Before starting to design and implement policies within an organization, it’s important to conduct a proper risk assessment. Risk assessments ensure company policies and procedures help reduce the risks and potential threats within the workplace. Each company faces different risks based on factors such as location and industry type. There are certain elements that need to be included in all risk assessments. Similar to conducting a basic SWOT analysis, risk assessments encourage HR managers and executives to think harder about different threats and opportunities for the business. A SWOT analysis assists in defining clear goals, making a risk analysis investment worthwhile.
In our previous post, “5 Simple Steps to Conduct a Risk Assessment”, we focused on safety based tips for conducting workplace risk assessments, however, in today’s post we are focusing in on 5 risk assessment tips that help with setting the tone at the top and governing policies.
1. Evaluate ALL Areas of Misconduct
To conduct a proper ethics and compliance risk assessment, address all potential areas of risk- not just the most common or obvious ones. To ensure that all of the bases have been covered, evaluate risks that are specific to both the company and the industry that it operates in. As a starting point, go through previous files or cases relating to complaints or problems that occurred within the company and then focus on risks that are a bit harder to identify. It’s important to examine the factors causing these risks to occur, as well as the ability company’s have to plan for and reduce the impact of risks. This analysis will helps with policy creation, aiding in the development of effective policies fostering an ethical corporate culture.
2. The More The Merrier
During the ethics risk assessment, gather opinions from as many employees as possible. Also, make sure they come from different levels within the company. There are different risks present at different levels and faced by different employees. Including a number of employees allows for a more complete picture of the company’s “risk landscape,” as these employees can identify and communicate risks they encounter on a day-to-day basis. Depending on company size and the number of people included in this step, the article “Maintaining a Robust Ethics and Compliance Program in Today’s Business Climate: A Necessity to Minimize Your Organization’s Risks” recommends using methods such as distributing surveys, holding focus groups or other forms of meetings or individual interviews, to gather information.
3. Benchmarking and Comparison
A useful resource for identifying risks and evaluating ethics and compliance program is to benchmark against competitors or industry leaders. This helps to ensure policies keep companies “in check” with industry laws and standards. When observing the ethics program of an industry leader, look at their code of ethics, corporate culture and corporate social responsibility statements that can be easily accessed on corporate websites. Pay attention to the areas of risk they focus on and see if the policies they have put in place actually work as intended.
For example, Johnson and Johnson is an industry leader in the consumer health care field. If a company is one of their competitors or are looking for a superior quality ethics and compliance program, look at their corporate governance guidelines, annual reports and code of ethics to get an idea of issues that are important to them and how they handle them. Benchmarking is similar to leading by example. Industry leaders and companies known for their commitment to ethics and compliance want to lead the way for other companies to follow and incorporate best practices into their workplace.
4. Training and Awareness
The article “Maintaining a Robust Ethics and Compliance Program in Today’s Business Climate: A Necessity to Minimize Your Organization’s Risks” states that it’s also important to evaluate employee training related to the compliance and ethics program to make improvements to the training program:
“Measure employee knowledge. The ethics and compliance risk assessment should include a measurement of employee knowledge and awareness of the compliance program and supporting controls. Doing so can help pinpoint where training and communications programs need to be improved.”
In our post, “How to Encourage Employees to Use Internal Reporting Tools”, we discussed the impact of increased ethics and compliance program training and awareness at BAE Systems. BAE Systems credits increased employee awareness of compliance and reporting systems as a contributing factor in the increased use of internal reporting systems to help detect and uncover workplace misconduct. Employees must be aware of all policies and procedures that govern employee actions in order to create an ethical corporate culture.
When evaluating and developing training programs, consider the interests of the audience and make training interactive. Taking those two factors into consideration will lead to increased employee engagement and retention of information communicated- take a page out of the books at Cisco Systems, their “Ethics Idol” training program really got employees talking!
5. Set a Re-Evaluation Date
I know that this point was already included in our post “5 Simple Steps to Conduct a Risk Assessment”, but it’s just to important to leave out. Select a time or times each year where to re-evaluate corporate risk assessments. This allows companies to keep policies and procedures up to date and remain inline with updated laws and regulations. As the workplace evolves, adapt policies to these changes to help mitigate risk. To provide an idea of the frequency required for re-evaluation, the authors of the article “Maintaining a Robust Ethics and Compliance Program in Today’s Business Climate: A Necessity to Minimize Your Organization’s Risks” recommend that:
“The frequency with which an organization chooses to conduct ethics and compliance risk assessments depends on the nature of the organization’s industry, but if the methodology and process is adequately defined, it can reasonably be conducted on an annual basis where year-over-year results can be appropriately compared. Since operating environments, regulations and government enforcement priorities routinely change, it is inadvisable to conduct compliance risk assessments on a less frequent basis than every two years.”