Just in time for Halloween, I’m joining with Compliance Line in a webinar to reveal the Top Ten Third-Party Risk NIGHTMARES. In this fast-paced webinar, we’ll be diving into the fear-filled world of bad third-party risk management and poor due diligence practices, plus share practical, real-world advice on what to do about them. You don’t want to miss this exploration of the dark underside of poor risk management. Learn how to wake up feeling great about your third-party program with straightforward solutions to these nightmarish problems.

THIS THURSDAY (October 29) at 12:00 p.m. Eastern. SIGN UP HERE.

Recently I noticed something interesting. At Spark Compliance, we’ve got this nifty software that tells us when various companies visit our website, and which pages people review. Nearly everyone who looks at the Risk Assessments page also looks at the Program Assessments page. In addition, I’ve recently had potential and current clients call me asking about risk assessments, when it’s clear based on their goals that they actually need a program review, and vice versa.

To a certain degree, the confusion makes sense. Both assessment types reveal areas of potential deficiency of controls and evaluate how risk is being managed. But the goal of the two activities are significantly different.

The US Department of Justice and other regulators endorse and expect risk assessments to be performed regularly, and that program reviews take place on a systematic basis. How do you know which activity you need right now? First of all, evaluate the goal of the assessment.

The Goal of a Risk Assessment

The goal of a risk assessment is to evaluate the risks facing the business. This evaluation uncovers the major compliance-related risks, then ranks them based on the likelihood that the bad thing will happen, and on the impact that the bad thing could cause. The likelihood is then reduced by the mitigating activity already in place. This may include having policies in place, training being performed, and other controls that manage risk.

The Goal of a Program Assessment

The goal of a program assessment is to…

A couple of weeks ago I gave a webinar with Compliance Line that has created a huge amount of buzz. It’s topic was the Top Ten Mistakes Compliance Officers Make when Performing Risk Assessments, and people were so engaged we couldn’t get to most of the questions! If you didn’t have the chance to see it, you can watch it HERE. In it, we explore the top ten mistakes (and what to do to fix them!). We look at:

1. Taking on too many risks at once

2. Tackling too many regions/business units

3. Creating document disasters

4. Religious adherence to the interview outline

5. Questioning knowledge instead of activities (this one is my favorite)

6. Not using a repeatable methodology

7. Throwing away the current program plan

8. Letting every score be medium

9. Using red/yellow/green on the heat map (ooh, this one is controversial!)

10. Shoving the report in a drawer

Risk assessments can be difficult, but they don’t have to involve self-sabotage. Find out how to make them better. View the video HERE.

p.s.: Don’t miss our next webinar on The Top Ten Third-Party Risk Management NIGHTMARES (just in time for Halloween!). Get more information and sign up HERE.

We’re in strange times aren’t we? Normally at this time of year I’d be writing about the excitement of the upcoming in-person conferences, with top tips for maximizing your learning, networking, and career development. Sadly this is not the case this year. The proliferation of virtual conferences is pronounced. I’m sure all of these conferences were being held last year, but as one can only attend so many in person, I wasn’t really aware of just how many are going on. It feels like every third email I get is an invitation to another virtual conference.

In some ways, the opportunity for learning and professional development has never been greater, but the networking opportunities have never been lesser. Since this is the first virtual conference season for all of us, let’s look at some top tips for maximizing your learning and networking experience.

No. 1: Choose an Attendance Strategy

Attending all of the conferences would simply be exhausting. You’d also fail to get any work done for about four weeks, which would certainly be detrimental to your career! There are two major attendance strategies from which to choose. Pick one and stick with it.

Strategy 1: Choose one or two Conferences and Dive In

One strategy is to choose one or two of the most interesting conferences and dive in. Block out your calendar for the conference days, sit back with a coffee, and enjoy the festivities. This strategy is analogous to choosing the prix fixe meal or blue plate special – you get what they give you. On the plus side, you’ll be done with the conference learning quickly. On the downside, you’ll get a narrow perspective, and your opportunity to speak with a wide variety of speakers will be limited.

Strategy 2: Choose the Best Sessions from Each Conference

Another strategy is to sign up for all of the conferences, then look at all of the sessions in aggregate to pick the most interesting ones from each conference to attend. This strategy is like choosing from the a la carte menu. On the plus side, you’ll get a variety of information most suitable for your needs. On the negative side, you’ll be utterly inundated with reminder emails and have to navigate numerous platforms, only some of which will work some of the time. You may find it difficult to schedule sessions over several weeks instead of all at once over one to three days.

Whichever strategy you choose, don’t deviate from it.

No. 2: Participate in the Chat to Show You’re There and Engaged…