There are two basic places to find information for your risk assessment: documents and interviews. Ensuring that you have the right documents and that you efficiently review them will make the process much smoother. This sounds easy, but is deceptively so. Wasting time reviewing documents is practically de rigueur. But it doesn’t have to be if you plan correctly.

This is the second in our Risk Assessment Top Tips series. The first one on scoping your risk assessment for success can be found HERE. Like many steps in the risk assessment process, document collection and review has pitfalls that can be avoided. Following you’ll find top tips to ensure that your review goes well.

Top Tip One: Create a Document Inventory Before You Start Review

Many people dive right into the documents without taking the time to create an inventory sheet. An inventory is simply an Excel sheet or Word table that lists information such as:

• The document’s title

• The author/department to which it applies

• The risk or sub-risk to which it relates

• The date of the document

• The most pertinent parts/salient points of the document

Don’t start reviewing until you’ve set up a system to do it effectively. If you start reviewing before you start your system, you’ll end up re-reviewing documents, possibly three or four times.

Top Tip Two: Assign each Document a Number

Assign each document a number. If you’re working with hard copy documents, write the number on the front page. If you’re using electronic documents and you’re able to, save the documents in your system or SharePoint with the number in the title. It will help you to find the most critical documents later.

Be sure to add a column to your document inventory table that lists the number of each document so you can access them easily.

Top Tip Three: Add a Column for Interviewees…

One of the most frequent questions I’m asked is, “While Compliance owns compliance-related policies, I’m being asked to manage all of the policies in the company. This seems ridiculous. Who the heck should own all the policies? HR? Compliance? Operations?”

To no one’s surprise, the answer is, it depends. Upon what does it depend? The company’s structure, size, function makeup, and of course, the availability of time, technology, and human resources to manage policy architecture.

While there isn’t any one answer about who should own the polices or policy architecture, there are best practices for managing this beast. The best way to start is with a “Policy on Policies” that governs the policy architecture. A Policy on Policies should always include:

The Outline of a Singular Structure

Nothing is worse than disparate policies from different departments with no commonality of structure, branding, or style. People like to see consistency in the structure of policies so they know where to find the information they need. A Policy on Policies should lay out the structure required for all polices. Better yet, it should contain an appendix that vividly displays each piece of the standard policy, along with the font, style, and branding required. This will help ensure that all policies are consistent.

The Requirement of a Policy Owner

Each policy needs an owner. This can be harder than it sounds. The truth is, for many policies, there are several stakeholders. For instance, in responding to a data breach, Information Technology, Information Security, Legal, Compliance, Privacy, and Human Resources will all likely be involved. Which should own the Data Breach Response policy? It doesn’t really matter – what matters is that someone does.

The Requirement to Note the Policy Approver

Just as policies need to have an owner, they also need to have an approver. The approver can be either a person (e.g., Raymond Cerano) or a role (e.g., Vice President, Human Resources). An individual needs to be responsible for the content of the policy. Make sure it is clear who has approved the policy so the approver can be identified and asked questions if the policy language is ambiguous.

A Process for Approval…

Let’s face it, this is a tough time. People are breaking down. Especially where children aren’t going back to school, working parents are struggling to manage emotionally on a day-to-day basis. Many are caring for their parents or sick relatives, or alternatively, the pain of being alone much of the time. With so many pressures on top of what was already going on in our daily lives, it is easy to become overwhelmed. I love the quote, “Happiness is managing expectations.” One of the best ways to navigate stress and anxiety of this time is to manage expectations – both of others and yourself.

Managing the Expectations of Others

Many people’s to-do list is so long it doesn’t fit on the paper anymore. When stress runs high, heaven help the person who calls up to ask where their report is at 7:00 in the evening! Instead of getting so close to the edge that we are toppled by the last straw, it helps to manage the expectations of other people upfront. This includes setting realistic response times and refusing to commit to time frames that you know you can’t meet. It is easier to tell people that you can’t meet their preferred deadline during the first conversation, rather than agreeing to the deadline, panicking as it gets closer, and letting someone down at the last minute. It may feel hard in the moment, but over time, it will save you tremendous grief by setting proper expectations upfront.

It pays to be strategic. If your boss gives you yet another piece of work, ask him or her what they would like you to de-prioritize so that you can complete the new assignment. This simple question can remind the boss that there must be trade-offs, at least in terms of prioritization of work, if more is to be assigned. The conversation about priorities and shifted deadlines also helps to put you and your boss on the same page as to what is the most important piece of work to complete. You are much likely to keep your boss happy if you agree on what is most critical to finish.

Managing Expectations of Yourself

When we think of “managing expectations,” we don’t often consider the application of the phrase to ourselves. But it’s a cliché that we are our own worst critic. When we don’t live up to our own expectations, we may punish ourselves more than anyone at work ever could without being arrested. Managing your expectations of yourself is critical for your long-term success.

How do you manage your expectations of yourself?…

I recently had the pleasure of talking compliance with the one and only BROADCAT. If you don’t know the Broadcat, you should check it out. They create the best customizable infographics, posters, and communication content out there. Plus they have a wicked sense of humor. Read below to find out what tacos, white chocolate, and chardonnay have in common, and the biggest challenge I faced that I had to push back against when starting my career. (FYI - the Broadcat is now selling a special enterprise version of the Risk Assessments Made Easy and Wildly Effective Foundations course with BONUS content through their exclusive Design Club - more details HERE).

Give us the story of your life in two tweets.

Three passports: Born Canadian, turned American actress/producer, turned lawyer, turned married-to-British-man, turned British myself, turned Compliance Officer, turned CCO, turned law professor, turned CEO of a consulting company, turned entrepreneur running a West Virginia cabins business, turned property developer, turned compliance video star/producer. Turned full circle.

Why did you start your company?

When I was a CCO, the advice I got from BigLaw firms and the Big Four accounting firms was never useful in real life. It was clear that most of the lawyers and advisors from those firms had never been in-house and didn't understand how to give practical, proportionate, pro-business advice. I knew I could bring that perspective to the market to help people make their programs better in pragmatic ways.

What makes your approach and your services different from everything else out there in compliance?…

“Helllloooo…can anybody hear me? Hellooooo? Is anyone there?” Training remotely can be a lonely endeavor. You’re home, the audience is home, and it frequently isn’t clear if anyone is listening, much less actually learning.

As the world has shut down from the COVID crisis, remote training is becoming more and more of a reality. No matter how big of a challenge remote training is, the training doesn’t have to be bad.

Remote training takes place online. Some of it will be live via webinar software, some will be via eLearning platform, and some will be via recording. No matter what type of system you’re using, there are ways to make it engaging.

Too many training sessions begin and end with legalistic PowerPoints in ten-point font which are read out loud to an audience who can see exactly what is going to be said next. Instead of going through the same tired exercises, try some of these techniques:

Start Strong

Instead of welcoming everyone to the training and showing an agenda slide, surprise people. For instance, you can:

Launch Straight into a Story

Try launching immediately into a juicy scandal involving the compliance topic on which you are training. For instance, if you’re giving antitrust training, make your first slide a picture of a tuna fish and launch into the story of Starkist’s $100 million price-fixing prosecution. Add puns for additional pizazz. Describing how the price-fixing scam went (tuna) belly up can entertain even the most jaded listeners.

Put up a Visual Puzzle

Start with a visual puzzle. Continuing with our antitrust training example, you could open with a slide that looks like this:…