Once the Compliance risks in the organization have been identified, and taking into account the analysis of controls carried out and the risk appetite that has been defined for the organization, the time comes when Senior Management must decide what attitude to take towards risk.
In this sense, the COSO framework (Committee of Sponsoring Organizations of the Treadway Commission) lists, in its control framework, the response options that Senior Management can consider in the face of risk: avoid it; reduce it (mitigate it); share it; or accept it.
ISO 31000 Risk Management standard
The ISO 31000 Risk Management standard tells us that the options available to top management, after having identified, analyzed and evaluated the risks, are:
- Avoid the risk by deciding not to start or continue with the activity that gives rise to the risk
- Take or even increase the risk in order to pursue an opportunity
- Remove the source of the risk
- Change the likelihood
- Change the consequences
- Share the risk (for example, through contracts or insurance)
- Retain the risk on the basis of an informed decision
How should organizations respond to Compliance risks?
As you can see, risk treatment consists of evaluating the available options in order to take a decision on them. Whether ISO 31000 or the COSO control framework is used as the reference, the Compliance Officer will have to study and analyze the need to implement additional controls, either to avoid the risk (by preventing or prohibiting the activities that could cause it to materialize), to reduce it (for example, by eliminating the source of the risk or lowering its probability or impact), to share or transfer it (by modifying contracts with third parties or taking out insurance policies, among other measures) or to accept it (while monitoring it).
It is also important to keep in mind that the options the organization has for acting on its risks, when deciding how they are going to be managed, are neither mutually exclusive nor all appropriate at every moment, so attention must be paid to the circumstances of each case and each moment in order to reach an "ad hoc" decision.