“How Much?” and “How Long?”
What Clients Want to Know about Risk Assessment
One of the most common requests we get from clients is for an objective assessment of the risks associated with the effectiveness of their overall ethics and compliance initiative. Invariably, that request is accompanied by a companion request – “And could you give us a ballpark estimate of how long that assessment will take and what it will cost?”
Navran Associates operates from a professional perspective that to properly answer either or both of those questions we must first define the processes involved and the outcomes that can be expected.
Our practice draws from the example of medicine. There are three basic tenets of the practice of medicine that are analogous to the practice of organizational ethics and compliance risk assessment:
- Medicine operates from the premise that, “Prescription without diagnosis is malpractice.” Who among us would trust a physician who was willing to take a patient’s description of symptoms as the only evidence necessary to prescribe a course of treatment?
- Doctors will listen to the patient describe symptoms but will then examine that patient, utilizing sophisticated diagnostic tools, to understand causes. Tenet two is that “We do not cure symptoms. We seek to understand and address causes.”
- Tenet three simply recognizes that the single most valuable skill of the medical professional is that of a good diagnostician. No matter how skilled the surgeon, if the diagnosis was incorrect the patient will suffer.
With that “philosophy” behind us, we approach risk assessment from the position that to assess an organization’s ethics and compliance risks we must first understand both where the organization is and where it needs to be relative to those risks that are most significant to that specific entity.
Some risks are widely understood and easy to assess. Legal compliance with broadly applicable laws and regulations comes to mind: OSHA, EEO, privacy law, anti-trust law, financial reporting requirements, FSGO, SOX, et al. So too is whether the organization has created the appropriate policies and procedures needed to facilitate compliance with those laws and regulations.
Other risks are more subtle and difficult to assess: To what extent do the actions, decisions and judgments of key personnel conform to policies and procedures? As we saw with Enron, having all the appropriate policies and procedures in place is no guarantee of ethical and legal conduct.
Even more subtle, but perhaps also more critical, are the attitudes, beliefs and values of people within the organization. Attitudes, beliefs and values drive actions, decisions and judgments independent of law and regulation, policy and procedure. They are also the drivers of what we do when there is no rule telling us what we ought to do.
So where to start?
Risk assessment would typically include an understanding of the legal and regulatory context. It would also, of necessity, include a review of the expectations and requirements of management regarding actions, decisions and judgments, as well as an examination of the policies and procedures employed to inform and satisfy those standards. It would further require an examination of the organization’s operational philosophy, attitudes, perceptions, values, standards of conduct, the presence or absence of pressures to commit misconduct, and the effectiveness of internal communications, as well as its ethics and compliance related risks and vulnerabilities.
We would examine the degree to which its values and ethics have been internalized among its stakeholders (board, executive management, employees, members, suppliers, etc.). We also study the philosophical, structural and informal factors that contribute to stakeholder buy-in and/or resistance to those values and ethics.
Ultimately, we need to understand both the formal standards and the informal standards – often characterized as the “culture” – the common understanding of “how things really work around here.”
That is the beginning of understanding where the organization is. It also allows us to assess how near the organization is to where it needs to be, and what is required to move it towards that goal. The process also recognizes that different organizations have different desired outcomes. Some are content to be “in compliance.” Others strive to be “principled and ethical,” and still others want to raise the bar and be the best in class – in their industry, market, or simply “best.”
So what about the questions of “How long?” and “How much?”
The best we can do, absent the specific knowledge described above, is to suggest that, at a minimum, for most medium to large enterprises, we need 15 “consultant” days to learn what we need to know to assess the risks that truly answer the questions.
The larger, more diverse or complex the organization, the longer it takes to assess. For a 100,000 person organization operating in 67 countries on five continents it may require 45-60 consultant days to gather the necessary data. It can be another 20-30 days’ work to consolidate the data, define what we have learned, determine what it means and develop recommendations for how this specific organization might best proceed from where it is to where it wants to be.
It is neither rocket science nor brain surgery, but it is complex and challenging. It is also important that it be done right – because, like rocket science and brain surgery, the cost of doing it wrong dwarfs the cost of doing it right.