Advice for Risk Managers: Treat Compliance Like a Risk, Not a Checklist
Steven Minsky | Jan. 7, 2016
Many companies share some problematic habits when it comes to compliance management. The worst of them is treating compliance like a checklist, as in: “If we meet these specific compliance requirements, our company should run efficiently and securely.” That is a simplified outlook, but the point stands. Being compliant guarantees neither efficiency nor security, while failing to meet requirements can have long-lasting negative effects.
At LogicManager, we view compliance as the minimum operating standard, and focus more on aligning our priorities with a risk-based approach. This affects how our own governance structure functions, as well as how we advise our customers.
The shift in how compliance is viewed is gaining momentum. New COSO and ISO updates, like ISO 19600 and COSO’s upcoming ERM update, specifically emphasize a risk-based approach to compliance. Moreover, organizational understanding of the relationship between risk and compliance is changing.
For example, Fitch Ratings, one of only three nationally recognized ratings agencies, has created and assigned a new role: Chief Compliance Officer. This is part of the agency’s plan to “bulk up” its compliance efforts and “broaden” its approach to risk, according to the Risk & Compliance Journal. Who does the new CCO report to? John Olert, Chief Risk Officer of Fitch’s parent company. This reporting line mirrors the new understanding of compliance as a subset of risk.
Olert contends the need for a Chief Compliance Officer became evident when he was responsible for handling both risk management and an effective compliance management system. Even though risk management contains compliance, the scope and complexity of compliance warrant their own departmental governance (the same is often true of IT risk and operational risk). The key is to manage compliance with a risk-based approach. Fitch Ratings is doing just this, widening its risk focus to include more than just market and credit risks.
Fitch identified a few other points of importance for its compliance program, all of which resonate with the LogicManager approach. One such point is the development of communication between employees and departments. We strongly agree with this assessment. No matter how insightful data and other information are, they cannot be useful unless delivered to the proper party. Organizations with a “stovepipe” mentality often fail to share information cross-functionally, and the result is redundancy: the same control gets implemented, tested and documented separately by different groups. A control used to mitigate a risk may also be the one that satisfies a regulatory requirement, and an ERM system can help track and manage those many-to-many relationships between risks, controls and requirements.