What Is Compliance Risk?
Compliance risk is the threat posed to a company’s earnings or capital as a result of violation or nonconformance with laws, regulations, or prescribed practices. Companies that fail to comply with the necessary standards may be subjected to fines, payment of damages, and voided contracts. This, in turn, can lead to diminished reputation and limited business opportunities as the company finds its franchises reduced in value and its potential for expansion curtailed. In extreme cases, the company may find it is no longer capable of enforcing its contracts.
Until fairly recently, compliance was seen as a separate business practice, alongside governance and risk management. However, over the past decade, these three disciplines have developed a considerable number of overlapping activities, such as internal audits, incident management, operational risk assessment, and compliance with regulatory programs such as the Sarbanes-Oxley Act (SOX). Today, many companies take an integrated approach to these three areas, referring to them collectively as Governance, Risk Management and Compliance (GRC).
- Governance refers to the responsibility of the company’s executives for maintaining organizational transparency and taking steps to reduce compliance risk by ensuring that established policies and procedures are followed. Proper governance strategy also includes corrective action for those cases where rules have been overlooked, ignored, or simply misunderstood.
- Risk management is the process by which a company sets its risk tolerance. Risk management identifies potential problems and determines the company’s tolerance for dealing with these issues, should they arise. It is up to risk management to decide if the cost of compliance would exceed the risk posed by noncompliance.
- Compliance is the process that actually records and monitors the daily business activities to make sure that the company is complying with the law, industry mandates, and internal policies.
The GRC paradigm is a hierarchy of sorts. Compliance by itself is irrelevant, and impossible to achieve, without the identification and mitigation of risk that risk management provides. By the same token, both compliance and risk management are useless without the framework and mechanisms established by governance.
Interest in the GRC system (and in compliance risk in general) was originally driven by SOX, but the scope has since expanded. For many companies, compliance risk is no longer simply about obeying the law and staying out of trouble. It has become a vital tool for improving operational decision making and strategic planning.