Managing Regulatory Changes and Political Risk with Enterprise Risk Management (Part 2)
Steven Minsky | May 3, 2017
Read part 1 of this series, “Domestic Political Risk: Operating in the Uncertainty of a New Era.”
Here’s Why Compliance Solutions Are Inadequate for Managing Regulatory Changes
Regulatory compliance is mandatory, but it’s not the end goal; it’s the minimum operating standard. For strong companies, compliance is a mere byproduct of performing well and managing uncertainty. Compliance solutions can also cause difficulties in the face of domestic political risk, which includes significant fluctuations in the regulatory environment.
The biggest differences between regulatory compliance and risk management are:
- Regulatory compliance has a known, black-and-white outcome (meet a set number of specific requirements).
- Regulators give companies a predefined amount of time to adjust their operations, meaning there is no uncertainty as to when (and what) actions must be taken.
The ROI of a software solution can be represented by:
However, when using compliance-specific software, this formula for return falls apart in the face of uncertainty. Software specializing in a regulation such as Dodd-Frank or SOX is only useful as long as that regulation does not change.
Now, with regulations being rescinded, altered, and drafted in an unpredictable environment, it simply doesn’t make sense to invest in compliance-specific solutions. In order to manage domestic political risk, organizations need to be able to do the following:
- Thrive in an atmosphere of uncertainty by identifying root-cause risks and creating certainty;
- Stay abreast of regulatory changes, adapting as policies change;
- Prioritize those risks so high-impact issues can be dealt with more quickly.
A risk taxonomy helps corporations reorganize their processes, policies, and requirements while automatically preserving the links back to underlying risks, controls, and monitoring activities. Change management is built into integrated risk management software with robust taxonomy technology. Spreadsheets, Office products, and compliance solutions simply can't do this: they are not designed to manage change over time, and managing change over time is inherent in the definition of effective risk management.
Why Is ERM the Answer to Regulatory Changes and Political Risk?
The cost of non-compliance is far greater than monetary fines or lawsuits; violations can substantially impact a company's reputation for years. When it comes to protecting your company's reputation, as Benjamin Franklin put it, "an ounce of prevention is worth a pound of cure." The cost of a proactive solution is minuscule compared to the cost of sustained reputational damage.
As is becoming more and more evident as time goes on, the straightforwardness of compliance – a concrete “what” and a concrete “when” – vanishes when regulations are altered. Even in an ideal world, where line items remain constant and unchanged, regulatory risk is but one source (among hundreds) of uncertainty.
Enterprise risk management makes it possible to thrive even when the environment surrounding your business is a cloud of uncertainty. It accomplishes this by helping you answer a simple question: what's best for the business? Different processes, products, and assets add different value, and ERM gives senior management the means to identify the connections between activities so it can objectively prioritize and address emerging changes.
When the "when/what" is removed (or was never present, as is the case with every risk except regulatory risk), what's the priority? Compliance solutions can't help with this; they can only ensure you're able to deliver a report to a particular regulator. That report doesn't even mean your business is managing uncertainty; it just means you won't be hit with a particular penalty.
Determining what will deliver a healthy ROI and ensure compliance is the key to operating amidst significant political risk. As an example, consider a bank or other financial institution: meeting FFIEC requirements for third-party management should be a mere byproduct of robust contracts and vendor due diligence.
These activities allow for uninterrupted, safe operations, and must occur even in the absence of FFIEC requirements. Enterprise risk management, by helping organizations discover both vulnerabilities and opportunities, provides an ROI far greater than the direct cost of potential penalties.