"Take calculated risks; that is quite different from being rash."
-- General George S. Patton, World War II General

Being a new Chief Compliance Officer (CCO) and having to establish a new risk function can be a daunting challenge. While there is no formula that guarantees the success of the CCO, there are steps that can be taken that will be instrumental in obtaining the desired success. The first step is to build a risk-oriented culture. The second step is the development of a risk-based environment and management system. The third and last step is the creation of an internal control system which surrounds the culture and management systems. Here is some practical advice for success in the second step.

Step 2: Developing a Risk-Based Environment and Management System

Compliance is more than adhering to laws and regulations - it is making sure that the risk culture, policies, procedures, and controls are being adhered to. The CCO should steer and direct the organization to stay within the mandatory boundaries of laws and regulations as well as the voluntary boundaries of risk culture, tolerance, appetite, and values.

So how does the CCO do this?

First and foremost, the CCO should establish a risk-based environment and management system with zero tolerance for absolute risks. No doubt, compliance with all laws, rules, and policies is the primary responsibility of the CCO. An environment of zero tolerance for absolute risks should be the case without exception.

Absolute risks are defined as risks that are unacceptable because a law, rule, regulation, etc., clearly makes a lack of adherence unacceptable. Compliance thereto is mandatory; absolute risks must be avoided. They are never acceptable risks, since accepting them would violate the law. The risk management system should eliminate them. Zero tolerance is the rule.

A quality risk-based environment and management system communicates and ensures absolute compliance with all mandatory laws, rules, regulations, public policy standards...

However, not all risks can be avoided or eliminated. Thus, the CCO should establish an acceptable risk appetite and a risk mitigation process to manage these inherent risks. Inherent risks are intrinsic to a business activity and arise from exposure to, and uncertainty from, possible future events or changes in business or economic conditions. Inherent risks may or may not happen. Under a risk management system, controls are designed and built to identify, manage, monitor and mitigate inherent risks. The risk management system is the systematic application of processes and structures that enable an organization to identify, evaluate, analyze, optimize, monitor, improve, or transfer risk.

The only way an organization can manage risk appropriately is if acceptable and unacceptable risk is defined. The CCO should clearly define, establish and communicate the environment of risk taking, acceptance, tolerance, and appetite. If the CCO does not do this, risk taking is left up to individuals and the integrity of the organization is in jeopardy.

Actions to Build a Risk Environment and Management System

The first action in developing a risk-based environment is to identify the risks and potential areas of vulnerability in the business. Risks can be identified from many sources, including the following:
-- Internal Audit Reports
-- Ethics Reports
-- Regulatory Examinations and Inquiries
-- Management Reports
-- Self-initiated Risk Assessments
-- Results from preventive controls
-- Information gleaned from Business Partnerships

Secondly, once the risks have been identified, the CCO needs to determine the proper action regarding each risk. This requires the CCO to establish an acceptable risk appetite. There are three options for managing inherent risks:
(1) Reduce or mitigate;
(2) Transfer; or
(3) Retain and accept, and budget for the exposure.

Reduce and Mitigate. This option is chosen for those risks that are too great to accept. Actions and strategies are developed and implemented to reduce or mitigate the exposure.

Transfer. The exposure for some risks can be transferred through outsourcing or by the purchase of insurance.

Retain and Accept. Some risks will be acceptable without any mitigation efforts. However, the organization should consider budgeting for the exposure.

Each identified risk should be evaluated to determine the desired course of action. One of the three courses above should be applied to each risk.

Finally, once the risks have been identified, a risk appetite has been determined and a management plan has been implemented, a monitoring and reporting process needs to be instituted.

This is a continuous process. It never ends. The CCO must continually identify risks, determine risk treatment, implement and monitor.