Assess your risks

Table of Contents


On this page:

What this means

All businesses, no matter their size, are likely to market products or services, or have contact with competitors. These activities can expose your business to serious risks. The nature and size of your organization could also make it susceptible to specific types of risks, like abuse of dominance. Your risk assessment will help you understand the risks that affect your specific business so that you can take steps to manage them.

Know your business environment. Understand your industry, your employees, the activities undertaken by your organization including marketing and promotional initiatives, and the compliance risks that you face under Canadian law. This information will help you build a credible and effective compliance program tailored to your organization’s needs.

Compliance with the law does not have to be a difficult task. Minimize the risk of non compliance by:

  • regularly assessing your risks to understand potential trouble areas
  • implementing a compliance program that addresses these risks
  • fostering a culture of compliance to reduce those risks

A small reminder on what makes a compliance program credible and effective

Your compliance program needs to be credible and effective to truly help you.

To be credible, your program must at a minimum show your business’ genuine commitment to obeying the law and competing fairly.

To be effective, your program must inform all your people, and those acting for your organization, that compliance is important. It must inform them of their legal duties and your internal compliance measures. It should also give you the tools to prevent and detect misconduct.

Your program should be reasonably designed, implemented and enforced in the circumstances. This means that it addresses your organization’s risks within your resources and in light of your business activities.

Why it matters

To be credible and effective, your compliance program should clearly identify the risks for your organization.

Assessing your risks is one of the most important things you can do to prevent non-compliance. When you understand which parts of your business expose you to risk, you can effectively build and maintain a tailored program. Your program will then be stronger and more cost-effective.

However, risk assessment is not a one-time project. As your business and the market change, your risks will change too. If your compliance program does not recognize and address new risks as they emerge, it will become less effective in protecting you and your organization from non-compliance.

If you’re a small business...

Smaller businesses should also carry out a risk assessment. You don’t need to recruit a separate person to perform this task. Any person with authority and status in your organization who is aware of your business’ legal risks and knows the compliance management steps needed to mitigate the risks can do the assessment. You can apply the principles on how to build a credible and effective compliance program for your business to your operations and available resources. Also, consider reaching out to your trade association or local chamber of commerce for resources, workshops or seminars on risk assessment.

How you can assess risks

The compliance officer should coordinate the risk assessment. Senior management should fully support the compliance officer in this task. Every department in your organization, including human resources, sales, marketing, legal, procurement, and information technology, should cooperate with the compliance officer and their team, and give them the information they need to understand all business operations and to identify risks.

If your business practices are particularly complex, consider providing the compliance officer the services of a subject matter specialist, such as a competition lawyer.

To identify risks, the compliance officer should carry out a three-pronged assessment :

1. Identify business areas and practices exposed to risk

  • Examine your organization’s culture, business and marketing practices, industry, competitors and interactions with them
  • Examine your organization’s regional offices, business units and subsidiaries
  • Be mindful of business and marketing practices that could expose you to risk under Canadian law
  • Sometimes, the conduct of employees in their personal lives could also expose them and your organization to risk (for instance, using personal social media to promote your organization’s products)
  • Flag any unusual circumstance or unique scenario that could lead your organization or others to break the law

2. Identify roles exposed to risk

  • Identify the at-risk roles, that is, employees and managers who are exposed to legal risk
    • Employees with direct exposure to risk: certain employees and managers are more likely to face compliance risks due to the nature of their role
    • Administrative staff: support staff who work with the employees in roles with direct exposure to compliance risks
    • Gatekeepers: employees in roles that can identify any wrongdoing, such as governance, legal, or finance and audit
  • Employees and managers in at-risk roles must be adequately trained
  • Consider asking the employees and managers in at-risk roles to certify in writing that they have read and understood the company’s programs, policies and procedures

3. Identify business changes that may lead to risk

  • Risks will change as your business and the market evolve, especially with the rapid changes brought on by digitalization. Assess your risks on an ongoing basis
  • New compliance risks may arise for your organization in many situations, such as when:
    • launching a new product
    • adopting new marketing strategies
    • entering a new geographic market
    • your business grows
    • reorganizing your business into a new business
    • reorganizing your existing business
    • adopting new technologies
    • changing an employee’s role
    • assigning new duties to specific positions
  • Changes in the market may also affect your risks, such as:
    • new regulations
    • mergers or changes in ownership of competitors, suppliers or customers
    • changes in the law
    • development of new technology
    • decisions of courts and tribunals
    • the Competition Bureau’s enforcement policies

Everyone benefits when companies act fairly and according to the law. Therefore, your organization should also encourage third parties, such as those acting for your organization and trade associations, to address the risks associated with their operations. You could monitor the third party’s conduct and require that they have their own credible and effective compliance program.

Tips for assessing your risks

  • Conduct assessments regularly

    Your compliance officer and senior management should conduct risk assessment routinely and whenever circumstances change, to identify risks and assess compliance issues.

  • Understand the risks involved in your business practices

    To understand your exposure to risk, start by looking at the key takeways for each of these activities:

  • Review impactful changes to your business or in the market

    Your compliance officer must monitor new risks arising from changes within and outside your business. They should develop an appropriate strategy to minimize those risks.

  • Think about the roles in your company that are exposed to risk

    Use job descriptions to assess risk factors for different positions. Revisit your assessment regularly, and whenever conditions change that could expose employees to new risk factors.

    Also, when creating new roles, consider how they may be exposed to risk.

  • Talk with people in your business units and regional offices

    People outside of your headquarters could be aware of activities and developments that could affect your organization’s risks. If you have limited resources, think about which business units or regional offices are most likely to expose your business to risk and focus on them.

DISCLAIMER: Because every situation presents unique facts, the information set out herein is provided for general information only. This content is not a substitute for legal advice, nor is it a binding statement of the Commissioner of Competition’s position on the requirements or efficacy of any particular compliance program. Indeed, there is no one-size-fits-all approach when it comes to achieving credible and effective compliance.

The Competition Bureau launched a Compliance Portal to help you and your business stay on the right side of competition and labelling laws. It replaces the Corporate Compliance Programs Bulletin. We’re currently reviewing the feedback we received during the recent consultation on the form and substance of this portal. An update will follow later this year.