Compliance can be treated as a form of risk management. In the case of compliance, most of the risk being managed arises from laws and regulations rather than from customer behavior or market forces. Even so, compliance risk shares many core features with the other forces that create risk for an organization. Major risk sources include technology, economic forces in the market, rapid growth of the organization and its products, product complexity and staff turnover.
Risk management has become a widely used tool for organizations. Many bank auditors now regard risk assessment as a necessary audit tool, and risk-based bank examinations are becoming more common. This trend toward risk management and risk assessment is a natural fit for compliance.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) classifies risk into several categories:
Internal and external factors
Risks related to change
Although these categories are generic and broad, sorting risks into them is useful when determining what the risks are, how large they are and how they can be managed.
External factors are a major source of risk that the organization cannot control but can observe and, to some extent, predict. A prudent risk manager will be prepared for them and will have a response strategy ready.
Internal factors are a risk source over which the organization has some control. The compliance manager should use his or her knowledge of the organization to identify the internal risk factors and then take the precautions needed to minimize them. Although the organization does have some control over internal risk elements, reducing them will come at the expense of business opportunities.
Risks related to change combine factors, some within and some beyond the organization's control. Changes the organization initiates, such as developing a new product, are under some degree of its control and should trigger a fresh analysis of compliance risk. Changes in the economy, in legislation or in the organization's market are outside its control; the organization can only respond to them.
COSO has compiled a list of such changes. These factors are well worth studying in order to determine how compliance is affected. The factors included in COSO's list are:
Compliance managers should be familiar with these risks, since they will be used to outline the compliance program. Elements such as the quantity of risk should determine organizational priorities. Like the OCC approach, COSO asks whether the relevant controls are reliable. The goal is not perfection; the goal is the ability to identify, minimize and prevent problems. An organization at risk is one whose controls are not reliable.
A compliance management program built on risk management can be an effective communication tool. Managers who tune out the term "compliance" may still respond to the term "risk". Given this, an organization needs to design an approach that lets management understand the risk elements while keeping the focus on compliance priorities.