There has been, for many years, an ongoing debate about the relationship between Compliance Management and Risk Management. Some have believed they are separate disciplines, others that risk management is a subset of compliance, and yet others that compliance is a subset of risk management.
The new ISO 19600 standard (December 2014) provides a reminder of how compliance and risk should operate together, as “colleagues” sharing a common framework with some nuances to account for their differences. The 19600 standard on “Compliance Management Systems” largely reflects the existing AS 3806-2006 standard, which it will replace.
In addition, Compliance Risk is defined as “the effect of uncertainty on compliance objectives” while the ISO 31000 standard defines Risk as “the effect of uncertainty on objectives”.
The 19600 standard, amongst many other things, “recommends” that organisations: “adopt a risk-based approach to compliance” and “develop a risk appetite for compliance risks”.
The standard fully supports integration of compliance risk management with enterprise risk management as far as possible. This is good news for business, as greater value can be extracted from risk and compliance cultures that feed off, and support, each other. It means that compliance risk management becomes part of enterprise risk management using, by and large, the same processes. The key overlaps are:
1. Compliance Risks are generally the same as operational risks. The only difference is that “compliance risks” lead to an actual or potential compliance breach (impact). Many of the risk events that cause compliance breaches will also lead to other “operational” impacts such as financial loss, reputation damage etc.
2. The processes of operational risk management can equally be used for compliance risk management, including:
- Incident Management. Compliance breaches should be considered as “risk incidents” and be subject to the same, if not tailored, approach to management.
- Controls Assurance. The key controls over key compliance risks should be subject to ongoing control testing and validation, as for all other key controls.
- Issues and Actions. Issues identified in the above processes should be recorded and remediated, as for any other risk issue identified.
- Risk and Control Self Assessment. Compliance risks should be considered in the overall risk assessment.
- Stress Testing. Stress scenarios leading to severe compliance breaches should be considered as part of the overall stress testing program.
- Key Risk Indicators. Early warning indicators should be put in place around the key risks that could cause major compliance breaches.
This means that compliance risk management should form an integral part of the overall enterprise risk management (ERM) framework, and risk professionals should consider compliance risk as part of their overall portfolio of risks.
Compliance being what it is, there are some nuances that have to be separately considered. These include:
Image Source: Bryan Whitefield