Tuesday, November 18, 2008

Risk-driven Compliance Management

Like everything in life, managing the risks surrounding regulatory compliance at any good-sized enterprise is as much about setting priorities as it is about risk or compliance management. We’ve worked with some of the biggest, most highly regulated companies on the planet for years and we’ve seen a lot of approaches to managing compliance risk and priorities.

Those who get truly organized around managing compliance risk do it because it lowers the cost of compliance and it provides clarity and consistency around the risk and the business response.

With the focus lately on risk management, many are forgetting one simple fact. It is usually human beings that expose these risk and compliance failures, not mega trends in the markets. And it is usually not that these risks weren’t considered, but how they were managed day to day among the employees or partners. So the acts of risk identification and measurement on the front end and audit on the back end are key GRC components, but in the middle must reside a thorough compliance management system that addresses the behavioral aspects of risk response.

In other words, with such an intense focus on risk management, I wanted to make sure we are keeping this in perspective.

1) A risk management program alone will not produce a compliance program aligned with the US Sentencing Commission’s Federal Sentencing Guidelines standard of seven elements of an effective compliance program.
2) The practices, disciplines and objectives of risk management are considerably different than those of compliance management.
3) A robust internal audit function is not the same as a robust risk management function. These too are significantly different disciplines.
4) Risk Management and Compliance Management must be connected for either of them to provide optimal benefit to the enterprise.

So, how does a company cost effectively deal with these realities given such a dynamically changing environment and the mounting regulatory, financial and societal pressures?

The answer is quite simple: Risk-driven Compliance Management™.

The leading companies we work with have a process, primarily led by the General Counsel and the Chief Compliance Officer, working with other senior management and the board, whereby they leverage risk management practices to prioritize their compliance risks. Once they are prioritized, those that are viewed as the most material can be addressed within an enterprise framework of a seven element compliance management process, aligned with the business.

As a provider of a value-added service to their management peers, the corporate compliance office can provide and manage this capability without unduly interfering in how other functional areas run what they do, and in fact is viewed as a value-added partner in assisting the business in developing practices that both address the risk and support the operational needs of the business. Furthermore, this process and structure creates risk and compliance experts embedded within the business to support the risk and compliance values, goals and business objectives. We have seen this work, and work well.

These compliance risks, as they are prioritized and addressed, then allow the business to work down the list in a more efficient and formalized manner, creating a scalable, repeatable process that can start in a single area and be expanded as the maturity of the process and organization grows.

Just as the CFO designs an effective budgeting process and then involves other functional managers in that process, in effect as a service, it is up to those that oversee compliance risk to perform the same service-oriented role in organizing and executing a best-in-class risk-driven compliance management system.

We have clearly entered an era where risk management and compliance management should be combined into a modern GRC program, one where the roles in GRC are understood and distributed across the business but the oversight and management is driven by focused experts equipped to run a risk-driven compliance program.

Axentis, Inc. will be publishing a white paper entitled “Risk-driven Compliance Management”, as well as a related survey analysis document, in the coming days that dives much deeper into the Risk-driven approach. I encourage you to continue checking the website and let me know what you think.