OCEG FOUNDATION VIEWS, TOOLS & TECHNIQUES: PLAN & ORGANIZE
BY WORTH D. MACMURRAY

Few thoughtful people dispute the value of the corporate planning process. Understanding the nature and scope of the big picture, establishing goals and objectives, and identifying associated strategic and tactical activities are all critical to achieving operational and financial success in complex business environments.

A systematic risk assessment is a proactive and basic compliance and ethics program planning function. The process, properly implemented, can both align business and program objectives, and identify and direct attention towards the highest priority corporate risks. The reality, however, is that the planning exercise is often reduced to a quick and dirty process and is not established as a fundamental activity because of competing budget priorities, time constraints and unanticipated crises. Yet, evaluating risk is essential to the development of an appropriate compliance and ethics program. How can an organization know how to allocate its limited resources, or what controls to put in place, if both the inherent and various possible risks have not been defined?

A major hurdle for comprehensive compliance and ethics program planning has been the lack of practical guidance or example. It is easy to find legal treatise information in most defined compliance areas, offering a summary of what is illegal or inadvisable, but such treatises offer far less practical treatment of what actions may help prevent these acts or omissions from happening, or how to handle them when they do occur. Moreover, before the OCEG Framework was established, there was no single resource that set forth a set of activities aligned with the core business concepts of Culture, Organization, Process and Technology to aid in eliminating or mitigating the risk of non-compliance and unethical conduct. The six Plan & Organize Topics in the Process section of the Foundation of the OCEG Framework set out guidelines addressing compliance and ethics program planning, and offer a holistic and flexible approach for undertaking a corporate risk assessment to support such a program.

SCALING APPLICATION OF PLAN & ORGANIZE GUIDELINES
The Plan and Organize section of the OCEG Foundation contains six primary Topics. Each Topic contains Guidelines that document Standards and Guidance from various sources related to planning, and include OCEG’s recommended Core and Additional Practices for ensuring an effective process.

First-time Foundation users sometimes incorrectly assume that the Foundation’s detail and breadth imply that all users are required to commit an extensive and uniform level of effort and resources. This is not the case; flexibility and adaptability are central Foundation principles. Organizations may apply some or all of a given Foundation Guideline, as dictated by individual facts and circumstances.

For example, most businesses, as part of a basic compliance and ethics program planning exercise, will likely recognize the fundamental importance of Guideline PO2.2 - Identify Key Organizational Entities, Units & Groups, the stated purpose of which is to “identify the existing organizational structure including major entities, business units, departments and how these groups interrelate.”

The Core Practices that call for an entity to “define and/or review the organizational structure” and “define formal reporting lines” may well appeal to a smaller organization. Much of this information may already exist within Human Resources and is therefore easily transferable into a compliance planning context. The fact that this activity is suggested and further detailed by a non-legal guidance source (COSO ERM) is probably not relevant or important to the smaller company’s typical planning activity.

Larger organizations, in addition to using the Core Practices, may see value in applying this Guideline’s Additional Practices—creating a matrix which maps organizational groups to each other, processes, assets, etc., and defining informal reporting lines and influence networks. Compliance officers in larger organizations can use these and similar tools to help identify risk areas, better understand organizational dynamics, and communicate the integrated (and often complicated) nature of a given compliance scenario to management and stakeholders.

PROCESS
PLAN / ORGANIZE
PO1 – Scope & Objectives
PO2 – Business Model & Context
PO3 – Boundary Identification
PO4 – Event Identification
PO5 – Risk Assessment
PO6 – Program Design & Strategy

FITTING THE PROGRAM TO THE BUSINESS
Compliance and ethics programs exist to support a business, not the other way around. Thus, the first three Plan & Organize Topics address the important initial contextual elements which relate both to the business and the underlying program.

PO1 – Scope and Objectives involves defining the program scope, stakeholders, planning methodology and team, organizational objectives and program objectives. Organizational support and appropriate subject-matter coverage and thoroughness are more likely if a cross-functional group is involved at this stage, as noted in the PO1 Topic Overview’s “Critical Success Factors.”

PO2 – Business Model & Context sets out methods to understand details of the entity’s organization and structure particularly relevant to program operation, specifically asset and business process identification, and organizational and functional mapping. It is not possible to develop a high performing compliance and ethics program if the structure and context of the organization are not considered.

PO3 – Boundary Identification discusses the importance of identifying the mandated (legal and regulatory) and voluntary (contractual, ethical and policy-related) boundaries which apply to the business model. The process of identifying and visually mapping these boundaries is particularly useful in evolving a more thorough understanding of the full context of relevant stakeholders’ needs and requirements to include societal values and norms.

ANALYZING AND ADDRESSING RISKS
The remaining three Topics set forth a sequence of risk analysis and strategic planning activities.

PO4 – Event Identification focuses on risk and opportunity event identification. This process involves external and internal event recognition and offsetting risk mitigation or related business opportunities. The basic analysis is: what may prevent or assist the business from reaching its objectives? In other words, where are the risks and the opportunities?

PO5 – Risk Assessment addresses the core risk activities—analyzing and defining the likelihood and impact of each identified risk and then prioritizing risks for response and resource allocation purposes. It is important to note that, as part of the independent, but closely related, process of creating and implementing an “effective compliance program” as defined in the United States Sentencing Guidelines for Organizations, the OCEG Framework specifically includes reference to assessing the risk of criminal conduct. Similarly significant, however, is the inclusion of COSO ERM guidance and operationally oriented best practices.

PO6 – Program Design & Strategy follows after risks have been identified and prioritized, turning attention from analysis to implementation. Should the business avoid, reduce the likelihood of, share or accept identified risks? What existing responses are in place for each such risk, and what additional possible responses should be evaluated—and on what qualitative and/or quantitative bases? Who is responsible for taking these preventive measures? In the event of a material corporate crisis, is there a plan in place to target the possible (and usually interrelated) physical, financial and reputational issues—and have crisis response team members been identified and contacted? This Topic covers key processes that respond to these and related questions, and that form the basis of an action plan. Value promotion, strategies for anticipating and dealing with normal-course resistance to change, and authorized resource allocation are among the various activities included within this critical compliance and ethics program component, resulting in a comprehensive risk management plan.

WORTH MACMURRAY SERVED AS CO-CHAIR OF THE 2005 OCEG STEERING COMMITTEE. HE IS A PRINCIPAL OF COMPLIANCE INITIATIVES LLC, WHICH IS A MEMBER OF THE OCEG LEADERSHIP COUNCIL. WWW.COMPLIANCEINITIATIVES.COM


RESOURCE DETAILS
Last Updated: 4/12/2007