Compliance Risk Assessment
Whereas the past goal of maintaining compliance focused on the known, day-to-day operational activities (tactical activities), compliance programs fell short in identifying and managing the more sporadic and unplanned events that affected their operations. These unplanned events posed greater risks because they could harm the organization to a greater magnitude through liability and operational continuity issues. In addition, under increasing pressure from the market, including globalization, increased competition, the rising costs of regulatory compliance, and greater corporate accountability and visibility, organizations are looking to enterprise risk management (ERM) as a strategic way to reduce operational costs, improve efficiency, and ensure long-term stability.
Enterprise Risk Management specifically is defined as “a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” 1 Under ISO 14971, it is more simply defined as the “Systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating, and controlling risk”.
As stated by Governor Mark W. Olson, “…One of the biggest risks facing businesses and governments today is the risk of not preparing for how the world will change over the next five years…A key question to ask is whether your organizations have the tools and risk-management processes that will allow them to cope with inevitable changes…” 2 Thus, ERM is becoming essential for organizations to survive in a volatile market. In an effort to scope out the real potential of possible events, many organizations have developed programs to manage and control their risks. They are seeking to move away from the silo approach toward a holistic view of risk across their organization. They want to achieve a top-down view of risk across the organization in order to identify, assess, control, and track highly vulnerable (i.e., high-risk) areas of the company. At the same time, they want to preserve the level of detail and the records emanating from the various risk-based assessments, such as job hazard risk and process safety risk, conducted under specific regulatory programs.
Risk Assessment
It is impossible to construct an effective compliance plan to control risk without conducting an initial risk assessment. A risk assessment is a high-level, mandatory compliance exercise that varies in complexity based on the size and business profile of an organization.
As an example of one type of risk assessment, a compliance risk assessment includes an assessment of the people, processes, and technology required to effectively manage the business in a compliant manner.
A comprehensive compliance risk assessment includes several key steps. These steps are:
- Identify all key compliance requirements;
- Identify those that apply to your staff, processes and systems;
- For each area of potential compliance risk, identify the nature of the risk of non-compliance as it applies to the firm;
- Using a risk rating scale, score the risk and record it;
- For each identified risk, prescribe a mitigating, controlling or corrective action and a timescale for completion (including assigning it to a person or function).
Risk Management
Risk management is the achievement of continuous control over the incidence and impact of risk. It requires:
- Comprehensive understanding of the business and operations environment;
- Detailed risk assessment process founded on quality principles;
- Experienced resources to identify risks and assess their importance and implications;
- Creative minds to develop cost-effective risk mitigation strategies that control and neutralize unacceptable risks;
- Top-down management commitment to implement protective strategies and monitor progress;
- Continuous management vigilance to control new risks.
1 COSO, Enterprise Risk Management – Integrated Framework, 2004.
2 Fiduciary and Investment Risk Management Association’s 20th Anniversary Training Conference, April 10, 2006.