So, what is risk-based compliance? It seems to be a must-have term on any compliance website, and certainly for compliance software vendors. But what does it mean? For many, compliance is not risk related. While they understand the law is in place to protect consumers, investors, and countries against a certain risk, there is no arguing. You simply implement it, and adhere.
In daily practice, some will allow themselves to drive a little too fast because the risk of getting caught is small, and if it does happen, the impact is usually limited. But I am sure this is not what compliance officers mean by risk-based compliance. That would mean they agree it's OK not to comply as long as you don't get caught. Nobody would say that, not in public at least, and it most certainly wouldn't be the official compliance doctrine of any non-criminal organization.
So what is risk-based compliance? What it means is that it's OK to design your compliance controls based on the risk. The same risk may be larger or smaller in different areas of the business. Bribery is more likely when you're in purchasing, sales, or contracting. Theft is more likely when you have access to money, assets, or goods. The measures you take will therefore differ from one area of the business to another.
In other words, a compliance risk assessment should take the business context as its starting point, treat the risk of non-compliance as the risk, and define appropriate (indeed risk-based) controls. The term "risk-based compliance measures" is probably more accurate than "risk-based compliance", leaving the latter for those of us who knowingly drive too fast. That said, I am pretty sure risk-based compliance will stick as the "official" term.