1. Definition of Risk & Compliance
From Wikipedia: Risk management is the identification, assessment, and prioritization of risks (the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
Compliance means conforming to a rule, such as a specification, policy, standard or law.
- Compliance with statutes
- Compliance with regulations
- Compliance with contracts (customer, vendor, supplier (licenses))
2. Strategic Value & Operational Mechanism
- Strategic Value at Board Level:
- Risk, at the Board level, requires a strategic and forward-looking perspective, dealing in uncertainty, if it is to add real value: challenging accepted wisdom, 'thinking the unthinkable' and asking the unpalatable question. Increasingly we need the view that strategic risk is a topic for the full board, not only to identify and address key risks, but to understand and convert the best of them into opportunity (the creative side of risk management) for new initiatives and progress. The role of the board is not so much about 'risk management' as about providing 'risk governance'.
- Compliance: Compliance also needs to look at the outside world. Compliance is, or should be, more than just looking at internal directives. It is also about looking at how the world and society are developing. Compliance is very much a strategic issue, and companies that do not recognize this are blindfolding themselves to a great extent, now more than ever, as the world has become significantly ‘smaller’ due to modern social media and interdependent relationships. Good examples are ‘durability’ and ‘green’. The board should take this into consideration with regard to external social and political developments. Ensuring and overseeing compliance is an essential part of the board’s role, as a good reputation, being seen as a good corporate citizen, is one of the biggest assets of a company and most definitely a value creator.
- Operational Mechanism:
- Risk management is the decision mechanism that should be integrated within all management decision trees, including those that impact 'Compliance'. Contract and compliance decisions aren’t made without weighing the positive risks against the negative risks.
- Compliance risk at the operational level is mostly unrewarded risk: something you have to do to keep the regulator off your back and ensure your business maintains its license to operate. Most of the time you are avoiding penalties and fines when it comes to being compliant; in this regard, compliance is a “must have” to keep your business’s lights on.
Businesses are focused on risk management and corporate governance as a means of setting guidelines. Both are critical business functions whose responsibility resides with the board and senior executive teams to the point of liability and individual risk.
3. Intertwined Relationship Between Compliance and Risk
As part of the effort to run a successful business we have to manage the risks to business operations with an eye on the strategic plan. Requirements to ensure legal compliance are another component of the company’s risks. The challenge is ensuring that the people authorized to make decisions on behalf of the company are able to view the organization and the risks to the organization holistically.
There needs to be a balanced and thoughtful approach to managing the risks that could interrupt or negatively impact the business, which includes compliance risk. That said, the overarching risk management program should consider compliance risk as part of the enterprise view of risks. It should also keep the risk management process at its core, running through all activities, whether performed by the compliance function or by the businesses.
The debate here is: should compliance and risk be treated as sisters living under the same roof, or as separate cousins who visit each other once in a while?
- The Point of Convergence:
At some organizations, compliance functions say that they never talk to their cousins in Operational Risk; and very often compliance officers who come from a legal environment don't have a smattering of risk management, not to mention statistics or math. From the company's risk management point of view, such a compliance function is, if not useless, then very limited: How do they cover the areas that cross over? How well do they cover the gaps? Can you really understand the risks in a solution if you don't understand it from end to end?
Compliance is a risk to be managed; it is a sub-set of operational risk. It is such a large area of risk that most companies have a group dedicated to it, which may create the impression that it is somehow a separate discipline, but it isn't. It's just one risk area that is large enough to justify dedicated staff.
- The Counter-point:
Sadly we have seen too many companies pay the price for grouping Risk with Compliance, and limiting their thinking to the short term, internal perspective. Separation of the Risk and Compliance functions in most organizations should provide the necessary "four eyes" checks and balances to optimize risk mitigation within a firm. This does not mean, however, that there should not be close co-operation between the two areas. Unfortunately, at this point in larger organizations, power politics and point scoring often get in the way of common sense and what is best for the organization!
- Unification Point:
The organizational structure may be situational, but we need to have known risks as a part of the compliance process, and also draw compliance parameters for risk management. Whether as sisters or cousins, risk and compliance should work really closely in order to create value. Possibly more important, they should use the same (risk) methodologies and talk the same language.
Compliance and risk management professionals should be aware that compliance is not just about the letter of the law or regulation, but also very much about its spirit. Unwritten rules, based on common decency, mutual respect and integrity, should play an equally important role next to ‘hard’ compliance.