I often see the fields of risk and compliance confused and intermingled, but they are two different disciplines. I’ve observed assumptions that risk management is just a compliance obligation itself, or that it is only about managing compliance obligations. To unravel these assumptions, let’s break down:
- Risk and compliance definitions
- How risk and compliance get confused
- Using the crutch
- Disentangling the two concepts
- But what about the regulators?
Risk and compliance definitions
Let’s start with a few key definitions to help us unravel the difference.
Taking the definition of risk from ISO 31000:2018 Risk Management Guidelines, and the definitions of compliance and compliance obligations from ISO 37301:2021 Compliance management systems, gives us three relevant definitions:
- Risk is the effect of uncertainty on objectives
- Compliance means meeting all an organization’s compliance obligations
- Compliance obligations are the requirements that an organization mandatorily must comply with as well as those that an organization voluntarily chooses to comply with
You might see some obvious distinctions already, but let’s go deeper.
How risk and compliance get confused
We expect organizations to have a business objective such as ‘comply with our obligations’, but this sits alongside many other business objectives. This might include objectives related to increasing shareholder value, market sector growth, product innovation, employee satisfaction, and many others.
Compliance risk – the potential failure to meet compliance obligations – is just one of many types of risks that organizations face in pursuit of those objectives.
I believe what has caused risk management some branding problems, and contributes to the confusion, is that demonstrating risk management in certain types of organizations (particularly financial services institutions) is a compliance obligation itself. This may have led to risk frameworks and other artifacts, but more particularly to mindsets, that get in the way and exacerbate the perception that risk management is a compliance task rather than something that adds value.
Using the crutch
In my time in the field of risk I’ve heard of (and sometimes observed directly) risk professionals who, when faced with a lack of engagement with their risk management processes, opt for responses like “Well, you have to do these risk management activities to be compliant” to encourage people to participate in the process.
I think those that follow this approach are doing themselves – and the wider risk community – a disservice. It doesn’t get you buy-in for risk management; it gets you buy-in for a compliance activity.
Here is a potentially confronting question for those who have some form of regulatory obligation to do risk management: If regulators no longer expected you to demonstrate risk management (in whatever form), would the risk team be stripped of its resources or cease to exist?
If the answer is likely to be yes, then it’s time to reconsider the way things are done.
Disentangling the two concepts
Going back to ISO 31000, it defines risk management as: “coordinated activities to direct and control an organization with regard to risk”.
When you combine this with the definition of risk (“effect of uncertainty on objectives”), it becomes: the activities we undertake to manage uncertainty and increase the likelihood of achieving our objectives.
How certain are you and your stakeholders that your organization will achieve its defined objectives? And more importantly, how do your risk management processes help your organization reduce uncertainty and increase the likelihood that objectives and targeted performance will be achieved?
You can be perfectly compliant with your obligations while not achieving any of your objectives or effectively managing risks.
But what about the regulators?
But what about regulators who do expect you to demonstrate risk management? Ultimately regulators want to see that you are effectively managing risks (particularly those that can impact consumers) – not that you are just ‘doing risk management’.
With that in mind, you should design risk management processes first and foremost to help the organization achieve its objectives. Then, if needed, tailor them to the needs of the regulator.
Compliance might have been your organization’s driver for implementing a formal risk management program – but don’t let it be a crutch to risk management activities that deliver value in their own right.
Next steps for your organization
At the core of Enterprise Risk Management is understanding that all risk is the same under the ISO 31000 definition: the effect of uncertainty on objectives. We should view, analyze, and manage all risks in a consistent way while recognizing any nuances for specific risk types. Download our free Enterprise Risk Management eBook to get a comprehensive view of how you manage risk effectively in a way that allows your organization to meet its business objectives.