There has been, for many years, an ongoing debate as to the relationship between Compliance Management and Risk Management. Some have believed they are separate disciplines, others that risk management is a subset of compliance, and yet others that compliance is a subset of risk management.
The new ISO 19600 standard (December 2014) provides a reminder of how compliance and risk should operate together, as “colleagues” sharing a common framework with some nuances to account for their differences. The 19600 standard on “Compliance Management Systems” reflects largely the existing AS 3806-2006 standard, which it will replace.
It is clear that the standard is closely aligned with the ISO 31000 risk management standard. This is most prominent when comparing the seven processes in each standard.
Fig 1. Management processes in each standard
In addition, Compliance Risk is defined as “the effect of uncertainty on compliance objectives” while the ISO 31000 standard defines Risk as “the effect of uncertainty on objectives”.
The 19600 standard, amongst many other things, “recommends” that organisations: “adopt a risk-based approach to compliance” and “develop a risk appetite for compliance risks”.
The standard fully supports integration of compliance risk management with enterprise risk management as far as possible. This is good news for business, as greater value can be extracted from risk and compliance cultures that feed off, and support, each other. It means that compliance risk management becomes part of enterprise risk management using, by and large, the same processes. The key overlaps are:
- Compliance Risks are generally the same as operational risks. The only difference is that “compliance risks” lead to an actual or potential compliance breach (impact). Many of the risk events that cause compliance breaches will also lead to other “operational” impacts such as financial loss, reputation damage etc.
- The processes of operational risk management can be equally used for compliance risk management including:
  - Risk and Control Self Assessment. Compliance risks should be considered in the overall risk assessment.
  - Stress Testing. Stress scenarios leading to severe compliance breaches should be considered as part of the overall stress testing program.
  - Key Risk Indicators. Early warning indicators should be put in place around the key risks that could cause major compliance breaches.
  - Incident Management. Compliance breaches should be considered as “risk incidents” and be subject to the same, if not tailored, approach to management.
  - Controls Assurance. The key controls over key compliance risks should be subject to ongoing control testing and validation as for all other key controls.
  - Issues and Actions. Issues identified in the above processes should be recorded and remediated as for any other risk issue identified.
This means that compliance risk management should form an integral part of the overall enterprise risk management (ERM) framework and risk professionals should consider compliance risk as part of their overall portfolio of risks.
Because this is compliance, there are some nuances that have to be considered separately. These include:
- Compliance obligations must be identified, recorded and linked to the source legislation, standard or guidance. This requires an obligations register to be maintained.
- Taking a risk-based approach to compliance, the application of all of the standard ERM processes as outlined above may only be considered appropriate for the key compliance risks. For other compliance risks, a degree of comfort should be acquired; this may come in the form of other techniques, including attestations, process reviews, checklists, mystery shoppers etc. The combination of all techniques should provide reasonable assurance that the compliance objectives are being met.
If you would like to know more about how Protecht can help you with your compliance risk management, especially in relation to the new ISO 19600 standard and the integration with your overall risk management framework, please contact Luna Restrepo via email firstname.lastname@example.org.