We all assess risk – but what do we do with it?


by Deann M. Baker, CHC, CCEP, CHRC

Risk assessment is key to the success of a compliance and ethics program within an organization. That does not mean that the other elements of an effective compliance and ethics program, as defined by the Federal Sentencing Guidelines (FSG), are any less important. However, none of the other elements will be as effective if the organization does not implement a thorough risk assessment process, because the assessment is what tells the organization where those elements need to be applied.

The FSG states that organizations, to demonstrate the implementation of an effective compliance program, “shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.” Subsection (b) lists the elements of an effective program, which the FSG describes as the minimum requirements for exercising due diligence and promoting an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

“Risk assessment” refers to identifying and evaluating operational and organizational risks and taking steps to minimize them. Every organization’s goal is to fulfill its mission, achieve growth, continually improve quality, and remain financially viable. The risk assessment process helps an organization accomplish this by showing where it needs to allocate its financial and human resources to minimize the risks to achieving those goals.

Risk can be identified in a number of ways. It might be identified because a pattern of problems emerged during the past year with a particular program or process. Changes to laws or regulations may affect existing processes, or new technology may have increased the risk to an operational area. The most important part of the process is the discussion that should occur at various levels of the organization, so that all concerns are brought to light and evaluated. Once the risks are identified, they can be weighed and prioritized, and a plan can be developed to address them.

Everyone has the potential to identify some level of risk within the work they do. Housekeeping might identify a potential infection risk because of improper waste disposal. Perhaps a janitor finds confidential documents thrown away rather than shredded, as the organization’s policy requires. An individual might notice a pattern of approved reimbursement requests that do not meet requirements, or become aware of a conflict of interest between a manager and a vendor. It is important to share such concerns, whether with the supervisor of that area, through the chain of command, directly with the compliance professional, or through the confidential message line (hotline). The scenarios above are the sort of matters that can sometimes be addressed early and quickly, without involving the compliance professional or the risk assessment process. However, they sometimes also need to be considered within a risk assessment to determine whether additional resources (e.g., equipment, people, processes) should be dedicated to an area of risk, especially when there is a pattern of failures and of consequences that follow from those failures.

All organizations have risk, and all of us have the potential to identify it. What individuals and the organization choose to do about that risk is what matters to the success of the organization.


Y-Comply, a service of the Society of Corporate Compliance and Ethics, is a compliance-related article delivered quarterly to subscribers via email.

Y-Comply is intended to help communicate the value and purpose of compliance and ethics to the general workforce. You are free to copy this article to your organization’s website or electronically distribute it to your workforce; no attribution to either SCCE or the article’s original author is necessary.


  1. Thanks very much for your very relevant, timely, and insightful tutorial, particularly when the entire global corporate and government sectors are having to deal with multiple risks of varying degrees. Surely risk assessment and determination procedures are the very basics of dealing with risk factors and events, but the actual implementation and completion process is equally necessary as well, for instance through access to very effective technological and human resources to precisely and directly deal with risks and other related issues.
