These are challenging and complex times. COVID-19 is forcing organisations to adapt quickly and change their business model in the process. In an era of compliance, with many regulations and regional “interpretations”, leaders and organisations need to be careful about how they conduct business, who conducts business in their name and with whom. This demands extraordinary attention to the means and mechanisms used by the organisation.
Due diligence, in legal terms, entails taking reasonable steps to satisfy any legal or regulatory requirement, regardless of the size or type of business conducted. Businesses also need to take any of a number of mandated steps to ensure that the organisation remains safe from any unwanted or unauthorised action taken on their behalf. For example, when making an investment such as a merger or an acquisition, the organisation needs to carry out the due diligence necessary to make the most informed decision possible. Being casual about the due diligence process is a failure to execute the proper level of investigation regarding the assets being purchased or financed, or the management team being backed and vetted.
Where Risk Management Comes into Play…
Risk management is the identification, evaluation, and prioritisation of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by the coordinated and economical application of resources to minimise, monitor, and control the probability or impact of unfortunate events, or to maximise the realisation of opportunities. It is a formal business discipline that relies on the forecasting and evaluation of risks, along with the identification and (where feasible or warranted) implementation of procedures to avoid or minimise their impact.
> Using ISO 31000 can help organisations increase the likelihood of achieving objectives, improve the identification of opportunities and threats and effectively allocate and use resources for risk treatment. Learn more with our “ISO 31000 Playbook”
Risks can come from various sources, including your employees. From a risk management perspective, the penalties that can result from unwanted or unauthorised third-party relationships, or from any unethical business action by an employee, are very high, making it imperative to perform due diligence when protecting your business and brand. Inadequate due diligence can easily take down an organisation: from damaged reputation to brand devaluation, from regulatory violations to fines and jail terms for directors, the risks are very high, and losses of such potential magnitude should not be ignored. Against that cost, implementing the most stringent and effective controls and protections, even at a considerable cost, STILL makes absolute financial sense. The only way to fully protect a corporation’s assets, therefore, is through a strong and viable 360-degree due diligence program.
Managing risk and due diligence should begin with a policy and a plan. Here we will focus on the human element of risk management, specifically background investigations. Organisations need to perform due diligence to make sure that their business is adequately conducted by their employees and by their partners and vendors. Such assurance invariably includes regular security audits, ISO certification, pre-employment background checks, third-party risk management (TPRM), and so on.
There are several incentives to practice due diligence and perform risk management to ensure you conduct business appropriately and comply with all applicable laws and regulations. Anything less is just asking for trouble and losses!
What Can (and Should) Organisations and Risk Professionals Do?
The very first step to mitigating risks and exposures starts with a risk assessment. There are plenty of risk assessment checklists and tools available. If you want to dive deeper into how to start a risk assessment, just read our “Risk assessment breakdown: Identification, Analysis, Evaluation” to learn more. Once risk professionals get a handle on their due diligence processes and other compliance regimes, it’s time to start the entry process into the regulatory life cycle:
- Prioritisation and planning
- Implementation of a response
- Integration of related tools, technologies, audits, processes and procedures so that compliance becomes part of normal operations
The first steps toward achieving compliance are usually big ones and may require substantial time and effort. But after that, it’s just a matter of sticking to a routine to maintain compliance, meet reporting requirements and keep up with changes to governing regulations and to day-to-day tools and operations.