The Department of Justice's watershed Evaluation of Corporate Compliance Programs Guidance Document made it very clear: a risk-based approach is necessary to avoid "devot[ing] a disproportionate amount of time to policing low-risk areas instead of high-risk areas." The Guidance goes on to describe all of the areas where a risk-based approach is required. Having a risk assessment is just the beginning. Monitoring the right metrics relating to the risk assessment is critical to judge the health of the program. In this blog, we're going to explore metrics relating to risk assessments. This is Part 8 of our series. If you haven't read Part 1, I recommend you go back and start there, as it sets the stage regarding why certain metrics should be chosen. We've already explored metrics that can be used with policies and procedures, which can be found HERE, monitoring and auditing, which can be found HERE, training, which can be found HERE, third-party risk management, which can be found HERE, governance, which can be found HERE, and communications and tone from the top, which can be found HERE. What Needs a Risk-based Approach? The phrase "risk-based approach" is used by many compliance officers, sometimes without an understanding of what it means. The DOJ Guidance defines several areas in which risks should be managed using a risk-based approach. These include third-party due diligence, assignment of training, gathering metrics and reporting for the Board, and the allocation of resources (both human and financial). Without a proper written risk assessment that is effectively monitored, this is impossible. The Most Important Question...
