Differences in risk management and compliance

05 Apr, 2024 - 00:04

eBusiness Weekly

Elgin Chetsanga

In many industries, such as insurance and banking, the concepts of compliance and risk management are often mentioned alongside each other or even used interchangeably. While there is an overlap between these two terms, it is important to understand the difference between compliance and risk management to avoid duplication and inefficiency.

Knowing their differences also helps to work towards removing silos in any organisation and hence optimise both departments’ outcomes. It is often reported that appreciating the differences and similarities of these functions increases the value they bring to the organisation.

Let’s start off with definitions of each concept. COSO defines risk as the possibility that an event will occur that adversely affects the achievement of an objective. Another authoritative definition of risk is from ISO 31000.

ISO 31000 keeps the risk definition simple by stating that risk is the “effect of uncertainty on objectives”.

These two well-respected definitions concur that uncertainty is the chief driver of risk.

Logically, it should then follow that risk management is about managing this uncertainty. Risk management is the process of identifying, evaluating and prioritising risks.

Risk management is incomplete without a coordinated application of resources to minimise, monitor and control the probability and impact of unfortunate events. Risk management is also useful to maximise the realisation of opportunities.

Compliance, on the other hand, can simply be defined as adhering to stated requirements. A broader view of compliance defines it as the process of identifying, assessing, advising on and monitoring applicable laws, regulations, codes of conduct and standards to ensure that an entity does not fall foul of the rules.

Besides the definitions, another key difference between compliance and risk management is around the tactical versus strategic nature of these two areas.

In general, rules and regulations that any entity needs to comply with tend to be similar for each industry.

While an organisation can choose how it wants to comply with the rules of its industry, there is usually little latitude to vary them. Hence, compliance will often become tactical in response to the rather inflexible requirements it must adhere to.

However, in recent times, compliance has increasingly become a key strategic cog. Compliance contributes to strategy by proactively identifying potential legal and regulatory risks associated with business strategies. Compliance professionals are also feeding in insights that help refine decision-making. This proactive approach helps uncover prospects for strategic advantage.

Risk management, on the other hand, has traditionally required a more strategic approach.

The peculiarities of each organisation, such as its management, resources, products, market share etc., often mean that each organisation has different targets when it comes to risk management.

How risks manifest for one organisation may vary from the next, and this means that the responses will also differ.

Risk management, then, tends not to be a one-size-fits-all approach, as can sometimes be seen in compliance.

Every organisation must select how it will structure its risk management systems, policies and processes to achieve the outcomes that are optimal for it.

Another difference between compliance and risk management manifests itself in the prescriptive versus predictive themes of the two functions.

Compliance has over the years been viewed as being a prescriptive exercise. This view is informed by the very fact that there is usually little room to vary the approaches to compliance and the outcomes are usually the same.

Regulators set out laws and expect compliance, nothing less.

However, it’s important to note that the view of compliance as a prescriptive exercise is shifting as regulators move away from reliance on detailed prescriptive rules to outcomes-based rules, such as those seen in the treating customers fairly principles.

Risk management sits at the other end of the spectrum. Going back to the definition, you will realise that a big part of the risk management process is dealing with uncertainty.

This risk management exercise involves current and emerging risks. This means trying to see into the future and asking what can go wrong. In today’s evolving environment, a good risk manager must always think beyond the now and “see two corners ahead”.

The use of models, AI, big data and predictive analytics has also come to the aid of the modern risk manager. This makes risk management more of a predictive exercise than a prescriptive one.

The clearest difference between compliance and risk management seems to be in their end goals. From the definitions, we notice that there are some distinctions in the processes and the outcomes.

A common view held by many is that for compliance the end goal is to assure that all rules are adhered to, while the goal of risk management is to interrogate the potential risks a business could face and mitigate them using the available resources.

We have, however, noted that this traditional view is being challenged as compliance functions are now shaking off the checkbox tag and playing a pivotal role in strategic discussions.

Modern approaches to viewing risk and compliance, such as the combined assurance model from King 4 and the governance, risk management and compliance (GRC) approach, now offer a different view.

For example, governance, risk management, and compliance (GRC) is a relatively new corporate management system that combines these three critical functions into the processes of every department within a business.

The GRC approach is partly a response to the “silo mentality”, where each department within an entity can become reluctant to collaborate on workstreams with common outcomes.

This has the obvious effect of reducing efficiencies, damaging staff morale and hindering the development of a positive company culture.

In conclusion, risk management and compliance have some interesting overlaps, similarities and interdependencies which any organisation should utilise to preserve value and even create value.

The outcome for both functions is to minimise the downside, and both functions are now increasingly concerned with being not only problem spotters but also problem solvers, with the aim of helping the business grow.

The major takeaway is that risk management and compliance are different, and businesses need to be careful not to lump the two together as one initiative with one approach, but also need to understand their similarities and how alignment will lead to more value for the organisation.

Elgin Chetsanga is head of risk and compliance at a local financial institution. He writes in his personal capacity. Elgin can be reached on [email protected]
