A few weeks back I asked what was most helpful when assessing risk.

As you can see, assessing the operating environment was the winner (41% of the votes).

How can we do this better? Common methods include indexes, violations trackers, and experience. I’ve spoken before about the limitations of indexes, as they don’t consider sector, regional, and business model impacts on risk. Think Bay Area start-up selling art into ritzy offices versus a port operator in New Jersey, the risks are not the same universe.

Guesstimation

It can get confusing when we ask colleagues, especially if we’re asking them to estimate likelihood (which seems the most common method). A few quick hacks if your organisation uses likelihood to estimate risk:

1. Choose probability/likelihood words that don’t overlap.
2. Or, better, ask them to estimate numerically (within a range, e.g., 25%-50% chance).
3. If they struggle with the numeric concept, a simple follow-up is “If anything were to fall outside of that range, it would be shocking”.
4. Get multiple inputs (survey tools/ease the admin load), as we tend to be quite accurate when aggregated and averaged.
5. Ask simple questions!

Scaling up

If you’re not wedded to likelihood questions, ask simpler ones on a scale (strongly disagree -strongly agree), but don’t allow a middle option (forces people off the fence). For example:

1. I trust the legal system.
2. Human rights are respected and protected.
3. We do not work with politically-connected people, agencies or enterprises.
4. We do not use intermediaries to win business or handle customers

These are straightforward examples, but they’re illustrative.

Keeping it simple

If you’re starting from a lower base of risk (and ethics & compliance understanding), or people are possibly fearful of speaking up, it’s okay to ask leading questions and score them on a slider from 0% chance to 100%. Just emphasize these are all hypothetical scenarios, for instance:

1. A licensing official requests a small bribe to properly process [a crucial license in your sector].
2. When winning business, a customer requests we take them out for an expensive meal.
3. Our clients recommend suppliers, including those with whom they have (personal/financial) relationships.

The point is there are many ways to gather the data if you’re doing it internally. You can of course also conduct external research (open source and speaking to people), focused on common practices, experiences of others, and so on.

What else?

In terms of other less intensive approaches, inconsistent data remains the challenge. We don’t have many accurate models, given the uneven global definitions of violations, patchy enforcement, and little public disclosure by companies of internal reporting data.

I want to address the lack of benchmarking data, and there will be more on this throughout 2022. But in simplest terms, the more people we get to provide anonymous data on their experiences and perceptions, the better it is for all of us.

Any ideas on how to incentivise that (noting that most nascent ideas, like India’s “I paid a bribe” site, haven’t sustained or globalised)?