actions to address these issues.

This Improvement Plan includes several key steps to ensure a comprehensive approach:

The first step is to take action to control and correct any identified issues. This may involve implementing new policies or procedures, training employees, or taking other steps to prevent and correct the problem.

The next step is to evaluate the need to eliminate any identified issues. This may involve identifying and removing underlying causes of the problem, such as outdated policies or procedures, or eliminating a particular process or activity that is found unnecessary.

Once the problem has been addressed, it is important to manage the consequences of the actions taken. This may involve communicating the changes to employees, customers, or other stakeholders and minimizing any potential negative impacts.

After managing the consequences, make changes to the compliance system as necessary. This may involve updating policies and procedures, revising training materials, or making other changes to the system to ensure that it is functioning effectively.

Finally, evaluate resources and review the effectiveness of any corrective action taken. This may involve assessing the effectiveness of new policies or procedures, examining the impact of training programs, or evaluating the effectiveness of other changes made to the compliance system. By regularly monitoring and assessing the effectiveness of the corrective actions taken, organizations can ensure that their compliance program remains effective and continues to evolve.

To conclude, the Improvement Plan is a powerful tool that allows organizations to identify areas for improvement, take proactive steps to address them, and monitor their effectiveness, thus ensuring that their compliance program is functioning effectively and minimizing the risk of misconduct.