I recently spoke with a friend who works for an organization that is just starting to consider implementing an ethics and compliance program. His first question to me was “What should I do first?”
His question prompted one of my own, although I was pretty sure I already knew the answer. “Have you conducted a risk assessment?”, I asked.
Of course he hadn’t.
Going through a risk assessment has many benefits. In terms of an E&C program, a risk assessment:
- Informs what topics should be included in your code of conduct
- Identifies the policies that your organization needs
- Determines the scope of your training program
- Points to the controls you need to put in place
- Highlights the processes that must be regularly audited
So before you start implementing an E&C program, start with a risk assessment. And if you already have a program, then let your regular risk assessments guide your improvement efforts.