Do I Need a Risk Assessment or Program Assessment?

Recently I noticed something interesting.  At Spark Compliance, we’ve got this nifty software that tells us when various companies visit our website, and which pages people review. Nearly everyone who looks at the Risk Assessments page also looks at the Program Assessments page.  In addition, I’ve recently had potential and current clients call me asking about risk assessments, when it’s clear based on their goals that they actually need a program review, and vice versa. 

To a certain degree, the confusion makes sense.  Both assessment types reveal areas of potential deficiency of controls and evaluate how risk is being managed.  But the goals of the two activities are significantly different.

The US Department of Justice and other regulators endorse and expect risk assessments to be performed regularly, and that program reviews take place on a systematic basis.  How do you know which activity you need right now?  First of all, evaluate the goal of the assessment.

The Goal of a Risk Assessment

The goal of a risk assessment is to evaluate the risks facing the business.  This evaluation uncovers the major compliance-related risks, then ranks them based on the likelihood that the bad thing will happen, and on the impact that the bad thing could cause.  The likelihood is then reduced by the mitigating activity already in place.  This may include having policies in place, training being performed, and other controls that manage risk. 

The Goal of a Program Assessment

The goal of a program assessment is to evaluate the strength of your program. This evaluation looks at how efficiently and effectively your program is running, and how well it is currently managing risk.  Most program assessments review the program against best practices, regulatory expectations, and what other similarly-situated companies are doing.  Like a risk assessment, the program assessment considers how well risks are being managed by current activity.  But rather than evaluating how well any specific risk is being managed, the evaluation focuses on whether the controls in place are operating appropriately.

Evaluate Your Goals

To determine whether you need a risk assessment, think about the outcome you want.  Do you want to manage the risks facing the company more effectively?  Do you need to make the case for more resources to manage a specific risk, like anti-bribery or data privacy?  Then you want a risk assessment. 

Are you looking to improve the program holistically?  Do you need to make the case for policy management software, which would benefit the whole program, not just manage a single risk?  Then you want a program assessment.  By evaluating what you want to get out of the review, you’ll know which assessment to perform or have performed for you.

Over Time, You Need Both

As noted earlier, the world’s regulators, including the Department of Justice, recognize the need for both regular risk assessments and regular program reviews.  The Evaluation of Corporate Compliance Programs includes an entire section dedicated to the evaluation of the risk assessment process.  Prosecutors are instructed to ask, “what methodology has the company used to identify, analyze, and address the particular risks it faces?”, and then to determine whether the risk assessment process has led to changes in the program.

With respect to program assessments, prosecutors are instructed to consider, “whether the company has engaged in meaningful efforts to review its compliance program, and ensure that it is not stale.”  They are also asked to determine whether the company “evaluate[s] periodically the effectiveness of the” program.  The outcome of the evaluation should tell the reviewer what areas of the program are working well, and which need to be updated.

How Often?

Risk assessments should be performed every two to three years, or whenever there is a substantial change in the business (e.g., a new division is created or the business grows into a new region).  Likewise, program evaluations should take place every two to three years.  Since both risk assessments and program assessments are lengthy and time-consuming processes, try to perform them in alternating years.

Risk assessments and program evaluations are critical to the success of your program.  By determining the goal of your review, you can choose the right vehicle to drive you to success. 

Interested in more information about the benefits of having a professional risk assessment or program assessment performed?  Contact us at kgranthart@sparkcompliance.com, or visit our website at www.sparkcompliance.com.