Dynamic risk assessment in the digital age

Embedding legal and compliance frameworks into ERM models

Global regulatory bodies now require technology and media organizations to conduct proactive risk assessments across specific domains, products, and business areas. Compliance and legal risks have traditionally been evaluated as part of an enterprise risk management (ERM) risk assessment. With additional risk assessments now needed to manage compliance at business and product levels, ERM teams should rethink their strategies for leveraging available data points. Furthermore, teams should explore how dynamic risk assessments can potentially enhance business functions, improve decision-making, and reduce costs.

Formulating a consistent risk assessment framework

ERM is essential for companies to systematically identify, assess, and manage organization-wide risks. Enterprise-level risk assessments typically focus on the critical issues that could affect the business as a whole, such as financial, operational, and legal risks.

The US Department of Justice (DOJ)1, National Institute of Standards and Technology (NIST)2, Committee of Sponsoring Organizations of the Treadway Commission (COSO)3, and the International Organization for Standardization (ISO)4 have recently increased their focus on improving organizational risk management processes, including risk assessment. At the same time, global regulators, including the European Commission and the European Data Protection Board, require technology and media organizations to assess risks related to topics affecting society, including the use of artificial intelligence (AI), trust and safety, and workforce-related risks. These newly required risk assessments are typically carried out by a single business unit or functional area rather than across the whole enterprise.

To enhance the approach to ERM and leverage more available data points from across the organization, ERM teams can evaluate their strategy for managing risk in collaboration with product, business, and functional teams required to conduct risk assessments due to new and emerging compliance requirements.

Leveraging compliance data for ERM

To determine the best approach to deliver enterprise risk management and leverage the data available from across the organization, there are some key questions that organizations should consider: 

  • Which risk assessments are conducted, where in the organization, and what data is being created?
  • Where and how is compliance managed within the organization?
  • Is the current approach to ERM sufficient?
  • How engaged is leadership at all levels throughout the risk management process?

Compliance processes often generate rich, well-evidenced data. Compliance risk assessments are typically tied to specific business controls or policies, which are reviewed or audited as part of the compliance due diligence process. Using this compliance data to inform enterprise-level risk assessments can help the organization better substantiate the likelihood and vulnerability scores assigned to a defined risk, since those scores are then backed by control evidence rather than by estimate alone. Furthermore, if the compliance data shows that a risk is already well managed (that is, the relevant controls have been tested, not merely documented), there may be less need for additional mitigation at the enterprise level, potentially reducing overall cost.

Several approaches can be taken to use compliance data and the associated risk assessments within the ERM process. One approach is for the ERM team to collate existing compliance data as is and use it to inform the enterprise-wide risk assessment. Another approach is to emphasize a consistent “tone at the top,” with the ERM team creating an organization-wide risk taxonomy that business and functional areas follow when they conduct compliance-focused risk assessments. A middle-ground approach could build on common key risk indicators (KRIs) and some existing risk management components while exercising more limited oversight of the risk management processes conducted across the organization. The right approach will depend heavily on the organization, its resources, and the value it requires from the risk management process.

Approach 1: Integrating existing legal and compliance risk assessment capabilities into the ERM model

This approach integrates compliance risk assessment data from business or functional areas into the ERM process by collating risk statements along with any associated controls, coverage, and assurance documentation. It can be a low-cost, value-added strategy that aims to leverage existing risk management components from the business and enable more granular visibility into specific product or functional area risks.

  1. Identification and documentation
    • Conduct workshops with relevant business or functional area stakeholders to identify the risk assessment processes in operation, gather detailed risk statements from available reports, identify tools in use, and analyze control documentation.
    • Develop a combined risk register that includes risk descriptions, potential impacts, likelihoods, and existing controls.
  2. Integration with ERM framework
    • Assess the alignment of risk assessments conducted at the business and functional areas with the organization’s ERM framework, and create an integration plan that aligns with the organization’s risk appetite and current governance structure.
  3. Training and communication
    • Develop and facilitate training programs to assist relevant stakeholders in understanding the overarching ERM process and integration requirements.

