The question raised in our previous edition became the starting point of this article and will help us to better understand the relevancy of this tool. Remember: “Is there a specific risk assessment that suits with your business, and if so - how to define educational actions to your leadership and employees aiming to leverage Corporate Integrity – CI as a competitive advantage for your company?”
The risk assessment becomes a relevant methodology for the strategic development of companies. Thru this tool it will be possible to analyze each potential risk that your company needs to address and identify with the objective to establish structured internal procedures, value chain, policies, including mechanisms and monitoring controls, if existent.
In fact, the assessment must be made in all potential areas of the company, such as operational or commercial, besides those that involve internal and functional controls to help develop the risk matrix. We propose that some specific analysis regarding the company relevant market shall be done considering its regulatory environment, risk impact, and probability of occurrence of individual risks.
Examples of risk areas to be analyzed and understood aiming to create concrete and specific goals. It is recommended to develop an analysis for each specified ompany considering their maturity degree and structure of internal disciplines. Here we are going to highlight areas that might or might not necessarily compose a risk assessment for the company:
- Competitivity: potential risks of commercial practices that might violate the legislation of commercial defense, cartel practices, and risks associated with combination of prices and or similar commercial behaviors that are not allowed by the legislation.
- Contracts: risks related to contracts, commercial and services definitions, price formation, choice of suppliers and definition of customers, bidding procedure.
- Information Policy: risks associated with the right use of information, restricted and privileged use, and data storage according to the company’s policies.
- Document retention: risks related to management and appropriate storage of data according to company’s policies.
- Tax report: risks of non-compliance with tax legislation, definition of tax incentives programs and impacts of non-compliance.
- Bribery: anti-corruption risks, interaction with governmental authorities, certification, authorizations, and regulatory approvals.
- Reputational risk: risks that might affect the company’s image, brand, and relationship with civil society and or social responsibility.
- Human Rights and social inclusion: risks related to disrespect of human rights, compliance with labor legislation, diversity, inclusion, and HR rules.
- Credit recovery of suppliers and clients: risks related to discount concessions and guarantees with partners, clients and suppliers; negotiation of debts and companies´ credits, and offer of credit lines, if applicable.
- Sale practices: risks of commercial policies, allocation of commercial resources, relationship with clients, practices of free competition, discount policies or rebates.
- Confidential information: risks from inadequate training of privileged and restricted company information.
- Regulatory matters: risks related to non-compliance of legislations and regulations that affect the company’s business and or products, including requests from governmental agencies.
- Real estate and respective taxes: risks regarding to non-regularization of company’s assets and associated tax obligations.
- Inadequate use of company’s equipment and assets: risks related to inadequate usage of corporate equipment and work related tools.
- Internal controls related to expenses or entertainment applied to clients and suppliers: risks related to inadequate expenses reports related to interaction with clients and suppliers; authorization expenses policies and guidelines for entertainment with clients, events, training, and others.
- Corporate ethics and conduct policies: risks related to compliance structure, compliance committee formation, channel for reporting complaints, investigation processes, application of disciplinary measures, application of internal controls and evaluation of independent performance processes.
- Third Party Intermediary: risks related to hiring partners or intermediaries that interact with government and regulatory agents, including customs agent, freight fowarders, commercial and sales representatives, or other partners that act on behalf of the company.
If your company have already completed a risk assessment adequate to the size and priorities of your business. Joint with the employees and reflect about the identified risks of each area or function in order to establish efficient models of controls. Besides that, you shall also consider that thru the detected risks, you can define how to handle them and if it is still necessary to make specific adjustments or actions to get efficiency and better results for your company.
This risk analysis review must be constant and dynamic in your company. It must be incorporated in the company’s routine to assure the effectiveness of results within a continuous improvement processes.
The result of self- review together with a detailed action plan will be substantial to generate your company’s success as well as to assure your company to reach expected high standards. Find below some samples of questions for your reflection:
- Do you, as an entrepreneur or functional leader, review if the expense reports from your employees contain adequate reasons of the expenses; are the physical receipts attached and the description of the expenses are aligned with your company´s control guidelines?
- Do you and your team understand the travel expenses policy? Are there trainings and certifications applied for the authorization policy?
- How do you describe the work environment in your company? Do employees have more than one vacation period due? Do your HR policy include diversity and inclusion as part of growth initiatives? How are the mechanisms for reporting compliance complaints?
- How is the regulatory environment in your company? Does your segment or products have any specific regulatory requirement or a specific permit or license necessary t o operate ? or is there any legal requirement to be provided by any specific governmental agency that affects your business or commercial activity?
- How do you manage confidential information in your company? How do your employees assure the confidentiality is respected?
- Do Purchasing or Commercial Departments have adequate procedures to mitigate compliance risks? Are those risks aligned and defined by formal procedures to be followed the employees?
- How are the documents or strategic information being filed and storage in the company? Are the retention policies required by the local legislation being followed?
It was recently published the Personal Data Protection Law in Brazil (August 15th) which represents a relevant advance of Brazilian Legislation as in other Latin America countries, with the implementation of defined mechanisms within Digital Compliance Era. By the legislation it will be mandatory that companies review the means of safeguarding information from individuals, specially the following ones: ownership of data, personal data, sensible information, collection, treatment, consent, legitimate interest, among others. Specific handling of personal data will have high level importance as well as the adequate treatment and management of the individual data. This law will come into effect 18 months after its publication. We shall apply necessary attention to evaluate and adequate the information already in use to avoid risks that can be substantial to the core value of the companies.
The Compliance initiatives do not represent cost or bureaucracy steps but it has been performing an outstanding financial factor for the success the organization. The Risk Assessment aligned to the company profile represents the essential tool of Corporate Integrity Area and it may represent the key of your business’ priorities.