Too often, companies are siloed in their approach to assessing risk in foreign jurisdictions. FTI Consulting’s Ken Jones and Lindi Jarvis explore what companies should keep in mind when developing and refining their overarching risk assessment methodologies.
For many companies, breaking down the organizational barriers that impede seamless interactions and operations is a clear priority. However, this is easier said than done, which is why many organizations have not figured out how to effectively collapse these walls.
In risk management, silos prevent management from having a view into all the risks impacting a business at any given time. Far too often, companies are siloed in both their organizational structure and their approach to assessing risk, especially in foreign jurisdictions. As a result, management is unsure about the true risks and whether it is funding the right programs. This leads to confusion regarding how to prioritize certain risks, which is inefficient and costly.
For example, a pharmaceutical company may have research and development operations in six countries, processing facilities in nine countries and sales and distribution in another 20. Similarly, financial services firms may have some combination of retail banking, broker-dealer and asset management in various countries. Understanding the risks associated with the types of facilities, products and services – while at the same time considering the global and local country regulatory requirements – is a daunting task, especially when management doesn’t have a clear view of risk across all operations.
Far too often, companies develop siloed strategies for one risk, such as fraud or money laundering. However, by looking at related risks (fraud, anti-bribery and corruption, money laundering, export sanctions and cyber) simultaneously, management can have a true understanding of the entire risk landscape and a roadmap to address top priority risks.
Instead, companies should focus on developing a global risk strategy that might include annual risk-based rotations, surprise assessments, and proper exchanges and coordination between the first, second and third lines of defense.
The Benefits of Holistic Risk Management
The benefits of reviewing related risks in tandem are plentiful. Companies can determine which risk assessments make sense for each country based on knowledge of investigations, regulations, products, services and operations in that specific country.
For example, a company might be planning a Foreign Corrupt Practices Act (FCPA) risk assessment of offices in foreign jurisdictions. But by simultaneously conducting a fraud and FCPA risk assessment, the company will be more likely to succeed in identifying the greatest risks for that country and addressing related procedures and controls. The result is that the company will spend time, effort and resources on the areas in greatest need of remediation.
Understanding the full risk landscape allows companies to prevent incidents proactively, or helps them improve a compliance program after a criminal or ethical violation. Regulators are far less tolerant of repeated risk failures in their country. For example, if a company addresses control failures after an insider fraud incident, then later experiences a bribery and corruption scandal, regulators might believe the broader compliance program is sub-par.
A second incident has a significantly larger impact, including regulatory fines, enhanced scrutiny, diminished reputation, reduced ability to expand operations and other costs. Conducting a cross-functional risk assessment can reduce the likelihood of a repeated offense and the related impacts and costs.
Well, how do we get there?
Organizations have struggled to break down barriers and silos for years. However, there are ways to assess risk in other countries that can be fruitful, efficient and cost-effective. Here are four examples:
1. Evaluate the Current Risk Assessment Methodology
For many organizations, it will be critical to review and refine the current risk assessment methodology to be more comprehensive. Risk assessors should completely understand the business environment, including products, services, locations, workforce and clients. They should know related policies (fraud, anti-money laundering, bribery and corruption, export controls and sanctions), procedures and past assessments. Additionally, it’s important for companies to have an understanding of the most pressing regulatory guidance – including both within the country of the assessment and the regulations with global reach.
Sending a team to execute a risk assessment in a foreign country is expensive and often these individuals may not have the in-depth knowledge of domestic laws, regulations and customs. Without cross-training, cross-functional risk assessments generally require several people, which increases costs even more.
By cross-training risk assessors, companies can reduce costs and further develop compliance personnel by broadening their understanding of inter-related risks, such as fraud, money laundering, bribery and corruption. By expanding the knowledge of individuals, barriers are inherently broken down as people can take on more tasks and gain a greater understanding of risk.
Risk assessors who have experience conducting fraud, money laundering, anti-bribery and corruption, sanctions and cyber risk assessments across a broad industry spectrum bring an added benefit to companies: knowledge of a variety of schemes, governance, controls, data, intelligence, analytics, alerting and management information, which is adaptable and highly beneficial to any company.
3. Tap into Outside Resources
Maintaining familiarity with both global regulations (such as the U.S. FCPA and the U.K. Bribery Act) and local laws (such as Brazilian antitrust laws) is a daunting task, but it is essential to understanding the true regulatory risks impacting global corporations.
Many companies seek external support simply because it can be difficult to keep up with the changing regulatory environment if the company has operations in a large number of countries. Additionally, peer comparisons can be extremely helpful. While they might not always be available, in some cases industry associations, regulatory guidance and regulatory orders can reveal risk failures and best practices to consider.
4. Create a Risk Radar
Companies should align compliance risks with broader operational and regulatory risks by creating risk radars. These risk radars can provide leadership with a coherent roll-up of risks on a broader organizational level. Risk radars start with a singular risk, like money laundering, then a broader radar can show comparative risks, such as fraud, export sanctions, bribery/corruption and cyberattacks. An even broader radar can show all operational or regulatory risks. Radars can be adapted to also demonstrate country-specific risks and multiple jurisdictional risks.
It’s easy to understand how silos create barriers to efficient and effective risk management programs. However, there are practical strategies for overcoming these barriers and creating a holistic view of the global risk landscape for any given organization. By cross-training individuals, leveraging third-party resources and creating risk radars, organizations have the opportunity to truly understand the risk landscape across their operations.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates or its other professionals.