EFFECTIVE INTEGRATION OF RISK AND COMPLIANCE PROGRAMS
Chris Guest
Risk Management Leader on the NEOM SINDALAH ISLAND Giga Project | Compliance and Tax Leader | Risk Advisor | FIFA World Cup 2022 PMO Risk and Compliance Consultant
Integrating the key principles of risk and compliance management is key to ensuring a seamless governance, risk and compliance framework.
The organizational structure and reporting lines of the risk and compliance functions invariably differ from company to company. In some instances both the risk and the compliance program are well established, but "never the twain shall meet"!
Nevertheless, whatever structural arrangements are in place, the principles and programs can usually be integrated very well through effective intra-organizational collaboration.
Controls derive their identity solely from the risks which they help to mitigate; if a control is not mitigating an identified risk, get rid of it: it serves no functional purpose! (Before retiring it, confirm that the gap is really a redundant control and not a risk that is missing from the register.)
A comprehensive and well-structured risk register should record the current controls related to both the causes and the consequences of each identified risk scenario. Equally important, the effectiveness of the controls in place should be evaluated by the risk assessment team when establishing the risk rating, i.e. the residual risk remaining after taking into account the effect of the control under consideration.
The effectiveness of a control can be established by evaluating the following:
1. Design: does the control design serve the purpose for which it is intended?
   - Is the control fit for corporate purpose?
   - Are we aligned with industry best practice?
2. Compliance: how well has compliance with the control been demonstrated?
   - Is it the subject of audit findings?
   - Do our internal reviews indicate less than full compliance?
The outcome of points 1 and 2 provides a "health check" on the overall effectiveness of the control and may be rated on a high/medium/low basis. This is the critical link between risk and controls: anything less than a highly effective control should, at a minimum, raise the question of whether a treatment action is required.
Actions arising will depend on a number of factors:
- Does the residual risk rating call for a "mitigate" risk treatment?
- Cost-benefit analysis: is the risk already mitigated to a level as low as reasonably practicable (ALARP), or is a further reduction in consequence and/or likelihood possible at a justifiable cost?
The final decision and commitment on actions will always be the call of the assigned risk owner.
Actions, once agreed, should be fully recorded on the register together with plans and associated timelines for completion. Questions for consideration on agreed actions include:
- Is it a one-time action, or is the action recurrent?
- Will the action require a policy or procedural revision?
- Is an additional or enhanced control (or controls) required?
Whatever the actions committed, they should be recorded in sufficient detail, either on the register itself or in a separate action database with clear linkage back to the originating risk treatment. Rigorous and regular monitoring of the actions, with any deviation from committed targets accounted for, is required to ensure that the risk treatment plan is actually executed.
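To make the linkage concrete, here is a toy risk register in the shape the article describes: controls are rated on the two design questions and the two compliance questions, the health check rolls those up to high/medium/low, the residual rating is derived from the best control on the cause side and the consequence side, a treatment decision follows from the residual band, and every action must link back to a risk on the register. This is an added example written for this page, not the author's tooling; the 1-5 scales, the number of points an effective control removes, the 95% compliance bar and the red/amber/green thresholds are assumptions chosen for illustration, and the sample data is constructed.

```python
# Added example: a toy risk register in the shape the article describes.
# Scales, reduction amounts, the 95% compliance bar and the RAG bands are assumptions.
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Rating(Enum):
    HIGH = 2     # value doubles as the points removed from a 1-5 scale (assumed)
    MEDIUM = 1
    LOW = 0


@dataclass
class Control:
    control_id: str
    side: str                          # "cause" reduces likelihood, "consequence" reduces impact
    fit_for_purpose: bool              # design check 1
    aligned_with_practice: bool        # design check 2
    open_audit_findings: int           # compliance check 1
    internal_review_compliance: float  # compliance check 2, fraction 0.0-1.0

    def effectiveness(self) -> Rating:
        """Health check: design and compliance both good -> HIGH, one -> MEDIUM, neither -> LOW."""
        design_ok = self.fit_for_purpose and self.aligned_with_practice
        compliance_ok = self.open_audit_findings == 0 and self.internal_review_compliance >= 0.95
        return Rating(int(design_ok) + int(compliance_ok))


@dataclass
class Risk:
    risk_id: str
    owner: str                 # the risk owner makes the final call on actions
    inherent_likelihood: int   # 1-5
    inherent_impact: int       # 1-5
    control_ids: list = field(default_factory=list)


@dataclass
class Action:
    action_id: str
    risk_id: str               # linkage back to the originating risk treatment
    description: str
    due: date
    recurrent: bool = False    # one-time vs recurrent
    status: str = "open"


@dataclass
class Register:
    controls: dict = field(default_factory=dict)
    risks: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)

    def residual(self, risk_id: str) -> tuple:
        """Residual (likelihood, impact): the best control on each side is credited, floor 1."""
        risk = self.risks[risk_id]
        best = {"cause": 0, "consequence": 0}
        for cid in risk.control_ids:
            c = self.controls[cid]
            best[c.side] = max(best[c.side], c.effectiveness().value)
        return (max(1, risk.inherent_likelihood - best["cause"]),
                max(1, risk.inherent_impact - best["consequence"]))

    def band(self, risk_id: str) -> str:
        likelihood, impact = self.residual(risk_id)
        score = likelihood * impact
        return "red" if score >= 15 else "amber" if score >= 8 else "green"

    def treatment(self, risk_id: str) -> str:
        """Red -> mitigate now; otherwise any control below HIGH at least raises the question."""
        if self.band(risk_id) == "red":
            return "mitigate"
        weak = [c for c in self.risks[risk_id].control_ids
                if self.controls[c].effectiveness() is not Rating.HIGH]
        return "review" if weak else "accept"

    def orphan_controls(self) -> list:
        """Controls mitigating no registered risk: retire them, or find the risk they belong to."""
        linked = {c for r in self.risks.values() for c in r.control_ids}
        return sorted(set(self.controls) - linked)

    def record_action(self, action: Action) -> None:
        if action.risk_id not in self.risks:   # every action must link back to a risk treatment
            raise ValueError(f"{action.action_id} has no originating risk on the register")
        self.actions.append(action)

    def overdue(self, today: date) -> list:
        """Open actions past their committed date: the deviations monitoring must account for."""
        return [a.action_id for a in self.actions if a.status == "open" and a.due < today]


def build_sample_register() -> Register:
    """Constructed sample data, not taken from any real register."""
    reg = Register()
    for c in [Control("C1", "cause", True, True, 2, 0.80),          # change approval board: MEDIUM
              Control("C2", "consequence", True, True, 0, 0.98),    # tested rollback: HIGH
              Control("C3", "cause", True, True, 0, 1.00),          # admin MFA: HIGH
              Control("C4", "cause", False, False, 1, 0.50)]:       # legacy step, linked to nothing
        reg.controls[c.control_id] = c
    for r in [Risk("R1", "Head of Ops", 4, 5, ["C1", "C2"]),       # unauthorised prod change
              Risk("R2", "CISO", 2, 3, ["C3"]),                     # admin credential theft
              Risk("R3", "Head of Ops", 5, 5, ["C1"])]:             # untested vendor patch
        reg.risks[r.risk_id] = r
    reg.record_action(Action("A1", "R3", "Stage vendor patches in pre-prod first",
                             date(2024, 3, 31), recurrent=True))
    return reg
```

With the sample data, R1 drops from an inherent 4x5 to a residual 3x3 (amber) but its change-approval control is only medium, so the treatment is "review" rather than "accept"; R3 stays red on the same control and gets "mitigate"; C4 surfaces as an orphan control that either goes or gets a risk; and `overdue()` gives the monitoring step something to report on.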
Columnist & Featured Contributor at BIZCATALYST 360
Very interesting topic Chris Guest. With our age of uncertainty and volatility, dealing with emergent risk, including small risks that may produce big effects in the future, is a big task by itself. I like the way you integrate the findings of risk and compliance.
Risk Management Leader on the NEOM SINDALAH ISLAND Giga Project | Compliance and Tax Leader | Risk Advisor | FIFA World Cup 2022 PMO Risk and Compliance Consultant
Thanks Tim. Fully in agreement that the battle is in embedding the principles in org. culture. Structured self-assessment compliance programs have proven to deliver a lot of assurance value with the added benefit of early-identifying issues ahead of formal audit processes. Risk appetite, or the amount of risk which an org. is willing to retain, is always specific to circumstances. The concept of ALARP (as low as reasonably possible) is useful in designing the specific approach - e.g. red risks will be immediately subject to further mitigation actions; yellow and green will be addressed only if not already at ALARP - ultimately risk owners should weigh the costs of further reducing risk level against the benefits to be derived within the parameters established. The compliance program will have higher focus on controls associated with red risks; my personal opinion is that even controls linked to green risks should be tested to some degree to ensure that they are robust enough over time to keep the risk green!
Joint Venture Auditor, CA, MBA (Oil & Gas), CA Risk Specialist
Enjoyed the article Chris. Totally agree with your premise as to the strategic importance of effectively integrating Risk + Compliance principles into an organisation. Being principle-based of course, it could be argued that corporate benefit will only be maximised when such principles are embedded in the corporate culture, i.e. become 'behavioural' based and a core part of 'business as usual'. Like yourself I believe the formula for success is as simple as Risk + Compliance + Continual Assessment. The importance of the latter cannot be understated. It is no point complying with a control if the control does not work or actualise the expected outcome. Implement then Test. One area (unfortunately) that I have not seen anyone do well, and would really appreciate your thoughts and experiences on Chris, is defining an acceptable 'appetite for risk' and the interaction of tolerance levels on risk and compliance processes?