Why do I need to assess
compliance risks?
How much do
you know about
conducting a
compliance risk
assessment?
What will I get from these classes?
Please, interrupt
Risks?
BA
Risks?
BA
Hernan Huwyler, MBA CPA
Audit SOX ACCG
Risks
SAP/IT
Compliance
@hewyler
@IElaw
ISO 31000 Risk Management
Time
Productivity
What will we research?
Compliance
ability to deliver on stakeholders´
expectations
compliance with the law and ethics
makes companies sustainable
interpret the impact of existing and
future compliance obligations
(requirements and commitments
that an organization has to or
chooses to comply with)
Risks
effect of uncertainty on objectives
a positive or negative deviation
from what is expected
lack of information causes
uncertainty
with respect to a certain time
horizon
Example: unclear norms create risks
Abstract, imprecise and intricate
norms
Generic descriptions in legalese
Technicalities
Contradicting specifications
Legal loopholes
Unclear norms
=
Lack of information
=
Risks
I did not have "sexual
relations" with Lewinsky
US federal law on sexual assault
From criminal to ethical risks
Compliance risks
External compliance for
regulations, laws and concession
contracts (legal risks)
Internal compliance for policies
and procedures, organizational
standards, self-regulations, ISOs,
corporate commitments
Criminal risks
Criminal misconduct
Corporate criminal liability
Focused on bribery offenses
Granted resources for
compliance
Ethical risks
Stakeholders´ expectations
Based on business principles
and values
Protect the reputation
Producing a compliance
risk assessment is a
requirement to “make up”
policies…
… or an opportunity to
communicate ethical values,
anti-fraud and corruption
controls and best practices
to increase profitability
Compliance officer as …
a trusted advisor
by supporting the business and the
executive committee to take new
compliance risks
by recommending easy-to-follow and
cost-effective controls to address
compliance risks (the what + the how)
by setting priorities for strategic initiatives
by gaining commitment from
stakeholders
Compliance officer as …
a trusted advisor
prevents, finds and fixes problems
understands where the compliance
risks are in order to mitigate them (risk exposure)
understands the tolerance, capability and
appetite for risk
improves the risk assessment to
stimulate ethical behaviors
Discussion case
you are the CCO at Uber
aggressive business model
massive personal data hack
CEO resigned after allegations of harassment
and discrimination
let´s assess compliance risks
Licenses, FCPA, SOX, data privacy laws, labor
laws (drivers as independent contractors, not
employees), competition laws (price-fixing
conspiracy)
Discussion case
Being the CCO at UBER
Dissecting compliance risks
Compliance
comply with the ethics and the law
real or perceived violations affect
the current and future business
creates financial losses: fines,
sanctions, credit restrictions,
reputation losses
Consequences
Impact per event
Risks
deviation of processes, controls or
functions from an expected level
occurs due to lack of information,
changes, inabilities, improper
governance
Causes
Frequency in a time horizon
Dissecting compliance risks
Consequences
Impact per event
Contingency plans
Crisis protocol
Corporate defense
Investigation protocol
Disaster management
Data backup
Contract clauses
Causes
Frequency in a time horizon
Prevention plans
Policies and procedure
Delegation of authority
Compliance training and
awareness
Compliance helpline
Financial controls
Dissecting compliance risks
Impact
magnitude/severity of the possible
consequence
adverse consequence → risk per
se
positive consequence →
opportunity
Frequency
likelihood/probability of
occurrence of each consequence
occurrence per unit time
Dissecting compliance risks
Impact * Frequency =
Level of risk
calculate exposure
identify risks requiring most
attention
prioritize critical risks
plan for a target level of risk
Compliance risks as opportunities
Risks are…
…. the foundation of the #ethics and #compliance
program
identify risks
allocate resources to reduce major risks
monitor leading indicators
anticipate risks
demonstrate a proactive approach to compliance
improve decision-making
Regulatory vs. compliance risks
Regulatory risks
Potential loss caused by the creation
or modification of laws and
regulations, or their interpretation
Caused by the government or
regulator
Increase costs of doing business,
restrict activities or affect the
competition
Anticipate changes in laws and
regulations
Compliance risks
Potential loss caused by a breach of
an internal standard, contract, law,
regulation or ethical value
Caused by internal controls failures,
a defective transaction or a legal
claim
Accidental, deliberate or negligent
misconduct breaches
Fines, payment of damages, voided
contracts, or affect the reputation
Prevention and contingency plans
Risks in obligations
Contractual risks
Potential breach in current and future
contracts
Contracts with customers and
vendors
Includes the concession contracts
Big source of regular risks
Controlling that contract terms are
clear and realistic for the business
Non-contractual risks
Fails to meet the duty of care to
customers, markets, environment or
staff
Applied by actions of regulators and
law enforcement authorities
Includes the corporate criminal
liability
Ethical risks
an organization can technically comply with all laws but could
still be #unethical
created by the stakeholders‘ expectations
corporate voluntary commitments
depends on the tone at the top
values, transparency, open door communication, sustainability, diversity, social responsibility
controls to meet ethical standards are owned by the
compliance function
related to corruption, fraud and human rights risks
Why are compliance risks taken?
What you see
Controls
Compliance rules
Risk policies
What you don´t see
Culture
Tolerance
Motivation
Pay structure
Value statements
Strategy
documents
Assumptions
Personal values
Relationships
No control can
compensate
for a bad
culture
Stakeholders of compliance
shareholders
government and regulators
investors and potential acquirers
banks and rating agencies
employees, candidates and unions
customers
business partners and suppliers
the media
potential plaintiffs
local communities and NGOs
Expectations of
They want the company to
explicitly address ethics
and compliance risks
Materiality matrix
Axes: impact on the company's business (low to high) against importance for stakeholders (low to high)
Topics plotted: consumer protection, labor management, environmental and CO2 reduction policies, corporate citizenship and transparency, corporate governance, legislation and regulation, health and safety, human rights, sustainable supply chain, anti-bribery, data protection, product safety
Stakeholders of compliance
Discussion case: voluntary commitments
Compliance risk map (heat map)
Easy to visualize the risk
profile and facilitate
communications
Two-dimensional matrix
→ impact * frequency
axis
Level of risk → scale
levels in red/yellow/green
Boundaries linked to the
risk tolerance
Axes: probability and impact
AKA: Probability Impact Diagram or Matrix
Compliance risk map (heat map)
More actionable than a
list of risks
Bubble color may be
used to show the control
efficiency for each risk
Visualize risks in relation
to others → priority for
mitigation actions
Example heat map axes: probability and impact; risks plotted: anti-trust, anti-bribery, fraud, labor laws, privacy laws
Let´s practice
Help Uber to get a compliance
heat map
Licenses to operate
Bribery laws
Competition laws
Privacy laws
Employment laws
…..
Homework: use MS Excel to simulate a control level on the probability/impact map
Discussion case
U.S. Federal Sentencing
Guidelines for Organizations
conducting robust compliance risk
assessments
establishes the potential for credit or
reduced fines and penalties
when an organization is found guilty of a
compliance failure
Discussion case
However, 39% of organizations are
not performing an annual
compliance risk assessment
Let´s discuss causes
compliance risks cannot be combined
with the global ERM risk assessments
compliance culture is reactive (fines,
whistleblowing, audit findings, litigations) rather than
preventive
Guess the company
Compliance and control risks
Ethical misconduct and legal or regulatory non-compliance Ethical misconduct or breaches of
applicable laws or regulations could damage our reputation, adversely affect operational
results and shareholder value, and potentially affect our license to operate. Our code of
conduct and our values and behaviors, applicable to all employees, are central to managing
this risk. Additionally, we have various group requirements and training covering areas such
as anti-bribery and corruption, anti-money laundering, competition/anti-trust law and
international trade regulations. We seek to keep abreast of new regulations and legislation
and plan our response to them. We offer an independent confidential helpline, OpenTalk, for
employees, contractors and other third parties. Under the terms of the 2012 plea agreement
with the US government and the 2014 settlement with the US Environmental Protection
Agency, an ethics monitor is reviewing and providing recommendations concerning BP’s
ethics and compliance program.
1 2 3
Guess the company
Regulatory and compliance risks
The company is subject to regulatory and compliance risks, which may expose it to
investigations by governmental authorities, litigation and fines, in relation, among other things,
to its pricing and marketing practices or other antitrust matters. The resolution of such matters
could negatively affect the profitability and cash flows in a particular period or harm its
reputation. The company may be subject to exacting scrutiny from regulatory authorities and
private parties, particularly regarding its trade practices and dealings with customers and
counterparties. Subsidiaries are currently and in the future may be subject to legal
proceedings, the resolution of which could negatively affect the profitability and cash flows in
a particular period. The company operates in a global environment, and, at a time of
increased enforcement activity and enforcement initiatives worldwide, its business straddles
multiple jurisdictions and complex regulatory frameworks, including to the area of economic
sanctions.
1 2 3
Guess the company
Internal controls and compliance risks
Regulators may limit our activities, including through the application of increased capital and
liquidity requirements, customer protection and market conduct regulations in which we may
operate or invest. Such limitations can have a negative effect on our business and our ability
to implement strategic initiatives. The internal control systems cycle monitors and analyzes
significant legal and compliance risks, sets limits, caps and triggers on specific businesses to
control significant operational risk exposure, and reviews and assesses the appropriateness
and efficiency of the internal control systems, particularly with regards to valuation risks and
the new business approval process. The audit committee maintained a focus on compliance
topics through briefings at meetings by the Chief Compliance and Regulatory Affairs Officer
on key compliance risks and associated internal controls, as well as dedicated sessions on
specific topics, such as know-your-customer and anti-money laundering requirements, market
conduct and global client tax compliance programs.
1 2 3
Guess the company
Regulatory requirements and compliance risks
As we expand our operations, we will be subject to additional laws in other jurisdictions where
our merchants, consumers, users, customers and other participants are located. Our
continued expansion into cloud computing services will also increase the number of parties
who host data on our system, which will present increased challenges and risks in relation to
data protection and data privacy. Any failure, or perceived failure, by us to comply with our
privacy policies or with any regulatory requirements could result in proceedings or actions
against us by governmental entities or others. A greater attention, scrutiny and enforcement,
including more frequent inspections, could increase our compliance costs and, subject us to
heightened risks and challenges associated with data security and protection. Regulatory
requirements and compliance risks as well as publicity risks that we become subject to as a
result of acquisitions of businesses in new industries or geographic areas or otherwise,
especially for acquisitions of public companies.
1 2 3
Gross and net risks
Inherent risk
assessed level of untreated risk
activity without any control or
insurance
before considering the effectiveness
of internal controls
considers the failure of all related
controls
by external auditors and insurance
theoretical, high degree of judgment
Residual risk
assessed level of treated risk
activity with current controls
after the current (or desired) level of
control (ie. after insurance)
by risk managers
current controls can be identified
and audited for their design and
efficiency
Gross and net risks
Inherent
Residual
Current
Residual
Desired
Inherent risk excludes all controls:
No budgetary control
No segregation of duties
No compensating controls
No tone at the top
… no passwords, no locking doors!
... no compliance department!
Some risk practitioners include high-level
controls for inherent risk or link inherent risks
to the efficiency of current controls (i.e. weak
current controls mean high inherent risks)
Example: University of Washington
Risk-taking in compliance
Risk capacity
maximum level of risks that a company can assume
without deliberately violating a law or regulation
critical consequences in terms of compliance breach
costs or the impact on strategic objectives or
reputation
Risk tolerance
level of risks that a company wants to accept
set by the board, needed to meet objectives
influenced by legal or regulatory requirements
communicated:
quantitatively: in terms of a single value
“zero tolerance for fraud or corruption”, or
qualitatively: in terms of acceptable or unacceptable outcomes
depends on the investment returns and strategy
exceeding the tolerance will trigger a management
action
Risk tolerance
is not what
you say or
write… is
what you do
Discussion French Anti-corruption
Agency Guidelines
The only way to reduce the compliance
risks to zero is by closing the business
We manage risks, not security
Risk-taking in compliance
Discussion
How can a company increase its
capacity to assume compliance
risks?
How does the company communicate its
tolerance for compliance risks?
For fraud and corruption
For conflicts of interest
For legal claims
For fines
Thresholds for approving transactions
Expressed in granting resources for compliance
Can they be used for monitoring key indicators?
Risk-taking in compliance
Risk profile
all risks that affect the company
shaped by the industry
Risk exposure
total exposed amount of risk
multiplying the probability of a noncompliance
event by its potential losses
useful to compare against the risk tolerance
Perceived risks
how employees think about risks according to their
experience and interests
Biases create gaps between perceived and actual
risks
Risk-taking in compliance
The “third variable” to be shown as
bubble color, size or shape
Control efficiency
how well the controls are designed and performed
clear and trained policies and procedures
Risk velocity
how fast the company is impacted by the
noncompliance event
Risk persistency
how long the company is impacted
Level of understanding
how well this risk can be predicted
Risk-taking in compliance
Risk granularity
how detailed the risks are managed
show how risks are concentrated and managed
together
determines the level of resources in assessing risks
requires a consolidation method
By...
category (corruption, environmental)
activity (solar, wind, waste)
jurisdiction (Spain, US, domestic, international)
business unit (HQ, shared services)
ownership (sales, finance, contracting)
source (internal, third party)
Risk hierarchy
Top
risks
Enterprise
risks
Business risks
Project risks
Responsible Accountable
Executive
directors
Board
Compliance
committee
Business and
functional VPs
Executive
directors
Business
directors
BU directors
Project leaders BU directors
Top-down
Bottom-up
Accountability
Monitoring
Assurance
Monitoring action
plans
Risk identification
Action plan
implementation
Control performance
Level of control
Controllable risks
good corporate governance
management review
policies and procedures
delegation of authority
authorization levels
segregation of duties
evaluation for new investments
training
Uncontrollable risks
can not be prevented or
minimized
if possible, covered by insurance
human error
complex systems
social media
some third party risks
interconnected global economy
Why do cars need brakes?
To go faster!
Compliance controls are set to accelerate growth
Tendencies for compliance risks
Direct factors
Increase complexity of laws and
regulations
Regulatory rigor to protect
consumers
International coordination of
regulators
Enhanced disclosure measures
and transparency
Indirect factors
Media scrutiny for compliance
scandals
Global impact on reputation in
multinational companies
Growing awareness among
consumers of their rights
Technological advancements
and cyber risks
How is
compliance
addressing
these new
risks?
Compliance and personal assistants
Compliance and business intelligence
Exploit big data
reporting
dashboards
querying data
statistical inferences and
trends
alarms
Machine learning
reduce false positives
“also look for”
unsupervised deep
learning
Benefits
real time
monitoring
full and
interactive
investigation
visualization
audit trails
less false
positives (listed
OFAC, KYC)
Data
warehouse
Reports
Alarms
other
files
Compliance and robotics
Mimic rules-based activities
ask for data
retrieve data
testing transactions
against rules and laws
compile documentation
review calculations
Automate decision-making
workflows
approvals
Benefits
productivity
low op. cost
no errors
full scope
24-hours
Compliance and blockchain
Securing data
legitimate transactions and
ownership
verify information
checking platforms with
business rules
trade confirmations
settlement (legal points)
Keep records
smart contracts
distributed ledgers
Benefits
standardized
compliance
contract, tax,
data privacy
compliance
data quality
audit proof
Cryptographic
verification
Blocks
Part of a chain
Token to proof
ownership
Compliance risks cover
the “known unknowns”…
and the “unknown unknowns”
How to assess risks?
2
ISO 31000 2018
scope, context, criteria
assessment
treatment
recording and reporting
communication
consultation
monitoring
review
identification
analysis (i*f)
evaluation
ranking
Non-certifiable principles
risk management policy
objectives and leadership
by top management
focus on strategies
iterative process
feedback from the
external environment
different methods to
identify risks (ISO 31010)
When to assess compliance risks?
Standalone
before creating an ethics and
compliance program
annual updates to evaluate the
efficiency of
large organizational changes
• acquisitions and changes in strategies
• reorganizations
• new products
• operations in new countries
• changes to compliance obligations
• noncompliances
Using synergies
part of the global risk
assessment (recommended
integrated approach)
when evaluating fraud risks
(SOX, internal audit)
part of a data protection impact
assessment under the GDPR
in quality, environmental and
information security initiatives
Roadmap
Planning
buy-in, scope, resources, participants
Assessing
risks identification and valuation, analysis,
action plans
Reporting
risk communication and monitoring, result
evaluation, improvement
Get the buy-in from the board
link the risk assessment to the planned decisions and sensitive
risks for the board and top management (e.g. cyber-security)
board members are responsible for the ownership of top risks
adjust the risk methodology to the maturity of the company
culture
inform about the project's confidentiality
explain that the assessment will offer new resources for
managing compliance risks
more budget, training, top level support
1
Get the buy-in from the board
How to “sell” the assessment?
focus the ethics and compliance program
prioritize controls, training and budget to key controls
identify factors that are likely to affect the reputation
create awareness of compliance breaches and threats
clarify responsibilities in managing requirements
understand compliance requirements and controls
de-risk processes and contracts
identify the constraints for the assessment
1
Identify the risk universe
define the scope of the risk assessment
simple categories of compliance risks to assess
sorted by categories and sub-categories
spotting broad areas of risks customized for your company
no “one-size-fits-all”
based on the list of regulations, laws, standards and obligations
allow to consolidate similar risks
work as accounts in accounting
lead to better reporting to the stakeholders
2
Identify the risk universe
Desktop review to understand the context
2
External
breaches by competitors, industry
reports, news on compliance
breaches, regulator reports, external
advice, regulatory investigations (for
peer companies or beyond),
proposed regulations and rules
Internal
statistics of litigation, fines and
claims, helpline use and
investigations, customer complaints,
audit reports, frauds, insurance
claims, contract breaches,
compliance narratives, compliance
exception reports, policy waivers,
current contracts, future commercial
plans, compliance tasks in job
descriptions, culture surveys
Identify the risk universe
2
Ethics: anti-bribery laws, fraud, conflict of interests, insider trading
Service delivery: export controls, restricted transactions, 3rd party management, document retention
Environmental: emission and waste, product safety, hazardous materials, labor laws
IT: data security, privacy (GDPR / HIPAA), IT vendor compliance, certifications
Identify the risk universe
Categories and sub-categories
2
Fraud
  Corruption
    Conflicts of interest: purchasing schemes, sales schemes
    Bribery: bid rigging, invoice kickbacks
  Asset misappropriation
    Theft of cash on hand
    Theft of cash receipts: cash larceny, skimming
    Fraudulent disbursements: payroll schemes, billing schemes, expense reimbursement, check tampering
    Inventory and other assets: misuse
  Financial statements fraud
    Revenue and asset overstatements
    Liability and expense understatement
AKA: risk domains, taxonomy, typologies,
areas, types or families
Tip: link the categories to types of objectives
Identify the risk universe
2
Let´s practice
Good news! You have been appointed as the new compliance
officer and you need to sort the following sub-categories into:
1- Ethical risks, managed by the CEO
2- Cyber security risks, managed by the CISO
3- Financial reporting risks, managed by the CFO
4- Safety and environmental risks, managed by QHM
5- People risks, managed by the CHRO
6- Commercial risks, managed by the COO
Identify the risk universe
2
Anti-trust and consumer
protection
Anti-money laundering
Financing terrorism
Conflict minerals
Government contract
Sales and marketing laws
Credit and collection laws
Contract management
Animal testing
Anti-boycott
Litigation
Quality standards
License and permits
Fair trading
Tax and transfer pricing
SOX and financial
reporting
Political contributions
Identify the risk universe
2
Intellectual property
Donations
Sponsorship
Advertising
Human rights
Non-financial reporting
and disclosure
Currency exchange
controls
Product regulation
Whistleblowing
Product labeling
ISOs and in-house
standards
Sanctions and exclusions
Modern slavery
Diversity
Intellectual property
infringement
Business continuity
Identify the participants
3
Level of seniority
Board members, executive leadership and
CXOs, internal/external legal advisors,
managers, supervisors
HQs and subsidiaries
Business lines
Functional areas
Process owners, SMEs, auditors, risk
managers, HR, CSR, sales, purchasing, IT
External experts
Which
participants
should cover
the risk
universe?
The extent and level of detail
of the compliance risk
assessment are dependent on
the risk situation, context, size
and objectives of the
organization
They can vary for specific subareas
such as environment, financial and
social
ISO 19600 4.6
Design the assessment
4
The risk registry
database to communicate risks and action plans
to track, report, sort and filter risks and produce risk maps
calculates and consolidates metrics and indicators
access restricted for user types
check for double-counted risks
useful to compare with loss databases
risk and action plans should be approved and updated
AKA: risk library, inventory, database, log, tracker
Design the assessment
4
Solutions for a risk registry
Dedicated
compliance or
ERM solutions
Off-line On-line >
No software can compensate for the lack
of talent of a compliance officer
Design the assessment
4
Fields to consider
Unique risk number
Risk owner
Stakeholders
Business lines affected (risk scope)
Category (and sub-category)
Risk title (consequence + by + cause)
Risk statement or description of the event
Breached law, policy or compliance
requirement
Description of contingency controls
Impact value (score or EUR)
Risk sources (AKA factors)
Description of preventive controls
Description of past events (even by
competitors, loss experiences)
Detectability (how easy to detect)
Frequency value
Level of control (I*f)
Third variable (e.g. risk velocity)
Treatment strategy (4Ts)
Action plans for mitigation (tasks, due
dates, investment, owner)
Date of identification
Key risk indicators
Risk status and evolution
Design the assessment
4
Risk registry fields
Risk universe
Risk class | Risk description | Impact | Frequency (3 years)
Anti-bribery | The anti-corruption laws may be violated by sales managers offering cash, gifts and other perks to public officers to illegally secure a government contract | €100k | 10%
Fraud | The code of conduct may be breached by procurement staff buying overpriced or nonexistent goods to get a kickback | €20k | 10%
Conflict of interests | The code of conduct may be breached by employees using company time and assets for an undeclared second job | €10k | 20%
3rd Party management | GDPR may be breached by IT cloud vendors improperly transferring personal information of our clients | €20k | 10%
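The registry rows above, worked through in code: this is an added example, not part of the slides, that stores the rows in a minimal registry, computes the level of risk as impact * frequency, applies an assumed control efficiency to get a residual exposure, ranks the risks, colours them on a red/yellow/green heat map and consolidates them by category. The control efficiencies, the tolerance boundaries and the fifth row (R5) are constructed for the example and do not come from the slides.

```python
# Added example, not from the slides: a minimal risk registry that computes the
# level of risk as impact * frequency, ranks risks, places them on a
# red/yellow/green heat map bounded by an assumed tolerance, and consolidates
# residual exposure by category.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str           # unique risk number
    category: str          # risk class from the risk universe
    description: str       # risk statement: consequence + by + cause
    impact_eur: float      # impact value per event, in EUR
    frequency: float       # probability of occurrence over the 3-year horizon (0..1)
    control_efficiency: float = 0.0  # assumed share of exposure removed by current controls (0..1)

    @property
    def inherent_exposure_eur(self) -> float:
        """Level of risk before controls = impact * frequency."""
        return self.impact_eur * self.frequency

    @property
    def residual_exposure_eur(self) -> float:
        """Exposure after current controls (assumed linear reduction)."""
        return self.inherent_exposure_eur * (1.0 - self.control_efficiency)


# The four rows of the registry above; control efficiencies are assumed.
# R5 is a constructed extra row so that one category has two risks to consolidate.
REGISTRY = [
    Risk("R1", "Anti-bribery", "anti-corruption laws violated by sales managers offering perks to public officers", 100_000, 0.10, control_efficiency=0.5),
    Risk("R2", "Fraud", "procurement staff buying overpriced or nonexistent goods for a kickback", 20_000, 0.10, control_efficiency=0.3),
    Risk("R3", "Conflict of interests", "employees using company time and assets for an undeclared second job", 10_000, 0.20, control_efficiency=0.0),
    Risk("R4", "3rd Party management", "IT cloud vendors improperly transferring clients' personal information", 20_000, 0.10, control_efficiency=0.6),
    Risk("R5", "Fraud", "(constructed) travelling staff inflating expense reimbursement claims", 5_000, 0.30, control_efficiency=0.2),
]

# Assumed tolerance boundaries (EUR of residual exposure) for the heat-map colours;
# the slides say the boundaries are linked to the risk tolerance but give no figures.
GREEN_MAX_EUR = 1_500
YELLOW_MAX_EUR = 4_000


def heat_map_colour(exposure_eur: float) -> str:
    """Map an exposure to a heat-map zone using the assumed boundaries."""
    if exposure_eur <= GREEN_MAX_EUR:
        return "green"
    if exposure_eur <= YELLOW_MAX_EUR:
        return "yellow"
    return "red"


def rank_risks(risks):
    """Highest residual exposure first: the risks requiring most attention."""
    return sorted(risks, key=lambda r: r.residual_exposure_eur, reverse=True)


def consolidate_by_category(risks):
    """Sum residual exposure per category (risk granularity: where similar risks concentrate)."""
    totals = defaultdict(float)
    for r in risks:
        totals[r.category] += r.residual_exposure_eur
    return dict(totals)


def above_tolerance(risks, tolerance_eur: float):
    """Risk ids whose residual exposure exceeds the tolerance, which should trigger a management action."""
    return [r.risk_id for r in rank_risks(risks) if r.residual_exposure_eur > tolerance_eur]


if __name__ == "__main__":
    for r in rank_risks(REGISTRY):
        print(f"{r.risk_id} {r.category:<22} inherent €{r.inherent_exposure_eur:>8,.0f} "
              f"residual €{r.residual_exposure_eur:>8,.0f} {heat_map_colour(r.residual_exposure_eur)}")
    print("by category:", consolidate_by_category(REGISTRY))
    print("above tolerance:", above_tolerance(REGISTRY, YELLOW_MAX_EUR))
```

The residual calculation is the same arithmetic the inherent/residual slides describe, with the control efficiency reduced to a single assumed number per risk; in a real registry that number comes from the audited design and performance of the controls, not from a guess.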
How do I identify risks?
Interviews with risk
owners
Compliance risk
self assessment
Risk workshops
Compliance risk self assessment
confidential questionnaires based on the risk universe
circulated to the participants on the scope
general for the company or adjusted by area or function
participants complete their perceptions about
compliance risks
spot attention areas, but not how compliance risks are
materialized and controlled
Compliance risk self assessment
Columns: Question | Comments | Yes/No/NA | Support or test
Is strict control maintained over the transfer of personal information?
Is personal data classified to determine sensitive data?
Do you receive guidance and training about how to manage privacy risks and to comply with obligations about personal information (e.g. GDPR, HIPAA)?
Do you have effective methods to limit the access to personal data to what is needed for fulfilling tasks?
Interviews with risk owners
one on one meetings with participants on the scope
allows a guided and detailed collection of risks
allows the collection and discussion of evidence of materialized
risks (e.g. loss statistics)
provide background information before the interview
great level of understanding
avoid biases and perceived risks
could be supported by analyzing risks in flowcharts
Interviews with risk owners
What to ask…
what can prevent your department from meeting compliance requirements?
what are the biggest risks facing the company and/or your
department now? In the next three years?
what key processes are at the greatest risk?
what compliance missteps could cause you to miss the annual
targets?
in what areas would you benefit from additional controls, policies and
compliance training?
Interviews with risk owners
What to ask…
what compliance and ethics issues do you frequently face in your
job?
which compliance breaches, wrongdoing and issues have materialized
in the past?
what are the compliance requirements that the company and/or your
department is not addressing very well?
what kinds of risks could emerge in the future?
Risk workshops
wide range of perceptions about risks and their controls
ensure the consistency of the assessment and
ownership of action plans
provide background information before the workshop
data driven to avoid subjective discussions
internal audit can validate the efficiency of current
controls
legal can validate the impact assessment
can be done after the interviews
How do I value risks?
Quantitative
assessment
Qualitative
assessment
Quali-quantitative
assessment
Qualitative assessment
uses a numeric pre-defined ranking (AKA risk criteria, score or
rating scale)
is based on stakeholders inputs and judgments
(adjectives, lack of analytical rigor)
impact from minor to catastrophic compliance breach
scales: 1 very low, 2 low, 3 moderate, 4 high, 5 very high
frequency from rare to almost certain
produces a 5*5 or 7*7 heat map
useful when lacking time, knowledge or budget to
assess risk, initial assessment, 3P due diligence
Qualitative assessment
Impact scale (levels 1 to 4)
Regulatory: 1 possible interest from regulators; 2 heightened interest from regulator, possible investigation; 3 regulator investigations, probable fine and public censure, regulatory probation; 4 regulator fine and potential business closure, massive recall
Legal: 1 threats of litigation or small compensations; 2 numerous minor litigation and default notices in contracts; 3 numerous litigations and contract defaults; 4 numerous major litigations and termination of contracts
Reputational: 1 local headlines for less than a week; 2 national headlines, customer complaints; 3 international headlines, individual actions, class actions possible; 4 sustained international coverage, large loss of customers
Frequency scale: 1 unlikely; 2 occasional; 3 likely; 4 frequent
Qualitative assessment
Words of estimative probability
Known to be misleading since 1964 (Sherman Kent study)
Quantitative assessment
calculate single potential loss in monetary value (EUR)
and its probability (%)
predicts likely outcomes in monetary value (an
approximation)
models to facilitate calculations
statistical methods, loss databases, fines
useful to justify countermeasure costs, analyze key
risks, use available data, need to reduce the subjective
level, needs for consolidation, in a mature compliance
culture
Quantitative assessment
Where is the data?
amount of fines in a period
losses for legal proceedings
accruals for legal contingencies
tax, client and vendor disputes and claims
fraud losses
Quali-quantitative assessment
hybrid approach (AKA semi-quantitative)
links both qualitative and quantitative assessments
pre-defined conversion of reputational, operational,
safety impacts into a monetary value (multi-criteria
analysis)
assessments remain done on a qualitative basis
acceptable level of bias
Quali-quantitative assessment
Impact scale (levels 1 to 4)
Regulatory: 1 possible interest from regulators; 2 heightened interest from regulator, possible investigation; 3 regulator investigations, probable fine and public censure, regulatory probation; 4 regulator fine and potential business closure, massive recall
Legal: 1 threats of litigation or small compensations; 2 numerous minor litigation and default notices in contracts; 3 numerous litigations and contract defaults; 4 numerous major litigations and termination of contracts
Finance (cost per event): 1 0-100k EUR; 2 100-250k EUR; 3 250k-1M EUR; 4 > 1M EUR
Frequency scale: 1 unlikely; 2 occasional; 3 likely; 4 frequent
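The scale above, turned into a scoring routine: an added example, not from the slides, that takes the level (1 to 4) given on each impact row, combines the rows with a multi-criteria rule, places the result on the 4*4 heat map and converts it into a monetary value using the finance bands on the scale. The "worst row wins" rule, the zone boundaries, the use of band midpoints and the annual probabilities behind the frequency labels are assumptions made for the example; the slides only give the bands and the labels.

```python
# Added example, not from the slides: score a compliance risk on the 4-level
# qualitative scale above, place it on the 4*4 heat map, and convert the score
# into a monetary value (quali-quantitative assessment).
from dataclasses import dataclass

# Finance bands per impact level, from the scale above (EUR cost per event);
# the top band is open-ended.
FINANCE_BAND_EUR = {
    1: (0, 100_000),
    2: (100_000, 250_000),
    3: (250_000, 1_000_000),
    4: (1_000_000, None),
}
FREQUENCY_LABEL = {1: "Unlikely", 2: "Occasional", 3: "Likely", 4: "Frequent"}
# Assumed annual probability behind each frequency label (not on the slides).
FREQUENCY_PROB = {1: 0.05, 2: 0.20, 3: 0.50, 4: 0.90}


@dataclass(frozen=True)
class QualitativeRating:
    regulatory: int    # 1..4 on the regulatory row of the scale
    legal: int         # 1..4 on the legal row
    reputational: int  # 1..4 on the reputational row
    frequency: int     # 1..4: unlikely .. frequent

    def __post_init__(self):
        for name in ("regulatory", "legal", "reputational", "frequency"):
            value = getattr(self, name)
            if value not in (1, 2, 3, 4):
                raise ValueError(f"{name} must be 1..4, got {value!r}")


def impact_score(rating: QualitativeRating) -> int:
    """Multi-criteria rule (assumption): the worst-rated dimension sets the impact level."""
    return max(rating.regulatory, rating.legal, rating.reputational)


def risk_level(rating: QualitativeRating) -> int:
    """Qualitative level of risk = impact * frequency, one cell of the 4*4 heat map (1..16)."""
    return impact_score(rating) * rating.frequency


def heat_map_zone(rating: QualitativeRating) -> str:
    """Assumed zone boundaries: green up to 4, yellow up to 8, red above.
    A level-4 impact is never green, so a rare but catastrophic breach is not
    hidden by the multiplication with a low frequency."""
    level = risk_level(rating)
    zone = "green" if level <= 4 else "yellow" if level <= 8 else "red"
    if impact_score(rating) == 4 and zone == "green":
        zone = "yellow"
    return zone


def monetary_impact_eur(score: int) -> float:
    """Pre-defined conversion of an impact level into EUR: the band midpoint;
    the open-ended top band uses its floor (assumption)."""
    low, high = FINANCE_BAND_EUR[score]
    return float(low) if high is None else (low + high) / 2


def semi_quantitative_exposure_eur(rating: QualitativeRating) -> float:
    """Monetary exposure = converted impact * assumed annual probability."""
    return monetary_impact_eur(impact_score(rating)) * FREQUENCY_PROB[rating.frequency]


if __name__ == "__main__":
    r = QualitativeRating(regulatory=2, legal=1, reputational=3, frequency=2)
    print("impact", impact_score(r), "level", risk_level(r), heat_map_zone(r),
          FREQUENCY_LABEL[r.frequency], f"€{semi_quantitative_exposure_eur(r):,.0f}")
```

The escalation of level-4 impacts in heat_map_zone is there because a plain impact * frequency product scores a catastrophic but unlikely breach the same as a minor and occasional one; the scenario assessment slides make the same point about long-term sustainability risks, so the rule is worth making explicit in whatever scoring tool the assessment uses.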
Scenario assessment
1. Base case: best guess, the most-likely scenario
2. Average of scenarios: (Worst case + Best case) / 2
3. Triangular distribution: (Worst + (Base * 3) + Best) / 5
Monte Carlo simulation: software runs 10k+ iterations over the scenarios E1, E2, ..., En
Scenario assessment
Frequency
Risks affecting the
corporate sustainability
in the long term
Operational losses by
no relevant compliance
breaches
Non-routine and
material losses
Impact
Frequency
Impact–to+
Base case
Best case
Worse case
Prudential regulations in banking are
increasingly demanding the
assessment of worse plausible
scenarios (extreme risks)
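The following is an added worked example, not code from the original deck: it applies the three-point estimate shown above (worst + 3 × base + best) / 5 to a few compliance loss scenarios and then runs the Monte Carlo simulation the slides describe, drawing per-event losses from a triangular distribution. The scenario figures are constructed for illustration, and the assumption that events arrive with a Poisson frequency is mine, not the deck's (the slides only speak of "frequency"). The output is an annual loss distribution from which the mean, the percentiles and the probability of exceeding a risk tolerance threshold can be read, which is what the quantitative approach needs to justify countermeasure costs.

```python
"""Scenario-based quantitative compliance risk assessment.

Added example (not from the original deck): combines the three-point
scenario estimate shown on the slides with a Monte Carlo simulation of
annual losses. Scenario figures below are constructed for illustration.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    name: str
    best: float             # best-case loss per event, EUR
    base: float             # base (most likely) loss per event, EUR
    worst: float            # worst plausible loss per event, EUR
    events_per_year: float  # expected frequency of the event

    def three_point_estimate(self) -> float:
        """Per-event estimate with the deck's weighting: (worst + 3*base + best) / 5."""
        return (self.worst + 3 * self.base + self.best) / 5

    def mean_severity(self) -> float:
        """Analytical mean of a triangular distribution: (best + base + worst) / 3."""
        return (self.best + self.base + self.worst) / 3


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Number of events in one simulated year (Knuth's algorithm; the stdlib
    has no Poisson sampler). Assumption: arrivals are Poisson with mean lam."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def expected_annual_loss(scenarios) -> float:
    """Closed-form check for the simulation: sum of frequency x mean severity."""
    return sum(s.events_per_year * s.mean_severity() for s in scenarios)


def simulate_annual_loss(scenarios, iterations: int = 10_000, seed: int = 1) -> list:
    """Monte Carlo: for each simulated year draw the event count per scenario,
    then a triangular severity for every event. Returns the sorted annual totals."""
    rng = random.Random(seed)
    totals = []
    for _ in range(iterations):
        year_loss = 0.0
        for s in scenarios:
            for _ in range(sample_poisson(rng, s.events_per_year)):
                # random.triangular(low, high, mode)
                year_loss += rng.triangular(s.best, s.worst, s.base)
        totals.append(year_loss)
    totals.sort()
    return totals


def percentile(sorted_totals, q: float) -> float:
    """Nearest-rank percentile on an already sorted list (0 <= q <= 1)."""
    idx = round(q * (len(sorted_totals) - 1))
    return sorted_totals[idx]


def exceedance_probability(sorted_totals, threshold: float) -> float:
    """Share of simulated years whose total loss exceeds the risk tolerance."""
    return sum(1 for t in sorted_totals if t > threshold) / len(sorted_totals)


# Constructed scenarios (illustrative figures, not data from the deck).
SCENARIOS = (
    LossScenario("Gift and entertainment policy breach", 5_000, 20_000, 80_000, 6.0),
    LossScenario("Bribery by a third-party agent", 200_000, 900_000, 5_000_000, 0.1),
    LossScenario("Personal data breach (GDPR)", 50_000, 300_000, 2_000_000, 0.3),
)


def summarize(scenarios=SCENARIOS, iterations: int = 10_000, seed: int = 1) -> dict:
    """Key figures a compliance officer would put in front of the board."""
    totals = simulate_annual_loss(scenarios, iterations, seed)
    return {
        "expected_annual_loss": expected_annual_loss(scenarios),
        "simulated_mean": statistics.fmean(totals),
        "p50": percentile(totals, 0.50),
        "p95": percentile(totals, 0.95),  # a "worst plausible" year
        "p99": percentile(totals, 0.99),
    }


if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name}: three-point estimate {s.three_point_estimate():,.0f} EUR per event")
    for key, value in summarize().items():
        print(f"{key}: {value:,.0f} EUR")
```

Two practical notes. The deck's weighting (1, 3, 1 over 5) is not the classic PERT estimate, which is (best + 4 × base + worst) / 6; whichever weighting the policy adopts, document it and apply it consistently across risk owners, otherwise estimates from different business units cannot be consolidated. And the closed-form expected annual loss is worth keeping next to the simulation: if the simulated mean drifts far from it, the scenario inputs or the sampler are wrong, not the risk.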
Compliance risk assessment policy (step 4)
document the risk assessment methodology
supporting a company-wide global risk policy
simple, realistic and auditable
approved by the board
accountability and responsibility
reporting process
measure performance
Evaluate and prioritize risks (step 5)
identify which processes, business units or activities are most vulnerable to an ethics and compliance breach
focus the treatment on the highest relative potential impact compared against the risk tolerance
consolidate by category to identify accumulations of similar compliance risks and their interactions
review the consistency of the assessment
sort by exposure (risk velocity indicates the treatment urgency)
Identify action plans (step 6)
enables a business conversation about mitigation alternatives
respond to significant risks by improving the ethics and compliance program
prevention plans by resourcing controls
contingency plans by planning reactions
clear ownership, due dates and tasks
revise responsibilities, budgets, policies, training, 3P due diligence
document decisions
Identify action plans (step 6, continued): treatment options
Transfer: insurance, outsourcing, liability clauses in contracts
Terminate: ceasing the activity affecting the corporate sustainability, leaving a jurisdiction
Tolerate: frequent monitoring, emerging regulation
Treat: preventive and corrective internal controls, or remove the sources
Treatment is documented in prevention plans and contingency plans
Black swans: remote and hard-to-predict catastrophic events
Prevention plans
policies and procedures
segregation of duties
authorizations and supervision
checklists
training and compliance audits
Contingency plans
crisis protocol
self-disclosure
corporate defense
investigation policy
The risk-based approach to compliance management does not mean that noncompliance is accepted by the organization in low compliance risk situations. It assists organizations in focusing on higher risks as a priority, and ultimately will cover all compliance risks. All identified compliance risks should be subject to monitoring and corrective action.
ISO 19600 4.6
Identify action plans (step 6, continued)
Example action plans for bribery risks
revise policies addressing anti-bribery laws
design training for sales personnel dealing with government customers
issue guidance on how to hire and retain foreign agents
require approvals for sales to a foreign government
require preapproval for gifts and entertainment
develop and monitor gift and entertainment reports
audit and monitor risk mitigation efforts
If you want
something to be
done, ask a person.
If you want
something to fail,
assign it to a
committee.
Case: circumventing controls
Credit Suisse AG includes training on regulatory updates as part of its compliance program
3 executives gave their logins to secretaries to complete the eLearning exercises for them
It was discovered during a regulator audit
How should the risk of circumventing controls be mapped?
Three bankers in the Swiss
bank's loan-bundling unit got
administrative assistants to
complete required compliance
training courses on their
behalf. As punishment, they
had to give back a portion of
their 2015 bonuses.
Communicate the assessment (step 7)
have the assessment approved by top management
report to all stakeholders
tailor reports for each type of stakeholder and risk owner
reader-centered reports by function, by business unit and consolidated
executive summary, heat maps, risk lists, dashboard, KRIs, supplemental information and aggregated workshop discussions
define target metrics associated with the risks
highlight interrelated risks
Monitor risks and action plans (step 8)
continuously monitor that risks are treated according to the action plan
use progress reports on the effectiveness of the action plans
use key compliance risk indicators
compare the assessment against actual losses
update the risks, at least annually, to adjust risk perceptions
assess control effectiveness by partnering with internal audit
identify emerging risks
revise the compliance risk policy and framework
Example in software
OECD Corruption Risk Assessment
Example Tullow Oil
US Organizational Sentencing Guidelines
Risk assessments need to be made at all stages of the
development, testing, and implementation of a compliance
program to ensure that compliance efforts are properly
focused and effective.
To benefit from an effective compliance program and the
reduction in the culpability score, the organization shall
periodically assess the risk of criminal conduct and shall take
appropriate steps to design, implement, or modify each (of the
components of an effective compliance and ethics program) to
reduce the risk of criminal conduct identified through this
process.
US Organizational Sentencing Guidelines
Prioritize periodically the elements of the program in order to
focus on preventing and detecting the criminal conduct
identified in the risk assessment process as most likely to
occur
What is expected?
A reasonable risk based approach
Stronger controls addressing higher risks
Consistent application of controls to risks
Documenting the risk assessment
Periodic review of the risk analysis
Potential impacts to assess (impact on the profit and loss, before taxes)
Penalties, fines and punitive damages
Private settlements
Legal fees and investigation costs
Product liabilities and recalls
Disadvantage with suppliers
Withdrawal of capital
Increased staff rotation
Increased costs
Loss of revenue, voided contracts
Loss of market capitalization
Compliance risk radar
Quadrants: Regulatory | Legal | Ethics | Contract
inability to prevent a personal data breach (GDPR)
lack of regulatory certainty on new markets
failure to perform concession obligations
inability to prevent corruption by 3Ps
failure to resolve tax disputes
poor controls to prevent accounting fraud
violation of IP rights in vendor agreements
poor anti-bribery controls in public tenders
Tips for assessing compliance risks
avoid the paralysis of over-analysis: continuous improvement, start with a pilot or a group session
start with the major areas of requirements and expand the scope over time (by department, by seniority, by country, by risk category)
involve managers with practical experience in dealing with compliance requirements
explain that the exercise is future oriented
Tips for assessing compliance risks
Traditional legal approach
reactive when a breach already occurred
defense to minimize legal consequences
Compliance approach
preventive to avoid breaches
managing resources to address key risks
need for compliance risk assessments
The goal of assessing #compliance risks
is not to produce a colorful heat map…
but to improve the decision making
Case study Performing legal risk map
toolkit to set priorities
among different legal and
compliance risks
template to develop plans
to mitigate risks
focused on US companies
or multinational companies
with US operations
Discussion case: Bank Secrecy Act / Anti-Money Laundering (BSA/AML) Examination Manual
Risk assessment: identify and measure risks
- Products and services: retail vs. private banking; domestic vs. foreign accounts; merchant accounts vs. 3P payment processors
- Customers: face-to-face contact vs. electronic banking; financial institutions vs. non-banking institutions; politically exposed persons; nonresident aliens
- Geographic locations: tax havens, sanctioned jurisdictions
Develop applicable internal controls
- Policies and procedures: consolidated BSA/AML compliance risk assessment; reporting suspicious activity
- Systems and controls: customer identification program; customer due diligence
Should result in a risk-based BSA/AML compliance program
- Internal controls: risk-based controls to identify, research and report suspicious activity
- Audit: risk-based and independent
- BSA compliance officer
- Training
Pages 18 to 26
Discussion case: Bank Secrecy Act / Anti-Money Laundering (BSA/AML) Examination Manual
Bank examiners should evaluate the adequacy of the BSA/AML risk assessment
process
Review the bank’s BSA/AML risk assessment. Determine whether the bank
has included all risk areas, including any new products, services, or
customers, entities, and geographic locations. Determine whether the bank’s
process for periodically reviewing and updating its BSA/AML risk assessment
is adequate.
If the bank has not developed a risk assessment, or if the risk assessment is
inadequate, the examiner must complete a risk assessment.
Examiners should document and discuss the bank’s BSA/AML risk profile and
any identified deficiencies
Page 27
Discussion case
An organization contributes to
development through compliance
with laws and regulations
In some circumstances community groups' failure to operate
within the intended legal framework is a consequence of
poverty or development conditions. In these circumstances,
an organization that is involved with groups operating
outside the legal framework should aim to alleviate poverty
and promote development. An organization should also seek
to create opportunities that will enable these groups to
achieve greater, and ultimately full, compliance with the law,
especially concerning economic relationships.
ISO 26000 Social Responsibility 6.8.7.1
Risk culture
Initial: ad hoc; only sponsored by the compliance officer; reactive
Fragmented: narrow focus; different reporting channels for IT compliance, contract and criminal risks
Top down: compliance risk policy reaching many stakeholders; common reporting and treatment; understanding of most activities and controls; routine assessment
Mature: integrated approach; defined risk tolerance; consistent measuring, treatment and reporting; escalation procedures; scenario planning; key risk indicators
The compliance risk-taking culture takes a long time to change, but it is worth measuring
3P Risk Assessment
3rd party compliance
Third parties: joint venture partners; consortium partners; manufacturers; distributors and resellers; intermediaries and sales agents; marketing and sales agents; logistics and supply chain; contractors; tax, legal and business advisors; consultants; outsourced service providers; customs or visa agents; lobbyists
Risk factors: regulatory compliance; contract compliance; fraud risks
Risks: anti-money laundering; data privacy; export controls; anti-corruption; license and contract term controls; cost recovery; conflicts of interest; use of intellectual property
Examples of 3P risks
A distributor pays bribes to customs
officials to move goods across borders
A company´s supplier is not providing
safe work conditions or complying with
labor laws
An agent uses part of its fees to bribe
procurement officials to award a
contract to the company
A supplier offers a kick-back to a
company employee to award it a
contract
FCPA requires due
diligence in dealing
with 3Ps and
knowledge of red-flag
issues
around 90% of reported cases
involved third-party intermediaries
Discussion case: Carlos in Mexico
The new Mexican branch of your company is bidding on a public contract
The local law on public procurement is based on a statute detailing a complex bidding process, modified by many government decrees
Carlos, the local Sales Director, needs an advisor to navigate the public procurement process
A friend of his recommended Jose, who helps multinational companies with bidding regulations
Jose has a reputation for getting things done and appears to have a very good relationship with key people in the procuring public agency
There is no adverse information on Jose in the media or public databases
Carlos contacted you (corporate compliance officer) to identify 3P risks and controls
A company that pays bribes is no longer in control of its business
3P risks
Legal and regulatory: bribery; money laundering; financing terrorism; personal information; conflict minerals; reporting requirements; restricted transactions; labeling; labor and working conditions
Compliance: contractual; supply chain disruptions; IT security; health and safety; environmental; operational; quality
Discussion case: Rana Plaza
collapse of a garment-factory building: 3 floors added illegally above the original 5-floor permit
death toll of 1,134
customer demands on the fast fashion and low-cost clothing industry
helped push the UK Modern Slavery Act
oversight of working conditions in the supply chain
audit direct and second-tier suppliers
3P compliance
1 Identify business partners: ERP and CRM vendor masters; accounts payable records; contracts; define 3Ps and their categories; remove duplicates to consolidate; create a centralized database
2 Assign a risk rating to 3Ps: link 3Ps to requirements; risk of a compliance breach; classify 3Ps into segments by risk factors (contract value, legal requirements, bribery, fraud, PEPs)
3 Perform due diligence: risk-based process to manage each third-party relationship; vendor accountability; performance measurement; contracts and amendments; code of conduct for 3Ps; training and certification requirements; report and monitor compliance; incident response; remediation plans; audits; continuous reassessment
3P risk factors
High contract value
Provision of critical services
Conflicts of interest
Regulated services
Authorization to represent the company
Dependence on critical licenses to
operate
Operations in countries with high levels of
corruption (Transparency International)
Operations in sectors vulnerable to
corruption
Interaction with public officials
Personal data management
Use of second-tier contracts
Unusual payment demands, methods or
amounts
Poor 3P governance
Country risk ranking
Legal and political: Rule of Law Index by the World Justice Project; Regulatory Quality by the Worldwide Governance Indicators; regulations and enforcement by Doing Business; political risk by Coface. Treatment: change the "governing law" and "jurisdiction" clauses
Fraud and corruption: Corruption Perceptions Index by Transparency International; Basel AML Index for money laundering; country of registration, operations and payment. Treatment: enhanced anti-corruption clauses and screening
Applied at initial screening and at contract review
3P risk level and approver
High: compliance officer
Medium: regional compliance heads
Low: local management
Decision: approved; rejected; further investigation; conditionally approved (enhanced contract terms, additional internal controls, extended audits and monitoring, annual re-certifications)
Lifecycle: contracting, amendments, renewal; assessment, monitoring, decision, continuous reassessment
3P risk treatment
Due diligence (pre-contract): companies and individuals; background checks; questionnaire and documentation completed by the 3P after a request by a business unit
Audits: compliance with codes of conduct and policies, regulations and laws, contract stipulations
Learn more…
ISO 31000 and ISO 19600
Compliance and Ethics Leadership Council - Performing a Legal and Compliance Risk Map
Tabuena, Jose - Conducting the Compliance and Ethics Risk Assessment (SCCE Manual)
Whalley, Matthew - The Legal Risk Management Handbook
Archbold, Carol - Police Accountability, Risk Management, and Legal Advising
2.0 links
mydailyexecutive.blogspot.com
www.linkedin.com/in/hernanwyler
@hewyler
What have you gotten from the classes?

The Behavioral Science of Compliance CUMPLEN.pdfHernan Huwyler, MBA CPA
 
Compliance and the russian invasion - Prof Hernan Huwyler
Compliance and the russian invasion - Prof Hernan HuwylerCompliance and the russian invasion - Prof Hernan Huwyler
Compliance and the russian invasion - Prof Hernan HuwylerHernan Huwyler, MBA CPA
 
DPO Day Conference - Minimizing Privacy Risks
DPO Day Conference - Minimizing Privacy RisksDPO Day Conference - Minimizing Privacy Risks
DPO Day Conference - Minimizing Privacy RisksHernan Huwyler, MBA CPA
 
Master in Sustainability Leadership Sustainability Risks Prof Hernan Huwyler
Master in Sustainability Leadership Sustainability Risks Prof Hernan HuwylerMaster in Sustainability Leadership Sustainability Risks Prof Hernan Huwyler
Master in Sustainability Leadership Sustainability Risks Prof Hernan HuwylerHernan Huwyler, MBA CPA
 
Hernan Huwyler - Iberoamerican Compliance Conference UCM Congreso Iberoameric...
Hernan Huwyler - Iberoamerican Compliance Conference UCM Congreso Iberoameric...Hernan Huwyler - Iberoamerican Compliance Conference UCM Congreso Iberoameric...
Hernan Huwyler - Iberoamerican Compliance Conference UCM Congreso Iberoameric...Hernan Huwyler, MBA CPA
 
ARENA - Prof Hernan Huwyler - Debate Is Machine Learning Mature Enough?
ARENA - Prof Hernan Huwyler - Debate Is Machine Learning Mature Enough?ARENA - Prof Hernan Huwyler - Debate Is Machine Learning Mature Enough?
ARENA - Prof Hernan Huwyler - Debate Is Machine Learning Mature Enough?Hernan Huwyler, MBA CPA
 
Qa Financials - 10 Smart Controls for Software Development
Qa Financials  - 10 Smart Controls for Software DevelopmentQa Financials  - 10 Smart Controls for Software Development
Qa Financials - 10 Smart Controls for Software DevelopmentHernan Huwyler, MBA CPA
 
Information Risk Management - Cyber Risk Management - IT Risks
Information Risk Management - Cyber Risk Management - IT RisksInformation Risk Management - Cyber Risk Management - IT Risks
Information Risk Management - Cyber Risk Management - IT RisksHernan Huwyler, MBA CPA
 
Stronger 2021 Building the Blocks to Quantify Cyber Risks - Prof hernan huwyler
Stronger 2021 Building the Blocks to Quantify Cyber Risks - Prof hernan huwylerStronger 2021 Building the Blocks to Quantify Cyber Risks - Prof hernan huwyler
Stronger 2021 Building the Blocks to Quantify Cyber Risks - Prof hernan huwylerHernan Huwyler, MBA CPA
 
IE Curso ISO 37301 Aseguramiento de Controles de Cumplimiento
IE Curso  ISO 37301 Aseguramiento de Controles de Cumplimiento IE Curso  ISO 37301 Aseguramiento de Controles de Cumplimiento
IE Curso ISO 37301 Aseguramiento de Controles de Cumplimiento Hernan Huwyler, MBA CPA
 
Strategy Insights - How to Quantify IT Risks
Strategy Insights - How to Quantify IT Risks Strategy Insights - How to Quantify IT Risks
Strategy Insights - How to Quantify IT Risks Hernan Huwyler, MBA CPA
 
Hernan Huwyler - Boards in a Digitalized World
Hernan Huwyler - Boards in a Digitalized WorldHernan Huwyler - Boards in a Digitalized World
Hernan Huwyler - Boards in a Digitalized WorldHernan Huwyler, MBA CPA
 

More from Hernan Huwyler, MBA CPA (20)

Prof. Hernan Huwyler IE Law School - AI Risks and Controls.pdf
Prof. Hernan Huwyler IE Law School - AI Risks and Controls.pdfProf. Hernan Huwyler IE Law School - AI Risks and Controls.pdf
Prof. Hernan Huwyler IE Law School - AI Risks and Controls.pdf
 
Asociacion Profesionistas de Compliance - Initiatives to Reduce the Cost of C...
Asociacion Profesionistas de Compliance - Initiatives to Reduce the Cost of C...Asociacion Profesionistas de Compliance - Initiatives to Reduce the Cost of C...
Asociacion Profesionistas de Compliance - Initiatives to Reduce the Cost of C...
 
Model to Quantify Compliance Risks.pdf
Model to Quantify Compliance Risks.pdfModel to Quantify Compliance Risks.pdf
Model to Quantify Compliance Risks.pdf
 
Prof Hernan Huwyler MBA CPA - Ditch your Heat Maps
Prof Hernan Huwyler MBA CPA - Ditch your Heat MapsProf Hernan Huwyler MBA CPA - Ditch your Heat Maps
Prof Hernan Huwyler MBA CPA - Ditch your Heat Maps
 
Profesor Hernan Huwyler MBA CPA - Operacional Compliance
Profesor Hernan Huwyler MBA CPA - Operacional ComplianceProfesor Hernan Huwyler MBA CPA - Operacional Compliance
Profesor Hernan Huwyler MBA CPA - Operacional Compliance
 
Hernan Huwyler - IE Compliance Corporate Risk Management Full 2023
Hernan Huwyler - IE Compliance Corporate Risk Management Full 2023 Hernan Huwyler - IE Compliance Corporate Risk Management Full 2023
Hernan Huwyler - IE Compliance Corporate Risk Management Full 2023
 
The Behavioral Science of Compliance CUMPLEN.pdf
The Behavioral Science of Compliance CUMPLEN.pdfThe Behavioral Science of Compliance CUMPLEN.pdf
The Behavioral Science of Compliance CUMPLEN.pdf
 
R is for Risk 2 Risk Management using R
R is for Risk 2 Risk Management using RR is for Risk 2 Risk Management using R
R is for Risk 2 Risk Management using R
 
Compliance and the russian invasion - Prof Hernan Huwyler
Compliance and the russian invasion - Prof Hernan HuwylerCompliance and the russian invasion - Prof Hernan Huwyler
Compliance and the russian invasion - Prof Hernan Huwyler
 
DPO Day Conference - Minimizing Privacy Risks
DPO Day Conference - Minimizing Privacy RisksDPO Day Conference - Minimizing Privacy Risks
DPO Day Conference - Minimizing Privacy Risks
 
Master in Sustainability Leadership Sustainability Risks Prof Hernan Huwyler
Master in Sustainability Leadership Sustainability Risks Prof Hernan HuwylerMaster in Sustainability Leadership Sustainability Risks Prof Hernan Huwyler
Master in Sustainability Leadership Sustainability Risks Prof Hernan Huwyler
 
Cyber Laundering and the AML Directives
Cyber Laundering and the AML DirectivesCyber Laundering and the AML Directives
Cyber Laundering and the AML Directives
 
Hernan Huwyler - Iberoamerican Compliance Conference UCM Congreso Iberoameric...
Hernan Huwyler - Iberoamerican Compliance Conference UCM Congreso Iberoameric...Hernan Huwyler - Iberoamerican Compliance Conference UCM Congreso Iberoameric...
Hernan Huwyler - Iberoamerican Compliance Conference UCM Congreso Iberoameric...
 
ARENA - Prof Hernan Huwyler - Debate Is Machine Learning Mature Enough?
ARENA - Prof Hernan Huwyler - Debate Is Machine Learning Mature Enough?ARENA - Prof Hernan Huwyler - Debate Is Machine Learning Mature Enough?
ARENA - Prof Hernan Huwyler - Debate Is Machine Learning Mature Enough?
 
Qa Financials - 10 Smart Controls for Software Development
Qa Financials  - 10 Smart Controls for Software DevelopmentQa Financials  - 10 Smart Controls for Software Development
Qa Financials - 10 Smart Controls for Software Development
 
Information Risk Management - Cyber Risk Management - IT Risks
Information Risk Management - Cyber Risk Management - IT RisksInformation Risk Management - Cyber Risk Management - IT Risks
Information Risk Management - Cyber Risk Management - IT Risks
 
Stronger 2021 Building the Blocks to Quantify Cyber Risks - Prof hernan huwyler
Stronger 2021 Building the Blocks to Quantify Cyber Risks - Prof hernan huwylerStronger 2021 Building the Blocks to Quantify Cyber Risks - Prof hernan huwyler
Stronger 2021 Building the Blocks to Quantify Cyber Risks - Prof hernan huwyler
 
IE Curso ISO 37301 Aseguramiento de Controles de Cumplimiento
IE Curso  ISO 37301 Aseguramiento de Controles de Cumplimiento IE Curso  ISO 37301 Aseguramiento de Controles de Cumplimiento
IE Curso ISO 37301 Aseguramiento de Controles de Cumplimiento
 
Strategy Insights - How to Quantify IT Risks
Strategy Insights - How to Quantify IT Risks Strategy Insights - How to Quantify IT Risks
Strategy Insights - How to Quantify IT Risks
 
Hernan Huwyler - Boards in a Digitalized World
Hernan Huwyler - Boards in a Digitalized WorldHernan Huwyler - Boards in a Digitalized World
Hernan Huwyler - Boards in a Digitalized World
 

Recently uploaded

Call Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116  - With room ServiceCall Girls in Gomti Nagar - 7388211116  - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room Servicediscovermytutordmt
 
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...lizamodels9
 
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In.../:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...lizamodels9
 
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCRsoniya singh
 
FULL ENJOY - 9953040155 Call Girls in Chhatarpur | Delhi
FULL ENJOY - 9953040155 Call Girls in Chhatarpur | DelhiFULL ENJOY - 9953040155 Call Girls in Chhatarpur | Delhi
FULL ENJOY - 9953040155 Call Girls in Chhatarpur | DelhiMalviyaNagarCallGirl
 
GD Birla and his contribution in management
GD Birla and his contribution in managementGD Birla and his contribution in management
GD Birla and his contribution in managementchhavia330
 
rishikeshgirls.in- Rishikesh call girl.pdf
rishikeshgirls.in- Rishikesh call girl.pdfrishikeshgirls.in- Rishikesh call girl.pdf
rishikeshgirls.in- Rishikesh call girl.pdfmuskan1121w
 
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130  Available With RoomVIP Kolkata Call Girl Howrah 👉 8250192130  Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Roomdivyansh0kumar0
 
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101  - Basics on Growth MarketingTech Startup Growth Hacking 101  - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth MarketingShawn Pang
 
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...lizamodels9
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdfRenandantas16
 
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service PuneVIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service PuneCall girls in Ahmedabad High profile
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfPaul Menig
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMRavindra Nath Shukla
 
2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis UsageNeil Kimberley
 
Banana Powder Manufacturing Plant Project Report 2024 Edition.pptx
Banana Powder Manufacturing Plant Project Report 2024 Edition.pptxBanana Powder Manufacturing Plant Project Report 2024 Edition.pptx
Banana Powder Manufacturing Plant Project Report 2024 Edition.pptxgeorgebrinton95
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges --  Guest House in Jhang.M.C Lodges --  Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.Aaiza Hassan
 
Call Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any TimeCall Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any Timedelhimodelshub1
 

Recently uploaded (20)

Call Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116  - With room ServiceCall Girls in Gomti Nagar - 7388211116  - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room Service
 
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
 
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In.../:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
 
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
 
FULL ENJOY - 9953040155 Call Girls in Chhatarpur | Delhi
FULL ENJOY - 9953040155 Call Girls in Chhatarpur | DelhiFULL ENJOY - 9953040155 Call Girls in Chhatarpur | Delhi
FULL ENJOY - 9953040155 Call Girls in Chhatarpur | Delhi
 
GD Birla and his contribution in management
GD Birla and his contribution in managementGD Birla and his contribution in management
GD Birla and his contribution in management
 
rishikeshgirls.in- Rishikesh call girl.pdf
rishikeshgirls.in- Rishikesh call girl.pdfrishikeshgirls.in- Rishikesh call girl.pdf
rishikeshgirls.in- Rishikesh call girl.pdf
 
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130  Available With RoomVIP Kolkata Call Girl Howrah 👉 8250192130  Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
 
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101  - Basics on Growth MarketingTech Startup Growth Hacking 101  - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
 
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
 
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
 
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
 
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service PuneVIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdf
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSM
 
2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage
 
Banana Powder Manufacturing Plant Project Report 2024 Edition.pptx
Banana Powder Manufacturing Plant Project Report 2024 Edition.pptxBanana Powder Manufacturing Plant Project Report 2024 Edition.pptx
Banana Powder Manufacturing Plant Project Report 2024 Edition.pptx
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges --  Guest House in Jhang.M.C Lodges --  Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.
 
Call Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any TimeCall Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any Time
 

Based on the references to ethics monitoring, plea agreements with US government agencies, and regulatory scrutiny of trade practices, this risk description appears to be describing compliance risks at BP (British Petroleum

  • 1.
  • 2. Why do I need to assess compliance risks?
  • 3.
  • 4.
  • 5. How much do you know about conducting a compliance risk assessment?
  • 6. What will I get from these classes?
  • 10.
  • 11. Hernan Huwyler, MBA CPA Audit SOX ACCG Risks SAP/IT Compliance @hewyler @IElaw
  • 12. ISO 31000 Risk Management Time Productivity
  • 13. What will we research? Compliance ability to deliver on stakeholders' expectations compliance with the law and ethics makes companies sustainable interpret the impact of existing and future compliance obligations (requirements and commitments that an organization has to or chooses to comply with) Risks effect of uncertainty on objectives a positive or negative deviation from what is expected lack of information causes uncertainty with respect to a certain time horizon
  • 14. Example unclear norms create risks Abstract, imprecise and intricate norms Generic descriptions in legalese Technicalities Contradicting specifications Legal loopholes Unclear norms = Lack of information = Risks I did not have "sexual relations" with Lewinsky US federal law on sexual assault
  • 15. From criminal to ethical risks Compliance risks External compliance for regulations, laws and concession contracts (legal risks) Internal compliance for policies and procedures, organizational standards, self-regulations, ISOs, corporate commitments Criminal risks Criminal misconduct Corporate criminal liability Focused on bribery offenses Granted resources for compliance Ethical risks Stakeholders' expectations Based on business principles and values Protect the reputation
  • 16. Producing a compliance risk assessment is a requirement to “make up” policies… … or an opportunity to communicate ethical values, anti-fraud and corruption controls and best practices to increase profitability
  • 17. Compliance officer as … a trusted advisor by supporting the business and the executive committee to take new compliance risks by recommending easy-to-follow and cost-effective controls to address compliance risks (the what + the how) by setting priorities for strategic initiatives by gaining commitment from stakeholders
  • 18. Compliance officer as … a trusted advisor prevents, finds and fixes problems understands where the compliance risks are in order to mitigate them (risk exposure) understands the tolerance, capability and appetite for risk improves the risk assessment to stimulate ethical behaviors
  • 19. Discussion case you are the CCO at Uber aggressive business model massive personal data hack CEO resigned after allegations of harassment and discrimination let's assess compliance risks Licenses, FCPA, SOX, data privacy laws, labor laws (drivers as independent contractors, not employees), competition laws (price-fixing conspiracy)
  • 21. Dissecting compliance risks Compliance comply with the ethics and the law real or perceived violations affect the current and future business creates financial losses: fines, sanctions, credit restrictions, reputation losses Consequences Impact per event Risks deviation of processes, controls or functions from an expected level occurs due to lack of information, changes, inabilities, improper governance Causes Frequency in a time horizon
  • 22. Dissecting compliance risks Consequences Impact per event Contingency plans Crisis protocol Corporate defense Investigation protocol Disaster management Data backup Contract clauses Causes Frequency in a time horizon Prevention plans Policies and procedure Delegation of authority Compliance training and awareness Compliance helpline Financial controls
  • 23. Dissecting compliance risks Impact magnitude/severity of the possible consequence adverse consequence → risk per se positive consequence → opportunity Frequency likelihood/probability of occurrence of each consequence occurrence per unit time
  • 24. Dissecting compliance risks Impact * Frequency = Level of risk calculate exposure identify risks requiring most attention prioritize critical risks plan for a target level of risk
  • 25. Compliance risks as opportunities
  • 26. Risks are… …. the foundation of the #ethics and #compliance program identify risks allocate resources to reduce major risks monitor leading indicators anticipate risks demonstrate a proactive approach to compliance improve decision-making
  • 27. Regulatory vs. compliance risks Regulatory risks Potential loss caused by the creation or modification of laws and regulations, or their interpretation Caused by the government or regulator Increase costs of doing business, restrict activities or affect the competition Anticipate changes in laws and regulations Compliance risks Potential loss caused by a breach of an internal standard, contract, law, regulation or ethical value Caused by internal control failures, a defective transaction or a legal claim Accidental, deliberate or negligent misconduct breaches Fines, payment of damages, voided contracts, or damage to the reputation Prevention and contingency plans
  • 28. Risks in obligations Contractual risks Potential breach in current and future contracts Contracts with customers and vendors Includes the concession contracts Big source of regular risks Controlling that contract terms are clear and realistic for the business Non-contractual risks Fails to meet the duty of care to customers, markets, environment or staff Applied by actions of regulators and law enforcement authorities Includes the corporate criminal liability
  • 29. Ethical risks an organization can technically comply with all laws but could still be #unethical created by the stakeholders' expectations corporate voluntary commitments depends on the tone at the top values, transparency, open door communication, sustainability, diversity, social responsibility controls to meet ethical standards are owned by the compliance function related to corruption, fraud and human rights risks
  • 30. Why are compliance risks taken? What you see Controls Compliance rules Risk policies What you don't see Culture Tolerance Motivation Pay structure Value statements Strategy documents Assumptions Personal values Relationships
  • 32. Stakeholders of compliance shareholders government and regulators investors and potential acquirers banks and rating agencies employees, candidates and unions customers business partners and suppliers the media potential plaintiffs local communities and NGOs Expectations of They want the company to explicitly address ethics and compliance risks
  • 33. Materiality matrix (axes: importance for stakeholders, low to high, against impact on the company's business, low to high) Topics plotted: Consumer protection Labor management Environmental and CO2 reduction policies Corporate citizenship and transparency Corporate governance Legislation and regulation Health and safety Human rights Sustainable supply chain Anti-bribery Data protection Product safety
  • 34. Stakeholders of compliance Discussion case: voluntary commitments
  • 35. Compliance risk map (heat map) Easy to visualize the risk profile and facilitate communications Two-dimensional matrix → impact * frequency axis Level of risk → scale levels in red/yellow/green Boundaries linked to the risk tolerance Probability Impact AKA: Probability Impact Diagram or Matrix
  • 36. Compliance risk map (heat map) More actionable than a list of risks Bubble color may be used to show the control efficiency for each risk Visualize risks in relation to others → priority for mitigation actions Probability Impact Anti-trust Anti- bribery Fraud Labor laws Privacy laws
  • 37. Let's practice Help Uber to get a compliance heat map Licenses to operate Bribery laws Competition laws Privacy laws Employment laws … Homework: use MS Excel and simulate a control level Probability Impact
  • 38. Discussion case U.S. Federal Sentencing Guidelines for Organizations conducting robust compliance risk assessments establishes the potential for credit or reduced fines and penalties when an organization is found guilty of a compliance failure
  • 39. Discussion case However, 39% of organizations are not performing an annual compliance risk assessment Let's discuss causes compliance risks cannot be combined with the global risk ERM assessments compliance culture is reactive (fines, whistleblowing, audit findings, litigations) rather than preventive
  • 40. Guess the company Compliance and control risks Ethical misconduct and legal or regulatory non-compliance Ethical misconduct or breaches of applicable laws or regulations could damage our reputation, adversely affect operational results and shareholder value, and potentially affect our license to operate. Our code of conduct and our values and behaviors, applicable to all employees, are central to managing this risk. Additionally, we have various group requirements and training covering areas such as anti-bribery and corruption, anti-money laundering, competition/anti-trust law and international trade regulations. We seek to keep abreast of new regulations and legislation and plan our response to them. We offer an independent confidential helpline, OpenTalk, for employees, contractors and other third parties. Under the terms of the 2012 plea agreement with the US government and the 2014 settlement with the US Environmental Protection Agency, an ethics monitor is reviewing and providing recommendations concerning BP’s ethics and compliance program.
  • 41. Guess the company Regulatory and compliance risks The company is subject to regulatory and compliance risks, which may expose it to investigations by governmental authorities, litigation and fines, in relation, among other things, to its pricing and marketing practices or other antitrust matters. The resolution of such matters could negatively affect the profitability and cash flows in a particular period or harm its reputation. The company may be subject to exacting scrutiny from regulatory authorities and private parties, particularly regarding its trade practices and dealings with customers and counterparties. Subsidiaries are currently and in the future may be subject to legal proceedings, the resolution of which could negatively affect the profitability and cash flows in a particular period. The company operates in a global environment, and, at a time of increased enforcement activity and enforcement initiatives worldwide, its business straddles multiple jurisdictions and complex regulatory frameworks, including in the area of economic sanctions.
  • 42. Guess the company Internal controls and compliance risks Regulators may limit our activities, including through the application of increased capital and liquidity requirements, customer protection and market conduct regulations in which we may operate or invest. Such limitations can have a negative effect on our business and our ability to implement strategic initiatives. The internal control systems cycle monitors and analyzes significant legal and compliance risks, sets limits, caps and triggers on specific businesses to control significant operational risk exposure, and reviews and assesses the appropriateness and efficiency of the internal control systems, particularly with regards to valuation risks and the new business approval process. The audit committee maintained a focus on compliance topics through briefings at meetings by the Chief Compliance and Regulatory Affairs Officer on key compliance risks and associated internal controls, as well as dedicated sessions on specific topics, such as know-your-customer and anti-money laundering requirements, market conduct and global client tax compliance programs.
  • 43. Guess the company Regulatory requirements and compliance risks As we expand our operations, we will be subject to additional laws in other jurisdictions where our merchants, consumers, users, customers and other participants are located. Our continued expansion into cloud computing services will also increase the number of parties who host data on our system, which will present increased challenges and risks in relation to data protection and data privacy. Any failure, or perceived failure, by us to comply with our privacy policies or with any regulatory requirements could result in proceedings or actions against us by governmental entities or others. Greater attention, scrutiny and enforcement, including more frequent inspections, could increase our compliance costs and subject us to heightened risks and challenges associated with data security and protection. Regulatory requirements and compliance risks as well as publicity risks that we become subject to as a result of acquisitions of businesses in new industries or geographic areas or otherwise, especially for acquisitions of public companies.
  • 44. Gross and net risks
    Inherent risk: assessed level of untreated risk; the activity without any control or insurance; before considering the effectiveness of internal controls; considers the failure of all related controls; used by external auditors and insurers; theoretical, with a high degree of judgment
    Residual risk: assessed level of treated risk; the activity with its current controls; after the current (or desired) level of control (ie. after insurance); used by risk managers; current controls can be identified and audited for their design and efficiency
  • 45. Gross and net risks (chart: inherent, residual current, residual desired) Inherent risk excludes all controls: no budgetary control, no segregation of duties, no compensating controls, no tone at the top … no passwords, no locking doors! ... no compliance department! Some risk practitioners include high-level controls for inherent risk or link inherent risks to the efficiency of current controls (ie. weak current controls mean high inherent risks)
  • 46. Example University of Washington
  • 47. Risk-taking in compliance Risk capacity maximum level of risks that a company can assume without deliberately violating a law or regulation critical consequences in terms of compliance breach costs or the impact on strategic objectives or reputation Risk tolerance level of risks that a company wants to accept set by the board, needed to meet objectives influenced by legal or regulatory requirements communicated: quantitatively: in terms of a single value “zero tolerance for fraud or corruption”, or qualitatively: in terms of acceptable or unacceptable outcomes depends on the investment returns and strategy exceeding the tolerance will trigger a management action
  • 48. Risk tolerance is not what you say or write… is what you do
  • 50. The only way to reduce the compliance risks to zero is by closing the business We manage risks, not security
  • 51. Risk-taking in compliance Discussion How can a company increase its capacity to assume compliance risks? How does the company communicate its tolerance for compliance risks? For fraud and corruption For conflicts of interest For legal claims For fines Thresholds for approving transactions Expressed in granting resources for compliance Can they be used for monitoring key indicators?
  • 52. Risk-taking in compliance Risk profile all risks that affect the company shaped by the industry Risk exposure total exposed amount of risk multiplying the probability of a noncompliance event by its potential losses useful to compare against the risk tolerance Perceived risks how employees think about risks according to their experience and interests Biases create gaps between perceived and actual risks
  • 53. Risk-taking in compliance The “third variable” to be shown as bubble color, size or shape Control efficiency how well the controls are designed and performed clear and trained policies and procedures Risk velocity how fast the company is impacted by the noncompliance event Risk persistency how long the company is impacted Level of understanding how well this risk can be predicted
  • 54. Risk-taking in compliance Risk granularity how detailed the risks are managed show how risks are concentrated and managed together determines the level of resources in assessing risks requires a consolidation method By... category (corruption, environmental) activity (solar, wind, waste) jurisdiction (Spain, US, domestic, international) business unit (HQ, shared services) ownership (sales, finance, contracting) source (internal, third party)
  • 55. Risk hierarchy
    Top risks: responsible executive directors, accountable board
    Enterprise risks: responsible compliance committee and business and functional VPs, accountable executive directors
    Business risks: responsible business directors, accountable BU directors
    Project risks: responsible project leaders, accountable BU directors
    Top-down: accountability, monitoring, assurance, monitoring action plans
    Bottom-up: risk identification, action plan implementation, control performance
  • 56. Level of control Controllable risks good corporate governance management review policies and procedures delegation of authority authorization levels segregation of duties evaluation for new investments training Uncontrollable risks can not be prevented or minimized if possible, covered by insurance human error complex systems social media some third party risks interconnected global economy
  • 57. Why do cars need brakes? To go faster! Compliance controls are set to accelerate growth
  • 58. Tendencies for compliance risks Direct factors Increase complexity of laws and regulations Regulatory rigor to protect consumers International coordination of regulators Enhanced disclosure measures and transparency Indirect factors Media scrutiny for compliance scandals Global impact on reputation in multinational companies Growing awareness among consumers of their rights Technological advancements and cyber risks
  • 61. Compliance and business intelligence Exploit big data reporting dashboards querying data statistical inferences and trends alarms Machine learning reduce false positives “also look for” unsupervised deep learning Benefits real time monitoring full and interactive investigation visualization audit trails less false positives (listed OFAC, KYC) Data warehouse Reports Alarms other files
  • 62. Compliance and robotics Mimic rules-based activities ask for data retrieve data testing transactions against rules and laws compile documentation review calculations Automate decision-making workflows approvals Benefits productivity low op. cost no errors full scope 24-hours
  • 63. Compliance and blockchain Securing data legitimate transactions and ownership verify information checking platforms with business rules trade confirmations settlement (legal points) Keep records smart contracts distributed ledgers Benefits standardized compliance contract, tax, data privacy compliance data quality audit proof Cryptographic verification of blocks that are part of a chain; a token to prove ownership
  • 64. Compliance risks cover the “known unknowns”… and the “unknown unknowns”
  • 65. How to assess risks? 2
  • 66. ISO 31000 2018 scope, context, criteria assessment treatment recording and reporting communication consultation monitoring review identification analysis (i*f) evaluation ranking Non certificable principles risk management policy objectives and leadership by top management focus on strategies iterative process feedback from the external environment different methods to identify risks (ISO 31010)
  • 67. When to assess compliance risks? Standalone before creating an ethics and compliance program annual updates to evaluate the efficiency of large organizational changes • acquisitions and changes in strategies • reorganizations • new products • operations in new countries • changes to compliance obligations • noncompliances Using synergies part of the global risk assessment (recommended integrated approach) when evaluating fraud risks (SOX, internal audit) part of a data protection impact assessment under the GDPR in quality, environmental and information security initiatives
  • 68. Roadmap Planning buy-in, scope, resources, participants Assessing risks identification and valuation, analysis, action plans Reporting risk communication and monitoring, result evaluation, improvement
  • 69. Get the buy-in from the board link the risk assessment to the planned decisions and sensitive risks for the board and top management (ie. cyber-security) board members are responsible for the ownership of top risks adjust the risk methodology to the maturity of the company culture inform about the project's confidentiality explain that the assessment will offer new resources for managing compliance risks more budget, training, top level support 1
  • 70. Get the buy-in from the board How to “sell” the assessment? focus the ethics and compliance program prioritize controls, training and budget to key controls identify factors that are likely to affect the reputation create awareness of compliance breaches and threats clarify responsibilities in managing requirements understand compliance requirements and controls de-risk processes and contracts identify the constraints for the assessment 1
  • 71. Identify the risk universe define the scope of the risk assessment simple categories of compliance risks to assess sorted by categories and sub-categories spotting broad areas of risks customized for your company no “one-size-fits-all” based on the list of regulations, laws, standards and obligations allows to consolidate similar risks works like accounts in accounting leads to better reporting to the stakeholders 2
  • 72. Identify the risk universe Desktop review to understand the context 2 External breaches by competitors, industry reports, news on compliance breaches, regulator reports, external advice, regulatory investigations (for peer companies or beyond), proposed regulations and rules Internal statistics of litigation, fines and claims, helpline use and investigations, customer complaints, audit reports, frauds, insurance claims, contract breaches, compliance narratives, compliance exception reports, policy waivers, current contracts, future commercial plans, compliance tasks in job descriptions, culture surveys
  • 73. Identify the risk universe 2
    Ethics: Anti-bribery laws, Fraud, Conflict of interests, Insider trading
    Service delivery: Export controls, Restricted transactions, 3rd Party management, Document retention
    Environmental: Emission and waste, Product safety, Hazardous materials, Labor laws
    IT: Data security, Privacy GDPR / HIPAA, IT vendor compliance, Certifications
  • 74. Identify the risk universe Categories and sub-categories 2
    Fraud
      Corruption: Conflicts of interest (purchasing schemes, sales schemes); Bribery (bid rigging, invoice kickbacks)
      Asset misappropriation: Theft of cash on hand; Theft of cash receipts (cash larceny, skimming); Fraudulent disbursements (payroll schemes, billing schemes, expense reimbursement, check tampering); Inventory and other assets (misuse)
      Financial statements fraud: Revenue and asset overstatements; Liability and expense understatement
    AKA: risk domains, taxonomy, typologies, areas, types or families. Tip: link the categories to types of objectives
  • 75. Identify the risk universe 2 Let´s practice Good news! You have been appointed as the new compliance officer and you need to sort the following sub-categories into: 1- Ethical risks, managed by the CEO 2- Cyber security risks, managed by the CISO 3- Financial reporting risks, managed by the CFO 4- Safety and environmental risks, managed by QHM 5- People risks, managed by the CHRO 6- Commercial risks, managed by the COO
  • 76. Identify the risk universe 2 Anti-trust and consumer protection Anti-money laundering Financing terrorism Conflict minerals Government contract Sales and marketing laws Credit and collection laws Contract management Animal testing Anti-boycott Litigation Quality standards License and permits Fair trading Tax and transfer pricing SOX and financial reporting Political contributions
  • 77. Identify the risk universe 2 Intellectual property Donations Sponsorship Advertising Human rights Non-financial reporting and disclosure Currency exchange controls Product regulation Whistleblowing Product labeling ISOs and in-house standards Sanctions and exclusions Modern slavery Diversity Intellectual property infringement Business continuity
  • 78. Identify the participants 3 Level of seniority Board members, executive leadership and CXOs, internal/external legal advisors, managers, supervisors HQs and subsidiaries Business lines Functional areas Process owners, SMEs, auditors, risk managers, HR, CSR, sales, purchasing, IT External experts Which participants should cover the risk universe?
  • 79. The extent and level of detail of the compliance risk assessment are dependent on the risk situation, context, size and objectives of the organization They can vary for specific subareas such as environment, financial and social ISO 19600 4.6
  • 80. Design the assessment 4 The risk registry database to communicate risks and action plans to track, report, sort and filter risks and produce risk maps calculates and consolidates metrics and indicators access restricted by user type checks for double-counted risks useful to compare with loss databases risks and action plans should be approved and updated AKA: risk library, inventory, database, log, tracker
  • 81. Design the assessment 4 Solutions for a risk registry Dedicated compliance or ERM solutions Off-line On-line >
  • 82. No software can compensate for the lack of talent of a compliance officer
  • 83. Design the assessment 4 Fields to consider Unique risk number Risk owner Stakeholders Business lines affected (risk scope) Category (and sub-category) Risk title (consequence + by + cause) Risk statement or description of the event Breached law, policy or compliance requirement Description of contingency controls Impact value (score or EUR) Risk sources (AKA factors) Description of preventive controls Description of past events (even by competitors, loss experiences) Detectability (how easy to detect) Frequency value Level of control (I*f) Third variable (ie. risk velocity) Treatment strategy (4Ts) Action plans for mitigation (tasks, due dates, investment, owner) Date of identification Key risk indicators Risk status and evolution
  • 84. Design the assessment 4 Risk registry fields (impact and frequency over 3 years)
    Risk universe: Anti-bribery. Risk description: The anti-corruption laws may be violated by sales managers offering cash, gifts and other perks to public officers to illegally secure a government contract. Impact: €100k. Frequency: 10%
    Risk universe: Fraud. Risk description: The code of conduct may be breached by procurement staff buying overpriced or nonexistent goods to get a kickback. Impact: €20k. Frequency: 10%
    Risk universe: Conflict of interests. Risk description: The code of conduct may be breached by employees using company time and assets for an undeclared second job. Impact: €10k. Frequency: 20%
    Risk universe: 3rd Party management. Risk description: GDPR may be breached by IT cloud vendors improperly transferring personal information of our clients. Impact: €20k. Frequency: 10%
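  The registry above lends itself to a small computation: exposure per risk (probability of the noncompliance event multiplied by its potential loss, as defined on slide 52), consolidation by category to spot accumulations, and a comparison against a tolerance that triggers a management action. The Python below is an added example, not code from the deck or its author; the four register rows are the constructed rows shown on the slide and the tolerance value and the double-counting check are assumptions.

```python
"""Risk registry with exposure, consolidation and tolerance checks.

Added example; the register rows are the four constructed rows from the
slide and the tolerance value is an assumption, not a figure from the deck.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str        # unique risk number
    category: str       # risk universe category
    description: str    # risk statement: consequence + by + cause
    impact_eur: float   # single potential loss in EUR
    frequency: float    # probability over the assessment horizon (3 years)

    @property
    def exposure(self) -> float:
        """Risk exposure = probability of the noncompliance event x potential loss."""
        return self.impact_eur * self.frequency


# Constructed register: the four rows shown on the slide
REGISTER = [
    Risk("R1", "Anti-bribery",
         "Anti-corruption laws violated by sales managers offering perks to public officers",
         100_000, 0.10),
    Risk("R2", "Fraud",
         "Code of conduct breached by procurement staff buying overpriced goods for a kickback",
         20_000, 0.10),
    Risk("R3", "Conflict of interests",
         "Code of conduct breached by employees using company assets for a second job",
         10_000, 0.20),
    Risk("R4", "3rd Party management",
         "GDPR breached by IT cloud vendors improperly transferring client personal data",
         20_000, 0.10),
]


def rank_by_exposure(register):
    """Sort risks so treatment effort goes to the highest relative exposure first."""
    return sorted(register, key=lambda r: r.exposure, reverse=True)


def consolidate_by_category(register):
    """Sum exposures per category to spot accumulations of similar compliance risks."""
    totals = defaultdict(float)
    for r in register:
        totals[r.category] += r.exposure
    return dict(totals)


def total_exposure(register):
    """Total exposed amount across the register."""
    return sum(r.exposure for r in register)


def categories_over_tolerance(register, tolerance_eur):
    """Categories whose consolidated exposure exceeds the tolerance set by the board.

    Exceeding the tolerance is the trigger for a management action plan.
    """
    totals = consolidate_by_category(register)
    return sorted(c for c, v in totals.items() if v > tolerance_eur)


def double_counted(register):
    """Registry check: risks recorded twice under the same category and statement."""
    seen, dupes = {}, []
    for r in register:
        key = (r.category, r.description.strip().lower())
        if key in seen:
            dupes.append((seen[key], r.risk_id))
        else:
            seen[key] = r.risk_id
    return dupes


if __name__ == "__main__":
    for r in rank_by_exposure(REGISTER):
        print(f"{r.risk_id} {r.category:<22} exposure EUR {r.exposure:>9,.0f}")
    print("total exposure EUR", f"{total_exposure(REGISTER):,.0f}")
    print("over tolerance (EUR 5,000 per category):",
          categories_over_tolerance(REGISTER, 5_000))
```

  With the slide's figures the anti-bribery risk alone carries EUR 10,000 of the EUR 16,000 total exposure, so it is the category that breaches an assumed EUR 5,000 per-category tolerance and the one whose action plan should be resourced first.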
  • 85. 1 3 2 How do I identify risks? Interviews with risk owners Compliance risk self assessment Risk workshops 4
  • 86. 1 3 Compliance risk self assessment confidential questionnaires based on the risk universe circulated to the participants on the scope general for the company or adjusted by area or function participants complete their perceptions about compliance risks spot attention areas, but not how compliance risks are materialized and controlled
  • 87. 1 3 Compliance risk self assessment Question Comments Yes/No/NA Support or test Is strict control maintained over the transfer of personal information? Is personal data classified to determine sensitive data? Do you receive guidance and training about how to manage privacy risks and to comply with obligations about personal information (ie. GDPR, HIPAA)? Do you have an effective method(s) to limit the access to personal data only for fulfilling tasks?
  • 88. 2 3 Interviews with risk owners one on one meetings with participants on the scope allows a guided and detailed collection of risks allows to collect and discuss evidence of materialized risks (ie. loss statistics) provide background information before the interview great level of understanding avoid biases and perceived risks could be supported by analyzing risks in flowcharts
  • 89. 2 3 Interviews with risk owners What to ask… what can prevent your department from meeting compliance requirements? what are the biggest risks facing the company and/or your department now? In the next three years? what key processes are at the greatest risk? what compliance missteps could cause you to miss the annual targets? in what areas would you benefit from additional controls, policies and compliance training?
  • 90. 2 3 Interviews with risk owners What to ask… what compliance and ethics issues do you frequently face in your job? which compliance breaches, wrongdoing and issues have materialized in the past? what are the compliance requirements that the company and/or your department is not addressing very well? what kinds of risks could emerge in the future?
  • 91. 3 3 Risk workshops wide range of perceptions about risks and their controls ensure the consistency of the assessment and ownership of action plans provide background information before the workshop data driven to avoid subjective discussions internal audit can validate the efficiency of current controls legal can validate the impact assessment can be done after the interviews
  • 92. 1 3 2 How do I value risks? Quantitative assessment Qualitative assessment Quali-quantitative assessment 4
  • 93. 1 3 Qualitative assessment uses a numeric pre-defined ranking (AKA risk criteria, score or rating scale) is based on stakeholders' inputs and judgments (adjectives, lack of analytical rigor) impact from minor to catastrophic compliance breach scales: 1 very low, 2 low, 3 moderate, 4 high, 5 very high frequency from rare to almost certain produces a 5*5 or 7*7 heat map useful when lacking time, knowledge or budget to assess risk, initial assessment, 3P due diligence
  • 94. 1 3 Qualitative assessment Impact scale
    1: Regulatory: possible interest from regulators. Legal: threats of litigation or small compensations. Reputational: local headlines for less than a week
    2: Regulatory: heightened interest from regulator, possible investigation. Legal: numerous minor litigation and default notices in contracts. Reputational: national headlines, customer complaints
    3: Regulatory: regulator investigations, probable fine and public censure, regulatory probation. Legal: numerous litigations and contract defaults. Reputational: international headlines, individual actions, class actions possible
    4: Regulatory: regulator fine and potential business closure, massive recall. Legal: numerous major litigations and termination of contracts. Reputational: sustained international coverage, large loss of customers
    Frequency scale: 1 unlikely, 2 occasional, 3 likely, 4 frequent
  • 95. 1 3 Qualitative assessment Words of estimative probability We know it is misleading since 1964! Sherman Kent study
  • 96. 2 3 Quantitative assessment calculate single potential loss in monetary value (EUR) and its probability (%) predicts likely outcomes in monetary value (an approximation) models to facilitate calculations statistical methods, loss databases, fines useful to justify countermeasure costs, analyze key risks, use available data, need to reduce the subjective level, needs for consolidation, in a mature compliance culture
  • 97. 2 3 Quantitative assessment Where is the data? amount of fines in a period losses for legal proceedings accruals for legal contingencies tax, client and vendor disputes and claims fraud losses
  • 98. 3 3 Quali-quantitative assessment hybrid approach (AKA semi-quantitative) links both qualitative and quantitative assessments pre-defined conversion of reputational, operational, safety impacts into a monetary value (multi-criteria analysis) assessments remain done on a qualitative basis acceptable level of bias
  • 99. 3 3 Quali-quantitative assessment Impact scale
    1: Regulatory: possible interest from regulators. Legal: threats of litigation or small compensations. Finance (cost per event): 0-100k EUR
    2: Regulatory: heightened interest from regulator, possible investigation. Legal: numerous minor litigation and default notices in contracts. Finance (cost per event): 100-250k EUR
    3: Regulatory: regulator investigations, probable fine and public censure, regulatory probation. Legal: numerous litigations and contract defaults. Finance (cost per event): 250k-1M EUR
    4: Regulatory: regulator fine and potential business closure, massive recall. Legal: numerous major litigations and termination of contracts. Finance (cost per event): > 1M EUR
    Frequency scale: 1 unlikely, 2 occasional, 3 likely, 4 frequent
  • 100. Scenario assessment
    Base case: best guess, most-likely scenario
    Average of scenarios: (Worse case + Best case) / 2
    Triangular distribution: (Worse + (Base * 3) + Best) / 5
    Monte Carlo simulation: software running 10k+ iterations over the events E1, E2 … En
  • 101. Scenario assessment (chart: frequency against impact, from - to +, marking best case, base case and worse case) High frequency, low impact: operational losses by non-relevant compliance breaches. Medium frequency and impact: non-routine and material losses. Low frequency, high impact: risks affecting the corporate sustainability in the long term. Prudential regulations in banking are increasingly demanding the assessment of worse plausible scenarios (extreme risks)
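  The semi-quantitative conversion (slide 99) and the scenario formulas (slides 100 and 101) can be carried through in a few lines: the weighted point estimate (Worse + Base*3 + Best) / 5, the mapping of a cost per event into the 1-4 impact bands, and a Monte Carlo run that produces an expected annual loss together with the worse plausible scenario in the tail. The Python below is an added example, not code from the deck or its author; the scenario values, the annual probabilities and the 99th-percentile tail are constructed assumptions.

```python
"""Scenario-based quantification of compliance risks.

Added example. It implements the scenario formulas from the slide
((Worse + Base*3 + Best)/5 and the average of scenarios), the
semi-quantitative conversion of a loss into the 1-4 impact bands, and a
Monte Carlo simulation of annual losses. The scenario values and annual
probabilities below are constructed assumptions.
"""
import random
import statistics


def scenario_average(worst: float, best: float) -> float:
    """Average of scenarios: (Worse case + Best case) / 2."""
    return (worst + best) / 2


def triangular_estimate(worst: float, base: float, best: float) -> float:
    """Weighted point estimate from the slide: (Worse + Base*3 + Best) / 5."""
    return (worst + 3 * base + best) / 5


def impact_band(cost_eur: float) -> int:
    """Semi-quantitative conversion of a cost per event into the 1-4 impact scale
    (0-100k -> 1, 100-250k -> 2, 250k-1M -> 3, > 1M -> 4)."""
    if cost_eur <= 100_000:
        return 1
    if cost_eur <= 250_000:
        return 2
    if cost_eur <= 1_000_000:
        return 3
    return 4


# Constructed scenarios (EUR) and annual probabilities for two register risks
SCENARIOS = [
    {"risk_id": "R1", "best": 20_000, "base": 100_000, "worst": 300_000, "p_annual": 0.10},
    {"risk_id": "R2", "best": 5_000, "base": 20_000, "worst": 80_000, "p_annual": 0.10},
]


def simulate_annual_loss(scenarios, iterations: int = 10_000, seed: int = 7):
    """Monte Carlo: in each simulated year every risk occurs with its annual
    probability, and when it occurs the loss is drawn from a triangular
    distribution between best and worst case with the base case as mode."""
    rng = random.Random(seed)   # fixed seed so the run is reproducible
    yearly_losses = []
    for _ in range(iterations):
        total = 0.0
        for s in scenarios:
            if rng.random() < s["p_annual"]:
                total += rng.triangular(s["best"], s["worst"], s["base"])
        yearly_losses.append(total)
    return yearly_losses


def summarize(yearly_losses, tail: float = 0.99):
    """Expected loss, median and the worse plausible scenario (tail percentile)."""
    ordered = sorted(yearly_losses)
    tail_index = min(len(ordered) - 1, int(tail * len(ordered)))
    return {
        "expected": statistics.fmean(ordered),
        "median": ordered[len(ordered) // 2],
        "worst_plausible": ordered[tail_index],
        "max": ordered[-1],
    }


def analytic_expected_loss(scenarios) -> float:
    """Closed-form check: p x mean of the triangular distribution, (best+base+worst)/3."""
    return sum(s["p_annual"] * (s["best"] + s["base"] + s["worst"]) / 3 for s in scenarios)


if __name__ == "__main__":
    estimate = triangular_estimate(300_000, 100_000, 20_000)
    print("point estimate R1:", estimate, "impact band:", impact_band(estimate))
    stats = summarize(simulate_annual_loss(SCENARIOS))
    print({k: round(v) for k, v in stats.items()})
```

  Note the difference between the two outputs: the point estimate places a single risk on the heat map, while the simulation gives a distribution whose median is zero in most years (neither event occurs) but whose 99th percentile is the figure a prudential regulator would ask about. The `analytic_expected_loss` check is there to confirm the simulation converges to the expected value before the tail figure is trusted.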
  • 102. Compliance risk assessment policy document the risk assessment methodology supporting a company-wide global risk policy simple, realistic and auditable approved by the board accountability and responsibility reporting process measure performance 4
  • 103. Evaluate and prioritize risks identify which processes, business units or activities are the most vulnerable to an ethical and compliance breach focus the treatment on the highest relative potential impact compared against the risk tolerance consolidate by category to identify accumulations of similar compliance risks and interactions review the consistency of the assessment sort by exposure (risk velocity suggests the treatment urgency) 5
  • 104. Identify action plans enables a business conversation about mitigation alternatives respond to significant risks by improving the ethics and compliance program prevention plans by resourcing controls contingency plans by planning reactions clear responsibility of ownership, due dates and tasks revise responsibilities, budgets, policies, training, 3P due diligence document decisions 6
  • 105. Identify action plans 6 The 4Ts
    Transfer: insurance, outsourcing, liability clauses in contracts
    Terminate: ceasing the activity affecting the corporate sustainability, leaving a jurisdiction
    Tolerate: frequent monitoring, emerging regulation
    Treat: preventive and corrective internal controls or remove the sources
    Black swans: remote and hard to predict catastrophic events
    Prevention plans: policies and procedures, segregation of duties, authorizations and supervision, checklists, training and compliance audits
    Contingency plans: crisis protocol, self-disclosure, corporate defense, investigation policy
  • 106. The risk-based approach to compliance management does not mean that noncompliances in low compliance risk situations are accepted by the organization. It assists organizations in focusing on higher risks as a priority, and ultimately will cover all compliance risks. All identified compliance risks should be subject to monitoring and corrective action ISO 19600 4.6
  • 107. Identify action plans Example actions plans for bribery risks revise policies addressing anti-bribery laws design training for sales personnel to government customers issue guidance on how to hire and retain foreign agents require approvals for sales to a foreign government require preapproval for gifts and entertainment develop and monitor gift and entertainment reports audit and monitor risk mitigation efforts 6
  • 108. If you want something to be done, ask a person. If you want something to fail, assign it to a committee.
  • 109. Case circumventing controls Credit Suisse AG includes training on regulatory updates as part of its compliance program 3 executives gave their logins to secretaries to complete the eLearning exercises for them It was discovered during a regulator audit How should the risk of circumventing controls be mapped? Three bankers in the Swiss bank's loan-bundling unit got administrative assistants to complete required compliance training courses on their behalf. As punishment, they had to give back a portion of their 2015 bonuses.
  • 110. Communicate the assessment approve the assessment by the top management report to all stakeholders tailor reports for each type of stakeholder and risk owner reader-centered report by function, by business units, consolidated executive summary, heat maps, risk lists, dashboard, KRIs, supplemental info and aggregated workshop discussions define target metrics associated with risks highlight interrelated risks. 7
  • 111. Monitor risks and action plans continuously monitor that risks are treated according to the action plan use progress reports about the efficiency of the action plans use key compliance risk indicators compare the assessment against losses update the risks, at least annually, to adjust risk perceptions assess the control efficiency by partnering with internal audit identify emerging risks revise the compliance risk policy and framework 8
  • 113. OECD Corruption Risk Assessment
  • 116. US Organizational Sentencing Guidelines Risk assessments need to be made at all stages of the development, testing, and implementation of a compliance program to ensure that compliance efforts are properly focused and effective. To benefit from an effective compliance program and the reduction in the culpability score, the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each (of the components of an effective compliance and ethics program) to reduce the risk of criminal conduct identified through this process.
  • 117. US Organizational Sentencing Guidelines Prioritize periodically the elements of the program in order to focus on preventing and detecting the criminal conduct identified in the risk assessment process as most likely to occur What is expected? A reasonable risk based approach Stronger controls addressing higher risks Consistent application of controls to risks Documenting the risk assessment Periodic review of the risk analysis
  • 118. Potential impacts to assess Penalties, fines and punitive damages Private settlements Legal fees and investigation costs Product liabilities and recalls Disadvantage with suppliers Withdrawal of capital Increased staff rotation Increased costs Loss of revenue, voided contracts Loss of market capitalization Impact on the profit and loss (before taxes)
  • 119. Compliance risk radar (quadrants: Regulatory, Legal, Ethics, Contract) inability to prevent a personal data breach (GDPR); lack of regulatory certainty on new markets; failure to perform concession obligations; inability to prevent corruption by 3Ps; failure to resolve tax disputes; poor controls to prevent accounting fraud; violation of IP rights in vendor agreements; poor anti-bribery controls in public tenders
  • 120. 1 3 Tips for assessing compliance risks avoid the paralysis of over-analysis: continuous improvement, start with a pilot or a group think start with the major areas of requirements to expand the scope over time (by department, by seniority, by country, by risk categories) involve managers with practical experience in dealing with compliance requirements explain that the exercise is future oriented
  • 121. 1 3 Tips for assessing compliance risks Traditional legal approach reactive when a breach already occurred defense to minimize legal consequences Compliance approach preventive to avoid breaches managing resources to address key risks need for compliance risk assessments
  • 122. The goal of assessing #compliance risks is not to produce a colorful heat map… but to improve the decision making
  • 123. Case study Performing legal risk map toolkit to set priorities among different legal and compliance risks template to develop plans to mitigate risks focused on US companies or multinational companies with US operations
  • 124. Discussion case Bank Secrecy Act / anti-money laundering examination manual Risk assessment
    Identify and measure risks:
    - Products and services: retail vs. private banking; domestic vs. foreign accounts; merchant accounts vs. 3P payment processors
    - Customers: face-to-face contact vs. electronic banking; financial institutions vs. non-banking institutions; politically exposed persons; nonresident aliens
    - Geographic locations: tax havens, sanctioned
    Develop applicable:
    - Policies and procedures: consolidated BSA/AML compliance risk assessment; reporting suspicious activity
    - Systems and controls: customer identification program; customer due diligence
    A risk-based BSA/AML compliance program should result in:
    - Internal controls: risk-based controls to identify, research, and report suspicious activity
    - Audit: risk-based and independent
    - BSA compliance officer
    - Training
    Pag 18 to 26
  • 125. Discussion case Bank Secrecy Act / anti-money laundering examination manual Bank examiners should evaluate the adequacy of the BSA/AML risk assessment process Review the bank’s BSA/AML risk assessment. Determine whether the bank has included all risk areas, including any new products, services, or customers, entities, and geographic locations. Determine whether the bank’s process for periodically reviewing and updating its BSA/AML risk assessment is adequate. If the bank has not developed a risk assessment, or if the risk assessment is inadequate, the examiner must complete a risk assessment. Examiners should document and discuss the bank’s BSA/AML risk profile and any identified deficiencies Pag 27
  • 126. Discussion case An organization contributes to development through compliance with laws and regulations In some circumstances community groups' failure to operate within the intended legal framework is a consequence of poverty or development conditions. In these circumstances, an organization that is involved with groups operating outside the legal framework should aim to alleviate poverty and promote development. An organization should also seek to create opportunities that will enable these groups to achieve greater, and ultimately full, compliance with the law, especially concerning economic relationships. ISO 26000 Social Responsibility 6.8.7.1
  • 127. Risk culture
    Initial: ad hoc, only sponsored by the compliance officer, reactive
    Fragmented: narrow focus, different reporting channels for IT compliance, contract and criminal risks
    Top down: compliance risk policy reaching many stakeholders, common reporting and treatment, understanding of most activities and controls, routine assessment
    Mature: integrated approach, defined risk tolerance, consistent measuring, treatment and reporting, escalation procedures, scenario planning, key risk indicators
  • 128. The compliance risk-taking culture will take a long time to change, but it is worth measuring
  • 130. 3rd party compliance
    Third parties: joint venture partners, consortium partners, manufacturers, distributors and resellers, intermediaries and sales agents, marketing and sales agents, logistics and supply chain, contractors, tax, legal and business advisors, consultants, outsourced services providers, customs or visa agents, lobbyists
    Risk factors: regulatory compliance, contract compliance, fraud risks
    Risks: anti-money laundering, data privacy, export controls, anti-corruption, license and contract term controls, cost recovery, conflict of interests, use of intellectual property
  • 131. Examples of 3P risks A distributor pays bribes to customs officials to move goods across borders A company´s supplier is not providing safe work conditions or complying with labor laws An agent uses part of its fees to bribe procurement officials to award a contract to the company A supplier offers a kick-back to a company employee to award it a contract
  • 132. FCPA requires due diligence in dealing with 3Ps and knowledge of red-flag issues around 90% of reported cases involved third-party intermediaries
  • 133. Discussion case Carlos in Mexico The new Mexican branch of your company is bidding on a public contract The local law on public procurement is based on a statute detailing a complex bidding process modified by many government decrees Carlos, the local Sales Director, needs an advisor to navigate the public procurement process A friend of his recommended Jose who helps multinational companies with bidding regulations Jose has a reputation for getting things done and appears to have a very good relationship with key people in the procuring public agency Jose has no adverse information in the media or public databases Carlos contacted you (corporate compliance officer) to identify 3P risks and controls
  • 134. A company that pays bribes is no longer in control of its business
  • 135. 3P risks Legal and regulatory bribery money laundering financing terrorism personal information conflict minerals reporting requirements restricted transactions labeling labor and working conditions Compliance contractual supply chain disruptions IT security health and safety environmental operational quality
  • 137. Discussion case: Rana Plaza
    Garment-factory collapse in Bangladesh (2013) with a death toll of 1,134. Three floors had been added illegally above the five floors of the original permit. Customer demands on the fast-fashion and low-cost clothing industry pushed the UK modern-day slavery law (Modern Slavery Act 2015): oversight of working conditions in the supply chain, and audits of direct and second-tier suppliers.
  • 138. 3P compliance
    1. Identify business partners: ERP and CRM vendor masters, accounts payable records, contracts. Define 3Ps and their categories. Remove duplicates to consolidate. Create a centralized database.
    2. Assign a risk rating to 3Ps: link 3Ps to requirements and to the risk of a compliance breach. Classify 3Ps into segments by risk factors (contract value, legal requirements, bribery, fraud, PEPs). Perform due diligence.
    3. Risk-based process to manage each third-party relationship: vendor accountability, performance measurement, contracts and amendments, code of conduct for 3Ps, training and certification requirements, reporting and monitoring of compliance, incident response, remediation plans, audits, continuous reassessment.
  • 139. 3P risk factors
    High contract value; provision of critical services; conflicts of interest; regulated services; authorization to represent the company; dependence on critical licenses to operate; operations in countries with high levels of corruption (Transparency International); operations in sectors vulnerable to corruption; interaction with public officials; personal data management; use of second-tier contracts; unusual payment demands, methods or amounts; poor 3P governance.
  • 140. Country risk ranking
    Legal and political: Rule of Law Index by the World Justice Project; Regulatory Quality by the Worldwide Governance Indicators; regulations and enforcement by Doing Business; Political Risk by Coface. Treatment: change the "governing law" and "jurisdiction" clauses.
    Fraud and corruption: Corruption Perceptions Index by Transparency International; Basel AML Index for money laundering. Check the country of registration, of operations and of payment separately, since they can differ. Treatment: enhanced anti-corruption clauses and screening.
  • 141. Contract review: initial screening
    Approval matrix by 3P risk level:
      High   - approved by the compliance officer
      Medium - approved by the regional compliance heads
      Low    - approved by local management
    Possible decisions: approved; rejected; further investigation; conditionally approved (enhanced contract terms, additional internal controls, extended audits and monitoring, annual re-certifications).
    Lifecycle: contracting, amendments and renewal each trigger assessment, monitoring, a decision, and continuous reassessment.
  • 142. 3P risk treatment
    Due diligence (pre-contract): companies and individuals; background checks; questionnaire and documentation completed by the 3P after a request by a business unit.
    Audits: compliance with codes of conduct and policies, with regulations and laws, and with contract stipulations.
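The identify-consolidate-rate-route procedure of slides 138 to 141 is easy to describe and easy to get wrong at the consolidation step, where the same agent appears under three spellings in the CRM, the ERP and accounts payable and is scored three times as a low-value vendor. The following is an added example, not material from the slides or from any named tool: it merges vendor records across systems on a normalized name, scores the consolidated party against the risk factors of slides 139 and 140, assigns a High/Medium/Low tier and routes it to the approver of the slide-141 matrix, keeping the reasons for the decision record. The weights, thresholds, index values and sample records are all constructed assumptions; the country figures are illustrative and should be replaced with the current published index values.

```python
"""Third-party (3P) risk tiering: consolidate vendor records, score risk factors, route approval.
Weights, thresholds, index values and sample records are constructed for this example."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Trailing legal-form tokens ignored when matching names across systems (assumed list).
LEGAL_SUFFIXES = {"sa", "de", "cv", "ltd", "llc", "inc", "gmbh", "srl", "plc",
                  "corp", "co", "ag", "bv", "nv", "as", "a", "s"}
HIGH_RISK_CATEGORIES = {"intermediary", "sales agent", "customs agent", "visa agent", "lobbyist"}
FLAG_FIELDS = ("represents_company", "public_official_contact", "pep_link",
               "handles_personal_data", "unusual_payment_terms", "second_tier_contracts")
# Illustrative values only (CPI 0-100, lower = more perceived corruption; Basel AML 0-10, higher = riskier).
COUNTRY_INDEX = {"MX": {"cpi": 31, "aml": 5.6}, "NO": {"cpi": 84, "aml": 3.0},
                 "GB": {"cpi": 71, "aml": 4.1}}
APPROVER = {"High": "Compliance officer", "Medium": "Regional compliance head", "Low": "Local management"}
DUE_DILIGENCE = {"High": "enhanced: background checks on company and individuals, enhanced "
                         "anti-corruption clauses, conditional approval with extended audits",
                 "Medium": "standard: questionnaire and documentation completed by the 3P",
                 "Low": "basic: sanctions and adverse-media screening"}


@dataclass
class ThirdParty:
    name: str
    country: str
    contract_value: float = 0.0
    category: str = "supplier"
    represents_company: bool = False
    public_official_contact: bool = False
    pep_link: bool = False
    handles_personal_data: bool = False
    unusual_payment_terms: bool = False
    second_tier_contracts: bool = False
    sources: set[str] = field(default_factory=set)


def normalize_name(name: str) -> str:
    """Lower-case, drop dots and punctuation, strip trailing legal-form tokens."""
    tokens = re.sub(r"[^\w\s]", " ", name.lower().replace(".", "")).split()
    while tokens and tokens[-1] in LEGAL_SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def consolidate(records: list[dict]) -> dict[str, ThirdParty]:
    """Merge ERP/CRM/AP records of one party: highest contract value, OR of the risk flags."""
    parties: dict[str, ThirdParty] = {}
    for rec in records:
        key = f"{normalize_name(rec['name'])}|{rec['country']}"
        tp = parties.setdefault(key, ThirdParty(name=rec["name"], country=rec["country"]))
        tp.sources.add(rec["source"])
        tp.contract_value = max(tp.contract_value, float(rec.get("contract_value", 0)))
        if rec.get("category"):
            tp.category = rec["category"]
        for flag in FLAG_FIELDS:
            if rec.get(flag):
                setattr(tp, flag, True)
    return parties


def score_third_party(tp: ThirdParty) -> tuple[int, list[str]]:
    """Additive score over the risk factors; the reasons are kept for the decision record."""
    score, reasons = 0, []

    def add(points: int, why: str) -> None:
        nonlocal score
        score += points
        reasons.append(f"+{points} {why}")

    idx = COUNTRY_INDEX.get(tp.country, {"cpi": 0, "aml": 10})  # unknown country: worst case
    if idx["cpi"] < 50:
        add(3, f"country CPI {idx['cpi']} below 50")
    if idx["aml"] >= 5:
        add(2, f"Basel AML index {idx['aml']} at or above 5")
    if tp.contract_value >= 1_000_000:
        add(3, "contract value at or above 1M")
    elif tp.contract_value >= 100_000:
        add(1, "contract value at or above 100k")
    if tp.category in HIGH_RISK_CATEGORIES:
        add(2, f"intermediary role: {tp.category}")
    if tp.represents_company:
        add(2, "authorized to represent the company")
    if tp.public_official_contact:
        add(3, "interacts with public officials")
    if tp.pep_link:
        add(3, "linked to a politically exposed person")
    if tp.unusual_payment_terms:
        add(3, "unusual payment demands, methods or amounts")
    if tp.handles_personal_data:
        add(1, "processes personal data")
    if tp.second_tier_contracts:
        add(1, "uses second-tier contracts")
    return score, reasons


def tier_for(score: int) -> str:
    return "High" if score >= 9 else "Medium" if score >= 4 else "Low"


def assess(records: list[dict]) -> list[dict]:
    """Consolidate, score, tier and route every party: one decision record each."""
    out = []
    for key, tp in consolidate(records).items():
        score, reasons = score_third_party(tp)
        tier = tier_for(score)
        out.append({"key": key, "name": tp.name, "sources": sorted(tp.sources), "score": score,
                    "tier": tier, "approver": APPROVER[tier], "due_diligence": DUE_DILIGENCE[tier],
                    "reasons": reasons})
    return out


# Constructed sample records: the same party appears under different spellings in CRM/ERP and AP.
SAMPLE_RECORDS = [
    {"source": "CRM", "name": "Bid Advisory Mexico SA de CV", "country": "MX",
     "category": "intermediary", "represents_company": True, "public_official_contact": True},
    {"source": "AP", "name": "BID ADVISORY MEXICO, S.A. DE C.V.", "country": "MX", "contract_value": 120_000},
    {"source": "ERP", "name": "Nordic Freight Logistics AS", "country": "NO",
     "category": "logistics", "contract_value": 2_500_000, "second_tier_contracts": True},
    {"source": "AP", "name": "NORDIC FREIGHT LOGISTICS A/S", "country": "NO", "contract_value": 2_300_000},
    {"source": "ERP", "name": "Office Supplies Ltd", "country": "GB", "category": "supplier", "contract_value": 8_000},
]

if __name__ == "__main__":
    for d in assess(SAMPLE_RECORDS):
        print(f"{d['tier']:6} {d['score']:2}  {d['name']} ({', '.join(d['sources'])}) -> {d['approver']}")
        for r in d["reasons"]:
            print("          ", r)
```

Two design points carry over to a real implementation: unknown countries are scored as worst case rather than skipped, so a party with a missing country cannot slip into the Low tier by omission, and the reasons list is what the approver of the matrix sees, so a conditional approval can name the exact factor (for example contact with public officials) that the enhanced contract terms and audits must address.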
  • 143. Learn more...
    ISO 31000 (Risk management) and ISO 19600 (Compliance management systems)
    Compliance and Ethics Leadership Council - Performing a Legal and Compliance Risk Map
    Tabuena, Jose - Conducting the Compliance and Ethics Risk Assessment (SCCE Manual)
    Whalley, Matthew - The Legal Risk Management Handbook
    Archbold, Carol - Police Accountability, Risk Management, and Legal Advising
  • 145. What have you gotten from the classes?