Integrating Compliance and Risk Management Strategies for Organizational Resilience
Compliance is increasingly positioned as a strategic partner within organizations, particularly in its pivotal relationship with business risk management. This relationship helps uphold organisational integrity, sustainability and effective governance as global regulatory compliance frameworks continue to evolve and raise expectations.
Integrating a robust risk management strategy with a well-designed compliance program results in effective processes and controls that support companies in achieving their objectives. This article offers compliance and risk management professionals first-hand insight on why this integration is important and how it can be achieved.
The case for integrated compliance and risk strategies
As the growing preference for Enterprise Risk Management (ERM) leads companies towards a more holistic approach to risk mitigation, compliance-related risks naturally fall within scope. COSO and ISO 30001 contain guidance on what a holistic approach would look like. When compliance and risk management act in silos, the success and sustainability of the business can be compromised.
- Having different methods for evaluating and identifying risks can lead to insufficient or inadequate information reaching decision-makers.
- A company’s risk appetite is a required element in an ERM framework, and the process of defining it is usually driven by risk managers. However, compliance has a key role in advising on the impact and probability of key regulatory and operational risks.
- Translating risk mitigation strategies into the right behaviours on the ground will call for the deployment of an effective compliance program and internal control system. While ERM involves prioritizing objectives, risks and managerial responses, internal control focuses on the specific processes facilitating that risk management. Both are vital to identifying, evaluating and mitigating potential threats.
- Failure to align risk management and compliance may also lead to inadequate books and records, which are a legal requirement in some jurisdictions.
Risk assessments are key
Enforcement authorities around the world routinely reference the need for risk to be considered as part of an organisation’s compliance program to maintain organisational integrity, sustainability, and effective governance. Risk assessment methodology can be systematic (evaluating the risk objectively based on quantitative data) or judgemental (relying on subject matter expertise, experience and qualitative assessments).
It is important to integrate both within a comprehensive risk management framework, ensuring a balanced and holistic assessment of compliance risks to inform effective risk mitigation strategies.
Case studies mentioned in this chapter
- Goldman Sachs
- Deutsche Bank
- SAP SE
- Airbus SE
- ABB Ltd
- Rio Tinto plc
- Collin Street Bakery
The full chapter featured in the Dutch magazine Compliance, Ethics and Sustainability can be found here.