January 1, 2025: Regular risk reviews…Initial steps
As I was conducting my annual New Year’s smoke detector inspection at home, it dawned on me that if it weren’t for the New Year event-marker, I might not check them at all. Similarly, I have come to know that business risks are often left unattended until events strike - and then there is a whole lot of catching up to do on top of the crisis management itself. As such, I thought I’d offer some high-level thoughts, primarily for leaders of small and medium-sized organizations that may not have dedicated in-house compliance and investigative units. Some benefits may also apply to small investigative units and those that support them.
It's one thing to be a start-up; it's another to keep thinking like a start-up when you no longer are one. The same logic applies to small NGOs, values- and religious-based organizations, and enterprises of all kinds that employ staff and utilize suppliers, vendors, partners, clients, or customers. Granted, it can be hard enough to remain mission-focused at times, but if you agree that insurance is fundamental, risk review and mitigation are essential.
So:
When did you last assess your internal risks (even with a simple algorithm such as event likelihood x potential impact)?
How robust is your ethics and/or compliance program? ESG?
Does your internal training program address ethics, fraud, security, whistleblowing, retaliation, relevant policies, rules, and regulations? Is the training mandatory for all organizational insiders (interns, volunteers, contractors, part-time and full-time staff, executives, etc.), and provided at onboarding and annually?
Is your code of conduct current, fully deployed - and certified or agreed to - by your insiders?
Are you set up to field and adequately respond to internal complaints and concerns?
Suffice it to say this list goes on. No points to calculate on the above “test” as organizations are different and nuanced. But answer them honestly, and consider what other steps you need to take to protect yourself and your organization. Don't postpone your risk assessment and never rely on luck, good intentions, or multi-tasking when it comes to risk reduction.