BY: ComplyLog|May 16, 2023|Risk
In 2021, the national competent authorities (NCAs) in the European Union issued 366 administrative and 29 criminal measures and sanctions for infringements of the Market Abuse Regulation (MAR). The aggregated penalties for these indiscretions totalled nearly €60,000,000.
With MAR comprising just one weapon in the union’s regulatory arsenal, it is evident that proactive compliance measures are the only way to reduce the risk of financial damage to organisations. And a compliance risk assessment questionnaire can aid your attempts to prevent wrongdoing within your company.
Non-compliant companies risk more than financial penalties. Failing to manage compliance risk can also lead to:
This article discusses the purpose of a compliance risk assessment questionnaire, as well as examples of what to include in yours in order to shore up your compliance efforts.
Table of Contents
II) What to include in a compliance risk assessment questionnaire
Your compliance risk assessment helps you to identify, analyse, prioritise and mitigate legal and regulatory threats to your business. The questionnaire allows you to canvas the opinions of stakeholders in order to create a more rounded assessment of the risks that your organisation faces.
Consulting with employees from different areas of the business ensures that you gain valuable insight into your compliance risk from a variety of points of view. What seems innocuous to one stakeholder may be more pressing to someone in another department. Without the latter’s input, the compliance function might have under-prioritised it, putting the company at risk.
From the results of your questionnaire, you can understand more clearly where you need to deploy your resources to gain the greatest impact in your battle against non-compliance.
The larger portion of the questionnaire should be dedicated to questions about specific areas of the business. This approach is likely to elicit answers that can expose risks the interviewee might not have considered as such before they were asked. However, it is a good idea to start off the questionnaire by asking specifically about areas that are known to be related to compliance risk.
This allows interviewees to have their say on how they view the company’s compliance risk strategy, point out weaknesses and offer suggestions. Ask them about the functions and controls in place, as well as the procedures for identifying and assessing risks.
Following on from your compliance strategy, the next step is to ask about the company’s current compliance policies and procedures and how effective they are at mitigating those risks.
For example, you might have a procedure in place to create and maintain insider lists. But is it efficient and effective? Using InsiderLog to create your lists and record all changes helps you build an audit trail that could be invaluable in the event of an investigation. Another feature that helps in such cases is its functionality to send automated emails to insiders until they acknowledge their inclusion on the list. This provides you with evidence that you have done all you can to inform insiders of their responsibilities, something that your current procedures might not provide.
This section should include details of how the compliance team communicates regulatory changes to stakeholders and how it ensures that the company is working within the scope of these legislative requirements.
Understanding how employees view these aspects of compliance procedures helps you understand whether the current framework is adequate or if you need to adjust the strategy to reduce the risk of compliance breaches due to ignorance or confusion.
The company’s leadership sets the tone for the organisation and is responsible for the prevailing culture within the business. If leadership is seen to value compliance and encourage whistleblowing, you can build a speak-up culture that reduces compliance risk because employees feel comfortable reporting misconduct before it can become endemic.
Where there is ambivalence or even antagonism towards reports of wrongdoing, including retaliation against reporting persons, misconduct can prosper unchallenged. This increases the risk of the company being found to have contravened legislation and being issued with a sanction.
This is why it is important to understand how key employees feel about the attitude and competence of senior leaders in relation to compliance matters.
Understanding how the process of compliance works in practice is key to how effective your procedures are. Look into the culture within the organisation and whether people do feel comfortable reporting on wrongdoing. In order for you to mitigate risk, employees must believe that they will be taken seriously and that the company will monitor and investigate misconduct.
Find out if key stakeholders believe the company responds to reports of wrongdoing in an efficient and appropriate manner.
Also, look into how the business reviews and refines its monitoring and response to compliance incidents. Effective organisations continually review and refine their risk management in order to create the most robust systems possible.
Training and compliance communication provides two main benefits. Firstly, it ensures that the company has done all it can to arm employees with the information they need in order to meet compliance requirements. Secondly, it reinforces the message that the company values compliance above all else.
Your compliance risk assessment questionnaire should canvas opinions on the manner, frequency of training and compliance communications. This helps you gauge how effective you are at delivering your message.
It is essential to understand how training is received by stakeholders, who must then use the information in order to be sure they are working within the correct regulatory framework. Effective training can reduce compliance risk, but poorly executed communication from the compliance function increases that risk.
A compliance risk assessment questionnaire should include questions about the organisation’s compliance programme, relevant laws and regulations, potential compliance risks and the effectiveness of existing control measures. It should also feature questions about the likelihood and impact of each risk from the point of view of that stakeholder.
You should involve key stakeholders from across the organisation, including compliance professionals, legal and regulatory experts and representatives from various business units. This allows for a range of different views, providing a 360-degree view of your compliance programme.
By using this range of stakeholders during the risk assessment process, you gain a more full, and therefore accurate, view of the state of your compliance efforts. To support this, regularly review and update the questionnaire and use a combination of quantitative and qualitative data to evaluate risks. It’s also good practice to consider seeking input from independent experts, such as legal or regulatory advisors, to ensure that their assessments are comprehensive and accurate.
Your compliance risk assessment questionnaire is designed to help you gain the benefit of multiple perspectives on the risks that most impact your business and the compliance efforts that you have in place to mitigate them. Your stakeholders will help you gain an insight into the effectiveness of your compliance programme and how you can improve your knowledge of risk-based requirements for mitigation.
ComplyLog offers a suite of tools to help you maintain compliance with a variety of EU regulations and directives. This includes:
To find out more about how ComplyLog aids your business, request a free demo today.