Risk in Compliance
April 21, 2011 by Luc Brandts
Filed under: Governance, Risk and Compliance, Risk Management
We are sometimes asked why we introduce risks into regulatory views. Many people want a clear list of regulatory requirements with the associated policies and procedures. Plain and simple. We do this too, but we add the risk in between. Why is that, and why should you care?
In organizations with very mature, integrated risk and compliance processes, these risks are the business risks themselves: they relate regulations to business risks and allow non-compliance to be monitored in the context of enterprise risks. The vast majority of companies, however, still separate the compliance and risk functions. So, two questions arise:
- Where is the need to include risks into the compliance program?
- What is the risk when there is no risk taxonomy (yet) for the compliance program?
To answer the second question first: quite simply, it is the 'risk of non-compliance'. This means no deep thinking needs to go into the compliance risk taxonomy at this stage; the regulatory view is simply enriched with the risk of non-compliance. As for the benefit, to answer the first question: it enables risk-based compliance. It lets you perform risk-based scoping without any additional configuration work. So, without any additional effort, you gain the ability to take the step towards risk-based compliance. You can have a business discussion about financial, legal and reputational impact without any extra investment. Who could be against that? Some will say there is no immediate benefit, as it will take several years to really prepare the organization for true risk-based compliance. I would say this approach will speed that up, because the business is brought into the discussion more easily. So, bring the risk into your compliance program: no investment, only return.
Tags: BWise, Risk Management, Compliance