Risk mitigation and trade-off
The treatment of compliance risks refers to the corresponding strategies implemented by an organization to deal with its risks. A risk treatment plan should consider a range of treatment options, which may include legal remedies as well as financial, operational and reputational remedies for each prioritized risk.
The following factors should be considered when choosing an appropriate option for the treatment of compliance risks:
- the organizational risk management policy, strategic objectives, core values and legal responsibility of the organization;
- a cost benefit analysis of responding to compliance risk;
- the stakeholders’ perception and their values, attitude to risk and tolerance levels, as well as their preferences on certain compliance risk treatment strategies;
- the availability and allocation of resources needed to manage the risk;
- a legal review (including scope and depth) of laws, contractual commitments and limiting risk contractually;
- legal opinions;
- the extent to which the compliance risk can under law be transferred, delegated or insured against;
- the level of risk awareness and maturity level within the organization.
Different mitigation and treatment strategies can be tested to determine which option provides the best value in risk reduction for the cost involved. Different mitigation strategies can be graphically represented as on the diagram below:
Reporting and monitoring
The monitoring and review of the management of compliance risks includes the following:
- staying abreast of changes in the environment, such as the introduction of new laws and the enforcement of such laws, in order to adjust the organization’s strategy accordingly;
- monitoring events triggered by compliance risk, analysing their frequency and patterns, and drawing conclusions from them (including potential correlation with and amplification of other risks);
- considering an early warning system with key stakeholders to identify warning signals for significant compliance risks that could arise;
- monitoring and reviewing:
- outcomes following risk treatment;
- changes in the environment;
- the building of integrated risk treatment plans;
- the designation of the responsible and accountable parties;
- comparing progress with the risk treatment plan, reviewing and updating the risk treatment plan periodically and in a timely manner to seek assurance on its adequacy, suitability and effectiveness in relation to the management of compliance risk.
An organization should consider the following issues in relation to record-keeping and reporting:
- legal professional privilege, attorney–client privilege and work product (or their equivalent concepts and terms under the relevant national law);
- destruction, retention and privacy policies, in accordance with data protection laws;
- the availability and accessibility of documentation for stakeholders to improve decision-making and for internal or external audit purposes.
- whether the relevant documentation needs to be maintained securely, with a chain of evidence process documenting that no alterations have been made to the documents, information or evidence;
- confidentiality and security measures in relation to documentation of a confidential nature, such as setting up limited and authorized access to such documentation.
An organization should report on the progress of changes in implementing the management of compliance risks and adherence to the measures.