Sunday, May 26, 2013

Should Risk & Compliance Stay under the same Umbrella

Risk and compliance should work really closely in order to create value.

As part of the effort to run a successful business, organizations have to manage the risks to business operations with an eye on the strategic plan. Requirements to ensure compliance are another component of the company’s risks. However, in some businesses, compliance functions say that they never talk to their cousins in Risk Management. What are the ideal reporting lines for risk and compliance, and should they stay under the same umbrella?

1. Compliance Maturity

Compliance Management covers all (relevant) laws, regulations, internal standards and policies (including the Operational risk policy). It stands to reason that the laws, regulations, internal standards and policies imposed on or adopted by a company are the source and starting point for the definition of any underlying (operational and system) process needed to remain compliant.

  • Compliance is typically (at average maturity) an inward, detail-focused function. Ensuring and overseeing compliance is an essential part of the governance body, but it’s largely a means to 'preserve value' rather than to 'create value.' A compliance obligation is mostly an unrewarded risk: something you have to do to keep the regulator off your back and ensure your business maintains its license to operate. Evaluating the risk attached to compliance obligations is needed to manage compliance programs effectively.
  • At a high maturity level, Compliance is about looking at the outside world as well. Compliance is, or should be, more than just looking at internal directives. It is also about looking at how the world and society are developing. Compliance is very much a strategic issue, and companies that do not recognize this are blindfolded to a great extent, now even more than in the past, as the world has become significantly ‘smaller’ due to modern social media and cross-border relationships. A good example is ‘durability’ and ‘sustainability.’ If this is not taken into consideration and advised upon, the Board may disregard external sentiments or external social and political developments. A good reputation is one of the biggest assets of a company and most definitely a value creator.
  • Plus, the focus of compliance should shift naturally in line with the view of the market. Compliance should be in the frontline of developments to provide guidance to the business where this is needed. This also means that Compliance is not only telling the business what they cannot do; it can also point them in the direction of alternatives and opportunities within the regulatory frameworks.

2. Managing Compliance is a Sub-set of Operational Risk

Businesses are focused on risk management and corporate governance as a means of setting guidelines. Both are critical business functions whose responsibility resides with the board and senior executive teams, to the point of liability and individual risk. Risk, at the Board level, requires a strategic and forward-looking perspective, dealing in uncertainty and, if it is to add real value, challenging accepted wisdom, 'thinking the unthinkable' and asking the unpalatable question. Sadly, many companies pay the price for limiting their thinking to the short-term, internal perspective.

  • The overarching risk management program should consider compliance risk as part of the enterprise view of risks. Compliance with risk management and appropriate Operational Health & Safety (OH&S) practice should be commonplace across the business, seen and acted on simultaneously. There seems little point in establishing risk management policies and processes and having no cultural penalties or disincentives if the processes and risk-mitigation strategies are not implemented across the business. There are companies that focus on compliance, the heavily regulated ones for obvious reasons; however, if that is their only focus or primary strategy, they can miss risks that might be pretty obvious to someone else.
  • The challenge is ensuring that the people authorized to make decisions on behalf of the company are able to view the organization and the risks to the organization holistically. There needs to be a balanced and thoughtful approach to managing the risks that could interrupt or negatively impact the business, which includes compliance risk. Organizations get into trouble when they focus only on compliance, because a compliance-focused GRC program can be reactive and backward-looking. "Making the regulators happy" frequently _does_ turn into window dressing; many regulated organizations follow that path only to suffer losses due to risks not adequately addressed by compliance-focused risk management.
  • Risk is a topic for the full board, not only to identify and address key risks but to understand and convert the best of them into opportunity (the creative cousin of risk) for new initiatives and progress. At an operational level, the management of risk does usually align well with the compliance function. But the role of the board is not just about 'risk management': directors are there to provide 'risk governance.'

3. Balance the “Four Eyes” Checks & Co-operation between Compliance & Risk Management

The debate is about how to make compliance and risk management work together more effectively: how do they cover the areas that cross over? How well do they cover the gaps? Can you really understand the risks in a solution if you don't understand it from end to end? How do you strategically align compliance as part of the overall process to manage risks?

  • Separation of the Risk and Compliance functions in most organizations should provide the necessary "four eyes" checks and balances to optimize risk mitigation within a firm. The Compliance function often reports directly to the firm's governing body, whereas Risk goes into the board via C-level executives (depending on the size and complexity of the firm), as Risk and Compliance Management typically require different skills and mindsets. This does not mean, however, that there should not be close co-operation between the two areas. Unfortunately, at this point in larger organizations, power politics and point scoring often get in the way of common sense and what is best for the organization! They usually claim that compliance and risk are working side by side, but in fact they sometimes act as each other’s biggest internal competitor, trying to dominate each other in the chain of command and hierarchy.
  • Risk Management processes should sit at the core and run through all activities, whether carried out by the compliance function or by the businesses. This works well; by leveraging the risk management process, the level of evidence and reporting required by regulators these days can also be produced without extra processes. Compliance is such a large area of risk that most companies have a group dedicated to it, which may create the impression that it is somehow a separate discipline, but it isn't. It's just one risk area that is large enough to justify dedicated staff. While the reporting lines could certainly be aligned, there is a definite need and benefit for dedicated compliance staff, because these people represent very specific subject matter experts, whereas your risk management staff may be more generalist.
  • Risk and compliance should work really closely in order to create value. Many have been advocating integrated GRC for years. Integrated GRC includes more vital business perspectives, each providing a check and balance on the others. The two disciplines require different sets of specialism, and depending on how heavily regulated the entity is, it may require the functions to operate independently, although the risk issues should be addressed jointly in one Risk and Compliance Committee, as compliance does have an impact on strategic matters. More importantly, they should use the same (risk) methodologies and talk the same language. Failure to comply with any operational process is, in the bigger picture, primarily a failure to comply with the operational policy from which the process is (in the end) defined.
Therefore, there are pros and cons to merging Risk and Compliance completely, but risk management and compliance are as closely linked as they need to be under the GRC umbrella.
