At first glance, corporate compliance and risk management might seem like the same thing: sets of policies, procedures, and controls that help your enterprise avoid unwanted events.
That’s not quite right. Corporate compliance and risk management do have lots of similarities, but they’re decidedly not the same thing.
Indeed, as more and more organizations embrace the idea of enterprise risk management, (and for good reason, which we’ll address shortly) corporate compliance professionals should take a moment to understand the difference between compliance and risk management. Otherwise, you could hope to implement both at your organization, but end up neither program running as efficiently as it could.
So today, let’s explore those differences and how compliance and risk management can be structured so they support each other rather than operate in silos.
What do we mean by compliance?
Corporate compliance is the program an organization implements to assure that its employees and third parties obey all relevant laws, regulations, and other obligations the business might have.
At least, that’s the formal definition. More plainly, we could say corporate compliance is about helping your organization to avoid trouble with the law. You implement a Code of Conduct, policies, procedures, and other internal controls to steer your workforce to certain standards of behavior. The objective is to assure that the company’s conduct remains in compliance with the law.
A company can structure its compliance program in whatever way makes sense, given that company’s particular circumstances. For example, some businesses might decide to spend lots of time and money on training; others might spend their resources on strict policies and internal controls to enforce those policies. Neither of those approaches is better or worse than the other, so long as what the company chooses to do actually works.
The important point here is that just about all large companies need some sort of compliance program. Compliance with the law is mandatory, and you need to achieve that compliance somehow. So if you put a logical structure to your compliance efforts — like, say, the structure recommended by the Justice Department in its guidance on effective compliance programs — you’ll have an easier path to achieving your objective of complying with the law.
What do we mean by risk management?
Risk management is the program an organization implements to help it identify and avoid unwanted risks. That’s it.
As you can see, risk management is broader than corporate compliance. It can encompass an enormous range of risks, and many of them will have nothing to do with violating laws or regulations.
For example, all businesses want to avoid the risk of hackers penetrating their IT systems and stealing valuable intellectual property, or the risk of a crucial distribution center going off-line due to a climate disaster — but those are business imperatives rather than legal ones. Failing at either one might leave many people unhappy, and they may even sue you in court; but law enforcement won’t charge you with a crime. Good risk management isn’t mandatory under the law.
Moreover, risk management programs can take just about any form you’d like. Unlike corporate compliance programs, you don’t need to hew closely to guidance issued by regulators such as the Justice Department. Best practices for risk management do exist, but corporations have much more discretion to adopt whatever risk management practices they want.
How are compliance and risk management similar?
Despite those differences, compliance and risk management do have a lot in common. For example:
- Both functions rely on the same basic tools: risk assessments, policies and procedures, internal controls, testing, documentation, and reporting.
- Both functions exist in the Second Line of Defense, helping senior management to guide operating business units in the First Line of Defense to achieve the company’s objectives.
- Both functions want the same “ideal state” of operating, where they rely foremost on automated, preventive controls to keep the organization from experiencing unwanted events such as a bribery scandal, a privacy breach, or a liquidity crisis.
In fact, some voices in the compliance and risk management fields argue that compliance is a subset of risk management: it exists to manage compliance risks specifically, which is just one part of a much larger whole. According to this line of thinking, companies develop their corporate compliance function first because it’s a necessity; then they develop a risk management function later, as a next step in evolution, to navigate today’s complex business environment.
Given that substantial overlap between the two, then comes the next logical question.
Can compliance and risk management be integrated?
This idea is more complicated than it seems. The best answer is that some elements of compliance and risk management can be combined, but others probably should remain separate. Moreover, in some highly regulated industries such as banking, compliance and risk management can’t be integrated; regulators want the two to be kept separate.
Where could compliance and risk management functions combine their efforts? Consider the following:
- Risk assessments. Rather than each function conducting its own risk assessment, the two functions could conduct a single enterprise risk assessment that includes compliance risks along with other risks. (If your business has an internal audit function, consider whether that group could help, since enterprise risk assessments are a core duty of internal audit.)
- Third party oversight. Compliance and risk management both want to assure that third parties aren’t causing trouble for your organization, and typically you do that with questionnaires and other due diligence techniques. You could consolidate all your third-party risk concerns (anti-corruption, cybersecurity, human trafficking, supply chain, fair labor, and more) into one comprehensive due diligence exercise,
- Internal controls. Some internal controls might be able to serve multiple purposes, reducing both compliance risk and other enterprise risks. Compliance and risk management teams could collaborate on reviews and remediation of internal controls, to be sure you aren’t over-burdening employees and third parties with duplicative controls.
Where does technology fit into all this?
Savvy use of technology is crucial to success for both compliance and risk management. Far too many compliance and risk professionals still use standard desktop software such as spreadsheets, Word documents, and email to do their jobs — and increasingly, those tools aren’t up to the task.
The wiser course of action is to invest in GRC technology that can keep pace with the challenges of modern compliance and risk management. Chores such as due diligence, policies and procedures, testing of controls, and documentation can all be managed much more effectively with a single, automated, comprehensive tech platform.
Then compliance and risk officers can give the C-suite and boards what they really want: an informed, accurate report on the company’s risks.
The question for compliance and risk officers is how to plan their GRC technology strategy wisely, to achieve that end. You want a platform that can serve both functions as efficiently as possible.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week. from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.