The cornerstone of any compliance program is the ability to conduct regular and thorough risk assessments so that the nature and extent of all company risk are unearthed, including where risk lies and who it lies with.
Complacency, the enemy of vigilance, too often sets in at organizations for a host of reasons. An organization may rationalize: a) our system works; b) little has changed in business operating practices; c) our monitoring controls will flag such risk; d) it’s too costly and time consuming.
Sometimes we even see an expression of conceit or overconfidence by a corporate executive immediately prior to the occurrence of any number of unforeseen calamities.
To avoid being lulled into complacency and a false sense of security, continuous and planned assessments should take place based on functional and operational risk levels.
It is imperative that the board is also properly exercising the due diligence demanded of it with respect to exactly how the organization’s strategic plan is being implemented and managed.
Managing Anti-bribery and Corruption Compliance is no different!
Appropriately, section 4.5 titled “Bribery Risk Assessment” of the ISO 37001 Anti-Bribery Management System standard states, “4.5.1 The organization shall undertake regular bribery risk assessment(s), which shall: a) identify the bribery risks the organization might reasonably anticipate, given the factors listed in 4.1; b) analyze, assess and prioritize the identified bribery risks; c) evaluate the suitability and effectiveness of the organization’s existing controls to mitigate the risks.”
Specktrum’s experience in performing risk assessments is demonstrated by its risk assessments having been relied on for ISO 37001 certifications.
Specktrum employs a strict methodology modeled in part on the classic top-down risk assessment that internal audit often conducts as part of its annual general risk assessment. Our version takes key vitals (elements) that relate to bribery and corruption and applies them across the organization.
Specktrum’s scope for risk assessments can be wide or narrow depending on organizational needs.