United States: The Link Between Risk Management And Compliance

Risk management professionals constantly preach that risk management is not compliance.  Risk managers help set strategy.  After their colleagues ask "what can we do to make money and how?," risk managers then ask "what risks will we be taking, how can we manage them and is it worth it?"  This is very different from traditional compliance, the discipline of ensuring an organization is acting according to a set of predetermined rules.

At the same time, compliance is clearly an essential element of doing business.  In an age of "bubbles" and regulations that are continuously augmented in an attempt to make people "do the right thing," companies are in jeopardy if they do not have an effective internal compliance function.

Despite the desire of risk management professionals to distance themselves from the "C" word, they remain inextricably linked.  It is critical for all organizations, big and small, for- and non-profit, across industries, to understand the distinct disciplines and the relationship between the two.

Regulated Risk Thinking.  Risk management has come a long way.  Prior to the 1980's, it was associated predominantly with the use of market insurance to protect companies from various accident-related losses.  Then, with a new focus on the international regulation of risk, the financial industry began to develop internal risk management functions.  However, it is only during the last several years that the discipline has become more directly regulated.  In the wake of various scandals and bankruptcies resulting from poor risk management, the Sarbanes–Oxley Act of 2002 and the stock exchanges stipulated governance rules in order to require risk thinking in the boardroom and C-suite.  Finally, the 2010 Dodd–Frank Wall Street Reform and Consumer Protection Act, which addresses, among other things, risk management oversight concerns from a macro perspective (the financial system) and a micro perspective (within companies), was a response to the failed application and enforcement of risk management processes and procedures.

This transformation from a good business practice to a legal requirement has blurred the lines between risk management and compliance.  When the failure to take a thoughtful approach to managing risk is illegal, don't we have a compliance issue?  Yes and No.  When the board and C-suite entertain moving in a new strategic direction, it is the function of risk management to assemble relevant information regarding the risks of that new direction and provide that information to the company's leadership in a way that aids them in making their final determination.  At the same time, applicable laws and regulations (depending on the industry in which the organization belongs, whether public or private, etc.) may require that risk information be collected, processed and provided in a certain way or that the process be disclosed to a government agency or the public.  Those requirements may help shape the risk management process, but the organization's business and culture drive it.

The Risk of Non-Compliance.  In essence, non‑compliance is a type of risk.  Like other significant risks, it can result in a multitude of bad outcomes for an organization (e.g., loss of brand reputation, fines and penalties, business disruption).  However, entities often confuse having robust compliance functions with having a developed risk management program.  As one of many risks, compliance risk is part of the larger slate of operational, strategic, financial and market risks.

To further complicate matters, compliance efforts often fail because leaders do not anticipate future risk.  For instance, a company may expand into a foreign market without properly assessing the risks associated with that expansion, including the difficulty of operating within a culture in which bribery is pervasive.  Because proper risk thinking drives strategy, including the allocation of resources, the company also would likely fail to add an appropriate anti-bribery component to its compliance function. 

The recent compliance issues that have plagued JP Morgan are another good example.  A large portion of the mega-bank's rap sheet relate to activities outside traditional commercial banking.  And now, JP Morgan plans to spend an additional $4 billion on and commit an extra 5,000 employees to the compliance function.  Perhaps those functions would have been augmented appropriately after the bank entered into non-traditional banking businesses (like student-loan origination and the physical commodities sales and trading business) if they had identified the compliance risks of entering into those spaces and established the proper compliance infrastructure to mitigate those risks.

Another source of confusion lies in the norms established by various governmental agencies, including the DOJ's Federal Sentencing Guidelines, that require companies to have "effective compliance and ethics programs."  These are a coordinated and comprehensive set of policies, procedures, roles and responsibilities structured to prevent and detect misconduct and promote an organizational culture that encourages ethical conduct and commitment to compliance with the law.  Although the ultimate goal of effective risk management (which is to identify and prioritize risks and then to deploy resources accordingly) is distinct from that of an effective compliance and ethics program, they often are confused because both require (1) discussion with leadership about interrelated topics, (2) inventory of business activities and their supporting mechanisms within the organization, and (3) monitoring of overlapping metrics.  While an organization's risk management initiatives may overlap significantly with the implementation of its compliance plans, the former is a strategic focus while the later serves a more operational purpose.

Separate, But Together.  There are two key takeaways that should play over and over again in the minds of organizational leadership:

(1)    Risk management and compliance are separate disciplines and should be implemented accordingly.  RIMS defines enterprise risk management as "a strategic business discipline that supports the achievement of an organization's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio."  In order for business propositions to succeed, strategic planning must be imbued with methodical risk thinking.  Joseph E. Murphy writes in A Compliance & Ethics Program on a Dollar a Day that compliance is really about "a management commitment to do the right thing, and effective management steps to make that happen[;] about making sure that all those who work for the company know what to do, and believe that the company is serious about acting legally and ethically."  In other words, compliance is an enterprise-wide commitment to acting within pre-determined norms that enable the organization to act legally and ethically. Whether the same or different individuals are owners of the risk and compliance functions at an organization, these different purposes must be kept in mind when folding both concepts into an organization's infrastructure.

(2)    Risk management and compliance are interrelated and must also be considered together.  While risk management and compliance are often appropriately handled by two separate groups within an organization, the pitfall is that this separation can lead to a fragmented approach whereby compliance risk is isolated from other enterprise risks.  Risk professionals must understand the risk of non-compliance equally as well as other organizational risks in order to properly shape enterprise strategy.  Similarly, compliance professionals must understand risk appetite (the amount of risk the organization is willing to accept to meet its business goals) in order to make the appropriate decisions vis-a-vis the compliance function.