Where Do Compliance and Risk Management Meet?
A recent article by A-J Secrist of Parker Poe Adams & Bernstein examines the relationship between risk management and compliance. Some analysts distinguish between the two, treating risk management as a strategic concern and compliance as an operational one driven by regulatory oversight. Others might go in the opposite direction and mistake running a compliance program for performing risk management.
There is no doubt that there is a distinction between risk management and compliance, simply because the functions may be performed by different people within an organization, and at different levels. However, as Secrist points out, “In essence, noncompliance is a type of risk.”
Compliance is a key element of a comprehensive risk management plan.
Regulatory Risk Management
According to Secrist, the blurring of lines between risk management and compliance has been driven by the big regulatory pushes of the past decade: the 2002 Sarbanes-Oxley Act and the 2010 Dodd-Frank Act. These pieces of legislation incorporated risk management functions as part of regulations, thereby making “compliance” part of risk management.
Nevertheless, legal requirements should not determine an organization’s comprehensive risk management strategy. Companies need to identify and evaluate all the risks they face, and allocate resources to mitigate them appropriately. Compliance will be one of the tactics used to address risks.
In some ways, compliance may actually point at risks that companies want to control anyway. For example, some laws set requirements for organizations to act legally and ethically, and to ensure that the employees understand the standards and the expectation that they will comply. Compliance with these rules may directly mitigate certain human capital risks, such as exposure to organizational fraud.
Bring Compliance Issues into Risk Management
Organizations face the challenge of making certain that overlapping risk and compliance activities are properly integrated.
To the extent that risk and compliance are segregated in an organizational structure, managers need to set up lines of reporting that include compliance within risk management planning and execution to bring the pieces together.
Are your compliance and risk management activities intertwined? Should they be? Talk with a Lowers Risk Group consultant for more information and insight.