Operationalizing your compliance program requires rigor around risk management. This means moving beyond simple risk assessments into a full risk management process. This is a three-step process of forecasting, risk assessment and risk-based monitoring. Many compliance practitioners fail to begin the risk management process with the critical step of forecasting.

At its heart, every business tries to plan for its future. It is a critical aspect of any management of any organization, non-profits, privately owned and of course, publicly traded companies. It is important that management be able to set out what it opines will happen in the next three, six, twelve and twenty-four months. Noted health care process expert Ben Locwin has said this “is really something that the businesses try to wrap their heads around in such a way that they can shunt resources where they think is appropriate in order to meet these future demands. Forecasting really at its heart is an educated guess and really as much as it becomes a reliable model more so and less so a guess, is based on the quality of the input data.” It is a process through which you are attempting to “prognosticate what the future will bring to you”. Unfortunately, forecast models are only as good as the data which are put into them or the GIGO (Garbage In, Garbage Out) Principal.

Locwin said that forecasting “should be broadly defined as a technique to estimate future aspects of any sort of business or operation.” He divided forecasting methods into two major categories; qualitative and quantitative. While both methods use past or historical data, in the quantitative method, “you would use time series analysis, for example, to see how certain trends appear in the data in the past.” Contrasting the qualitative method, which Locwin said is “a more subjective, and you’re using less collective data which has been, let’s say, put into some sort of time series plot. It could be finances fluctuating over time or maybe it’s various incidences. In the context of anti-corruption compliance specifically, this would include various instances of bribery and corruption that have been occurring. How would you document these over time? When were there spikes? Those spikes, related to what types of actions by your organization?”

Under either approach whether you are using the qualitative or quantitative method for forecasting, Locwin noted “what you’re really trying to do is say that, “We expect that the trends that we’ve seen will be somewhat predictive of future behavior.” Otherwise, if you don’t consider that past behavior is in some ways indicative of future performance, you would not engage in any forecasting whatsoever.”

Forecasting typically will raise risks (and opportunities) which you might consider going forward. However, it does not assess or monitor these risks. Those are handled by risk assessments and risk monitoring. Locwin cautioned that simply because something is forecast does not mean will occur. He cited to Nobel winning physicist Niels Bohr for the following, “Prediction is difficult, especially about the future.” Locwin went on further to explain, “Whenever you’re trying to say how something will go, really the best you can do is try to look at past data and try to say what’s going to happen with that. In my prior probabilities, my prior knowledge tells me this, and therefore what will that mean for the final outcome?”

This last point led Locwin noted “what we can all do as an industry in order to insulate ourselves from overly adverse outcomes is to be more agile and adaptable in how we respond to the changes that are coming. Standing immutable behind hardline policies can make the necessary operational changes difficult to absorb and lead to more variance and extended costs in the long run. This concept is known as anti-fragility, where the idea isn’t to become more impervious to change and market forces, but to