The NCAA March Madness single-elimination tournament is one of the most watched events in sports, and college teams across the nation are whittling down to the Elite Eight on their way to the Final Four and then college basketball’s National Champion. The Cinderella teams are being weeded out (but I’m still pulling for the Florida Gulf Coast Eagles) and the focus is on using the best full-court teamwork to win the game.
If you’re compliance-minded, you just might see the similarity between the “bracketology” of March Madness and a standard compliance risk assessment bow-tie diagram. We use this method to see risks in terms of Causes (and the preventative controls that must be maintained so that the risk doesn’t turn into an issue) and Impact (and the responsive controls that mitigate the risk and establish the remediation process so that the risk doesn’t recur).
That’s the whole notion behind a compliance risk assessment: know the causes and effects (as well as the likelihood and severity), and have controls in place to prevent issues and to correct them if and when they happen. By visualizing risk sources and their potential impact, you can analyze threats, know how to address them and take action to keep risk in check.
Ryan McConnell, a partner at Morgan Lewis, wrote a great piece for Corporate Counsel that really brings this analogy to life. Ryan had a neat idea. Just like in office pools all across the land where employees are filling out their brackets for the tournament, Ryan suggested that employers embrace the hubbub by encouraging employees to participate in the basketball tournament picks – but only if they also take the time to complete a compliance risk assessment bracket in the same fashion.
What would this mean? He suggested that employees name compliance risks, then prioritize them down to what he called the “Final Four Compliance Risks.” This has a lot of merit and engages employees who are often left out of the risk conversation.
Increased worldwide legal and regulatory activities (to keep it in the basketball vernacular, we would call these offensive charging fouls) require that an organization approach risk management proactively and be able to identify gaps and risk exposure, document them, mitigate the risks, and implement appropriate training and/or policy modification as needed. An integrated approach to compliance risk assessment offers complete visibility across all parts of the organization, so that inherent risk can be controlled at every level.