Compliance and Risk Management: Interrelated, but Not the Same
Global regulation is increasing, and this is forcing boards of directors to take an active role in all matters of the company's business, especially compliance with the law and industry regulations. Large swings in the economic climate during the past couple of decades have also raised the expectations of stakeholders, who want to invest in companies with a strong reputation for regulatory compliance.
Increased compliance regulations and stakeholder pressure have motivated board directors to work diligently toward a reciprocal relationship with their managers and risk management teams.
What Is Compliance Risk?
Compliance risk is also known as integrity risk. Business and financial regulations are continually evolving, especially since the economic decline that started in 2008. Compliance regulations standardize business practices so that corporations act in a fair and ethical manner.
Companies that fail to comply with industry codes of conduct, internal policies, best practices, and laws and regulations expose themselves to financial loss, material loss, fines and voided contracts. Beyond the direct economic loss, they also stand to lose future business opportunities and their good standing and reputation.
The most notable securities legislation since the Securities and Exchange Commission was formed in 1934 is the Sarbanes-Oxley Act of 2002.
The Impact of the Sarbanes-Oxley Act
The Sarbanes-Oxley Act grew from the public fraud scandals of Enron and WorldCom, where fraudulent accounting hid losses and liabilities from investors and boards of directors. The Sarbanes-Oxley Act, commonly known as the SOX Act, requires public companies to have their internal controls over financial reporting assessed by management and attested by an independent auditor. The goal of the SOX Act is to make companies transparent and prevent accounting fraud.
Corporations, particularly small companies, bemoaned the SOX Act because of the high cost of documenting, testing and auditing their internal controls. On the flip side, markets appreciate having information that helps them assess companies more effectively, which makes successful companies more attractive to invest in.
The Financial Executives Research Foundation surveyed large company CFOs and found that 83% of the executives surveyed thought that SOX increased investor confidence in their company, and 33% believed that SOX reduced accounting fraud.
In effect, Congress took what should have been mainstream best accounting practices and made them law.
Compliance vs. Risk Management
Most boards of directors are keenly aware that they need to oversee compliance with regulations to protect the company from risk. With the board of directors covering the bases of compliance oversight, you may be wondering if there is any work left for risk managers to do.
It’s true that risk managers need to be aware of compliance risks, but the bulk of their role needs to focus on risks as they pertain to strategic planning. This is where strong and clear communication between the board of directors and the risk managers is vital.
One of the primary duties of the board is strategic planning, which is a continual process. As the board explores new avenues for the company to increase its market share, new risks are bound to accompany those new opportunities.
The risk management team needs to work in tandem with the board of directors as they discuss strategic plans. Risk managers have the task of asking and evaluating the hard questions about who, what, where, how and why new planning strategies pose new risks to the company. Their findings form a new basis for discussion for management and the board of directors from the perspective of whether certain new directions are worth pursuing.
Compliance Risk Management Impacts Strategic Planning
When managers, risk managers and board directors make a final decision that new directions are worth pursuing, risk managers have the task of making solid plans to manage associated risks.
The risk managers have another role as well. When new ventures are on the board of directors' horizon, board members may overlook the connection to existing laws and regulations. The company may require the risk management team to collect and process information about new risks as they pertain to current compliance obligations. The risk management team may also have to determine whether any part of the information they collected must be disclosed to government agencies or the public in order to comply with regulations.
Boards of directors need to be aware that compliance regulations set the parameters for risk management teams. The board’s input plays a fundamental role in strategic planning with regard to current and future risks.
Strategic Ways to Evaluate Compliance and Risk Management
A Wall Street Journal article called “Compliance Risks: What You Don’t Contain Can Hurt You” suggests that companies outline a framework and methodology to assess current and new risks.
The framework depicts the organization’s risk exposures and categorizes them into risk domains. Board directors, executives and managers can then use objective and subjective methods for assessing risks. The board directors and managers should pay particular attention to the following areas:
- Legal impact
- Financial impact
- Business impact
- Reputational impact
Risk managers and the board of directors also need to evaluate inherent risk and residual risk separately. Inherent risk is the level of risk that exists before any controls or mitigations are applied. Residual risk is the risk that remains after the company has identified a risk and put controls in place to manage it. The gap between the two is a measure of how effective those controls actually are, so a residual risk that sits close to the inherent risk signals a control that is not doing its job.
Board Responsibility Toward Compliance and Risk Management
Boards of directors accept liability for strategic planning and the duties that management carries out. Directors need to give regulatory matters priority when evaluating board reports. They need to understand the difference between compliance and risk management and be aware of how their role impacts each area.
As part of this process, board directors need to learn how to read risk management reports and ask questions so that the data has purpose and meaning. Each director should evaluate reports carefully and ask probing questions of managers and risk managers as they evaluate financial and other reports when making strategic plans.
Clear and constant communication between board directors and risk managers is essential to limiting the impact of all forms of risk.