Let’s start with what’s not a corporate compliance risk assessment – reviewing internal controls. At best, that is benchmarking or an audit of sorts. These reviews have their place, but they’re a health check to my mind. We need a lifestyle analysis for a more rounded risk assessment – a proper corporate compliance risk assessment.
We can’t estimate risk without understanding the organisation’s external lifestyle. A five-person technology start-up developing NFTs in a coworking space in Hong Kong faces almost none of the same risks as a sizeable Honduran aquaculture business supplying some of the United States’ biggest restaurant chains.
If you’re struggling to conceptualise these ideas, we have developed a straightforward (and high-level) external risk assessment tool here, which you can complete for free. You can gather this information using a blend of surveys, workshops, and interviews, usually quite quickly. The trick is to avoid asking complex questions or using risk jargon. For example, avoid asking people to estimate likelihood using words like “possible, sometimes, probable, etc.”. If you’re inviting many people (via a survey), it’s often easier to ask them to estimate in percentage terms. When we pick numbers or values as a group, we tend to be accurate at the median point.