While I am of a certain age to have enjoyed the glory days of one of my favorite bands, I am not talking about rocking out to great 70’s music while preparing your risk assessment. When I say KISS your risk profile, I am talking about the four little words every student in business school hears from their teacher when thinking of a product / idea to start a new business. K.I.S.S. – Keep It Simple Stupid!
Risk professionals save their businesses time by implementing a risk profile; one that succinctly identifies risk so senior management can make the risk-based decision to accept, transfer, control, or avoid the risk. This knowledge empowers these individuals to make informed risk-based decisions that move the business forward safely. It is important that when you are creating a risk profile to remember K.I.S.S.
I have seen over the years too many risk profiles that are too convoluted, too wordy, and too off the point. Succinctly written risk profiles keep your audience focused on making the best risk-based decisions to achieve the company’s goals. Keep your risk profile simple! I have worked with many risk officers in highly regulated industries, and I have found that the strongest and most appreciated risk officers have the ability to present the risk profile in a clear, concise manner with three main elements in mind 1.) Know who your target audience is, 2.) What are the risks to your company’s goals and objectives and 3.) Present the best risk mitigation options. What do these risk officers all have in common? They follow the principles of K.I.S.S.
Target Your Audience
In most cases the target audience for your risk profile is the Board of Directors and senior management. This is the internal audience that must know the risk to provide support and make appropriate risk-based business decisions, and to agree on a risk mitigation plan. While the risk profile may be shared with others, by K.I.S.S.ing the risk profile, it can be easily understood by many potential readers without losing its effectiveness.
Understand the Risk to Your Company’s Goals and Objectives
Once you know your audience, now focus on what your company’s goals and objectives are. Clearly identify the residual risk that is most likely to keep the company from achieving these goals. Consider the following: your audience already has the knowledge and history of the company and they understand the laws and regulations. Instead of bloating your risk profile, focus on those risks that will impact the company’s goals and objectives. Identify those risks, report on their impact, and put them in the context of how they impact the business’ objectives.
An example is Anti-Money Laundering (AML) risk. Our business has an obligation to report certain cash transactions over $10,000 to the government. Failure to report these transactions can result in civil fines or criminal penalties that cannot be transferred to a third party. We currently have 5-10 cash transactions of this size per quarter and we expect this number to increase next year. We currently rely on our third-party accountant to file these reports, but the business must fill out the form. We do not currently train our staff or have a formal process to report this to our accountants. We rely on our facility manager to remember to fill out the form and tell the accountants about these cash events.
K.I.S.S.ing the risk analysis makes it clear how the risk could impact the business in its current state.
Join ACCCE’s complimentary webinar to save time identifying more techniques to put your risk assessment to work for you.
Present the Best Risk Mitigation Options
Following on the K.I.S.S. model, present the facts of the risk so that the audience can draw their own conclusion. Provide your professional opinion on the best practices to mitigate the residual risk.
Following on the example above, let’s review one way the risk officer can present this risk to the target audience. This risk is currently outside of our risk appetite because the business could be subject to fines above $40,000 a year in aggregate, and possible jail time if our facility managers or accountants fail to report these transactions correctly. To reduce this risk within our risk appetite, we should assign the responsibility for identifying these transactions in our facility managers’ job description, provide the facility managers training to fulfill their duties, create formal procedures that the facility managers can use to fulfill their duties, and require our accountants to reconcile all large cash receipts on a biweekly basis. The risk function will sample large cash transactions on a quarterly basis to assure our accountants do not miss a reportable transaction and inform the board if a transaction was not filed appropriately. These risk mitigation activities should reduce the possible fines to less than $10,000 a year before they would be detected, and provide a strong defense against criminal prosecution for noncompliance. The above example clearly identifies the risk and the negative consequences of failure to address the risk. This allows your target audience to make an informed decision.
How to Be a K.I.S.S. Rock Star
Working with risk officers in highly regulated industries, I have found that the strongest and most appreciated risk officers can present the risk profile in a clear and concise manner that allows the board of directors and senior management to agree to the best risk mitigation plan for the business.
By following the three steps above, you can be confident in presenting your risk profile. By keeping your risk profile simple and sticking with the facts you are more likely to actively engage and empower your audience with the knowledge to make well informed risk-based decisions. Then you too can become a K.I.S.S. Rock Star!
Chris Gunias is the Managing Director of Compliance at CorCom LLC. Chris has over 18 years of compliance experience working at industry leading international money transmitter, including several years as a BSA and Risk Officer. He is an advisor on the ACCCE Education Advisory Board.
Click here for more information about how CorCom LLC. can assist you in implementing or performing your annual risk assessment.