Episode 94: Developing a Risk Matrix for Your Compliance Program

On episode 94 of the CCO Buzz Podcast, Sr. Compliance Consultant Janice Powell joins us to discuss developing a usable Risk Matrix as an integral aspect of your compliance program!


CCO Buzz: Hello and welcome back to the CCO Buzz! We’re starting this season swinging with back-to-back episodes. Today we’re joined by Senior Compliance Consultant Janice Powell. She’s here to discuss her latest Risk Management Update, “Converting Critical Enterprise Risks into a Usable Risk Matrix.” While she’s here, she’ll navigate us through the definition of “risk” and provide us some best practices when implementing the use of the matrix within your program.

With that, let’s begin…

Janice, within your article you dedicated a large part to defining what risk is to firms in the industry. Would you mind shedding some light for our listeners?

Janice Powell: Of course. The dictionary defines Risk as the “possibility of loss or injury; someone or something that creates or suggests a hazard.” In retrospect, risks can be found at every level or department from a job function to the entity level. Identifying these risks and gauging the controls formulates an enterprise risk management process.

CCO Buzz: Hmm, so understanding this – risk is everywhere, or rather, the chance of risk is and can be anywhere and everywhere – in your opinion, how would you recommend firms keep up with this daunting task of monitoring and managing their potential areas of risk?

Janice Powell: The team at Core Compliance recommends to clients that, although an annual review is required to be performed yearly, having your firm regularly undergo a risk assessment and then maintaining a risk matrix to monitor these vulnerabilities within your compliance program is crucial for firms to have an effective process to identify risks within the organization that may make them susceptible to violations. The firm must assess those risks as to their importance so resources can be allocated to areas posing the most significant risk.

CCO Buzz: So understanding that assessing risks is an integral part of a risk matrix, what departments, locations, or areas within a firm should be considered for evaluation?

Janice Powell: That’s a great question! Risks can be found anywhere and take any shape to impact the business. Risk can be found in rules and regulations, technology, environment (think, the pandemic), employees, vendors, contracts, firm relationships, [and] compensation, among other areas. Once risks are identified and defined, the firm should then establish an appetite for the risk. Determine how much risk the firm is willing to accept while pursuing its objectives before any actions are necessary to mitigate the risk.

CCO Buzz: Ms. Janice, I don’t want to give away too much of your article. But I have to ask – you provide some key steps on how to implement and leverage the use of a Risk matrix within a firm. Do you mind sharing high-level insight for our CCO Buzz listeners?

Janice Powell: Well of course. While I don’t want to give away too much, I think I can share a snippet or two from my article.

To implement and manage a risk matrix, firms will want to develop a risk inventory, assign a risk rating, and map the risks to the procedures and the controls. And then, frequently review and revise accordingly. Each of these steps takes specific measures to execute based on the firm’s business model and internal structure.

When developing a risk inventory, focus areas can be generated from numerous sources, such as evaluating whether necessary policies and procedures, with related controls, exist or need to be developed. Recent regulatory updates and regulations, regulatory exam deficiencies, regulatory document request lists, and other methods can be used to create the inventories.

When your firm is ready to assign risk ratings, be open to different rating scales that may work best for your team. For example, a more simplified version of a risk scale can implement a color-coding system where red equates to dangerous, yellow means proceed with caution, and green represents little or no risk. Another method that may work for your team may be a ten-point scale, recognizing that ten (10) might be high, five (5) might be medium and one (1) might be considered low. If your firm chooses a multi-tiered rating system, also consider how the ranking differs or prioritizes one risk over another, such as a 4 versus a 6 rating on a 10-point scale. Firms need to ensure that a regulator will be able to focus on and understand these particular details.

Within this process each risk identified within the matrix must be addressed and correlated or “mapped” to the appropriate policy and control. This step will highlight any and all gaps within the matrix that lack the proper protocols within your firm’s program.

CCO Buzz: Wow! Thank you for that Ms. Janice! I cannot wait to have listeners read the rest of your article later this month. Before you go, is there anything else you’d like to add?

Janice Powell: Yes, thank you for having me. If any of the listeners have any questions about developing a risk framework as the basis for their compliance program and how it resonates with regulators, you can reach out to the team at Core Compliance. We understand that the process of mitigating risk begins with identifying the risks.

To find out about technology solutions and outsourcing services offered by Core Compliance, and how we can further assist with year-end compliance planning and beyond, please contact us at info@corecls.com or (619) 278-0020. Thank you!

CCO Buzz: Well that’s it for this week’s episode. If you’d like additional information, please check out our website at www.corecls.com. You can also follow us on Facebook, LinkedIn, or Twitter @CoreCls. Thank you, and we hope you tune-in to next week’s episode of the CCO Buzz.