Benefits
  • Provides granular visibility into specific risks and their management without changing current roles.
  • Enhances the ability to identify and mitigate additional risks proactively.
  • Increases the available data used in the ERM and evaluation process.

Challenges
  • It may be challenging to integrate varying risk assessment processes across the enterprise.
  • An inconsistent approach across business functions may lead to inconsistent reporting processes.

Approach 2: Drive consistency across the organization through ‘Tone at the Top’

This approach focuses on establishing a unified, ERM-driven, consistent risk assessment methodology, including a curated risk taxonomy and standardized aggregation, tools, and templates used across the organization. It will likely require additional management effort and training from the ERM team, and it aims to provide enhanced value by setting a consistent understanding of risk across the organization, with the ERM team in the driving seat.

  1. Leadership commitment
    • Secure commitment from leadership to champion the risk management initiative and set a strong ‘tone at the top.’
    • Develop and communicate a clear risk management policy that outlines the company’s risk appetite and governance structure.
  2. Risk taxonomy development
    • Create a standardized risk taxonomy that categorizes risks, focusing on consistency of risk identification and assessment.
    • Align the risk management methodology with the company’s strategic objectives and operational processes.
  3. Training and operations
    • Develop communication materials to educate employees on the importance of the risk taxonomy.
    • Communicate the importance of detailed risk management to the broader organization, fostering a culture of risk awareness.
  4. Integration with ERM framework
    • Integrate the risk taxonomy across business and functional areas, driving consistency across the organization.
    • Use technology solutions to support the implementation of the risk taxonomy, providing tools for risk identification, assessment, and reporting.

Benefits
  • Creates a unified understanding of risk across the organization.
  • Simplifies the risk assessment process at the enterprise level, reducing the complexity of integrating organization-wide risk assessment data.
  • Enhances the organization’s ability to align risk management with strategic objectives.

Challenges
  • Requires strong leadership commitment to maintain the “tone at the top.”
  • May be difficult to achieve organization-wide buy-in for the new risk taxonomy.

Finding the middle ground

While both approaches have their own value, committing fully to one of them may not be possible for many organizations, given the scale of operations, the investment required, and the number of stakeholders involved. A pragmatic starting point could be a balance of the two approaches to help manage complexity and optimize value.

This could involve defining KRIs relevant to the organization’s business and functional areas. These KRIs link directly to the enterprise risk taxonomy, helping to inform risk management methodologies and fostering some level of uniformity in the organizational risk assessment process without requiring every area to adopt the full enterprise methodology.

Considerations

These proposed approaches offer distinct benefits and challenges, catering to different levels of complexity, resource requirements, and value. By carefully considering the company’s risk appetite, governance structure, and technology infrastructure, the ERM function can use compliance data to implement an enhanced risk assessment framework that aligns with its strategic objectives. Such a framework enables the organization to manage risks more effectively and supports better decision-making across organizational levels.

Conclusion

Risk assessment and mitigation in a large organization is a complex process, often driven by stakeholder opinion rather than by data. Leveraging the organization’s existing data sets can strengthen its approach to overall risk management. Through structured processes and reporting, compliance-driven risk assessments completed at a product or business-function level can enhance an enterprise-level risk assessment and help drive down the cost of managing risk for the business.

1 US Department of Justice, “Evaluation of Corporate Compliance Programs,” updated September 2024.
2 Gina M. Raimondo and Laurie E. Locascio, “NIST Risk Management Framework (RMF) Small Enterprise Quick Start Guide,” National Institute of Standards and Technology (NIST), July 2024; NIST Joint Task Force, “Assessing Security and Privacy Controls in Information Systems and Organizations” (NIST SP 800-53A Rev. 5), January 2022.
3 Society of Corporate Compliance and Ethics (SCCE) and Health Care Compliance Association (HCCA), “Compliance Risk Management: Applying the COSO ERM Framework,” Committee of Sponsoring Organizations of the Treadway Commission (COSO), November 2020; Paul L. Walker, “Enabling Organizational Agility in an Age of Speed and Disruption,” COSO, February 2022.
4 International Organization for Standardization (ISO), “ISO 31000:2018 Risk Management Guidelines,” 2018.