5 Management of Risks
2. Gathering and analyzing relevant sources, such as lawsuits the company has been and is involved in; complaints made to the whistleblower helpline and to the company's ethics department; complaints from clients, employees, contractors, partners, etc.; internal and external audit reports; information on ethical and compliance risks that the company's competitors have dealt with or are dealing with; materials regarding general legal risks that may apply to the company; and publications in the field on this matter. The analysis must take into consideration not only the risks that already exist but also the activities that could generate risks in the future, even if they are legal when the analysis is performed.
3. Evaluating the types of ethics and compliance risks the company is likely to deal with. At the same time, the types of behavior that lead to these kinds of risks are identified.
4. Implementing activities that can generate relevant information, such as surveys, workshops, interviews, polls, and focus groups on the theme of ethics and compliance risks. To obtain the best results, the participants should be employees from all levels and departments, with diverse levels of seniority.
5. Organizing risk categories, that is, organizing and ranking the previously identified risk areas. As a rule, risks will be placed in one or more of the following categories: corruption and bribery; antitrust and disloyal competition; private information security; discrimination and harassment; human rights; conflicts of interest; the environment, health, and work security; protecting whistleblowers; influencing public decisions; theft, embezzlement, and other financial crimes; fraud and income management; and money laundering.
5.3.2 Identifying the Risks
A life lived with integrity, even if it misses the traps of fame and fortune, is a shining star whose light can be followed by the others in the years that follow.—Denis Waitley, consultant and author
We may order risks according to their importance, their probability of occurring, and the severity of their consequences. Through risk assessment, the company's initial risk profile is then developed. This profile must list the risk factors and, for each one, specify the conditions that make it likely to appear, its consequences, the existing mechanisms for preventing it, and the existing mechanisms for controlling its consequences. Once this initial evaluation is complete, the managers will be able to make the initial decisions regarding the nature, scope of application, and necessary degree of diligence in applying them, according to the company's circumstances and risk profile. After the situation has been evaluated, the process for managing dishonesty risk can be adapted to the specifics of the identified risks, and it will be readjusted later as the company's activity brings out new information.