
Manage Tomorrow's Surprises Today

Steven Minsky

Advice for Risk Managers: Treat Compliance Like a Risk, Not a Checklist


Many companies share some problematic habits when it comes to compliance. The worst of them is treating compliance like a checklist; in other words, thinking, "If we meet these specific compliance requirements, our company should run efficiently and securely." While this is a simplified outlook, the point remains the same: being compliant guarantees neither efficiency nor security, but failure to meet requirements can have long-lasting negative effects.

At LogicManager, we view compliance as the minimum operating standard, and focus more on aligning our priorities with a risk-based approach. This affects how our own governance structure functions, as well as how we advise our customers.

The shift in how compliance is viewed is gaining momentum. New COSO and ISO updates, like ISO 19600 and COSO's upcoming ERM update, specifically emphasize a risk-based approach to compliance. Moreover, organizational understanding of the relationship between risk and compliance is changing.

For example, Fitch Ratings, one of only three nationally recognized ratings agencies, has created and assigned a new role: Chief Compliance Officer. This is part of the agency's plan to "bulk up" its compliance efforts and "broaden" its approach to risk, according to the Risk & Compliance Journal. Who is the new CCO reporting to? John Olert, Chief Risk Officer of Fitch's parent company. This mirrors the new understanding of compliance, as a subset of risk:

compliance is a risk

Olert contends the need for a Chief Compliance Officer became evident when he was responsible for handling both risk and compliance. Even though the former contains the latter, compliance's scope and complexity warrant its own departmental governance (which can also often be said for IT and operational risk). The key is to manage compliance with a risk-based approach. Fitch Ratings is doing just this, widening its risk focus to include more than just market and credit risks.

Fitch identified a few other points of importance for its compliance program, all of which resonate with the LogicManager approach. For example, another point of emphasis is the development of communication between employees and departments. We strongly agree with this assessment. No matter how insightful data and other information are, they cannot be useful unless delivered to the proper party. Organizations with a "stovepipe" mentality often fail to share information cross-functionally, resulting in redundancy. A control used to mitigate risk may also be used to meet a regulatory requirement, and the utilization of ERM systems can help track and manage those complex relationships.

For more information about presenting Enterprise Risk Management solutions to the board, take a look at our free eBook, Presenting ERM to the Board.


In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc., the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania's Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.
