Compliance risk management, a subset of compliance management, involves identifying, assessing, and monitoring the risks to your enterprise’s compliance with regulations and industry standards, putting internal controls in place to keep you compliant, and monitoring those controls on an ongoing basis to confirm that they remain effective.

A compliance risk management program notes the material losses and exposures to your organization that non-compliance could cause, including legal penalties, fines, business loss, and reputational loss.

Compliance Risk Management: Three Tiers

Regulatory compliance is the top concern at many enterprises. Non-compliance with regulatory obligations can bring significant monetary penalties, painfully high investigation costs, and, in the most egregious cases, even jail time for executives involved in any wrongdoing.

The most stringent regulations tend to affect the financial services sector.

Financial institutions, for instance, face a complex regulatory environment. They must comply with regulations set by the Federal Deposit Insurance Corp. (FDIC), the Office of the Comptroller of the Currency (OCC), and a number of other regulatory agencies. Financial firms also labor under numerous laws such as the Bank Secrecy Act (BSA), the Investment Company Act, and the Sarbanes-Oxley Act (SOX).

The healthcare sector has its own heavy regulatory burden, including laws such as the Health Insurance Portability and Accountability Act (HIPAA), which governs the handling of sensitive patient information. 

Industry standards such as those set forth by the International Organization for Standardization (ISO) are the next tier of compliance risk. These standards are sets of best practices rather than laws, but compliance isn’t necessarily voluntary. Industry groups might declare that member firms should certify to certain standards (ISO-approved or otherwise).

Failure to certify compliance with those standards might result in loss of business or even of the ability to operate. Retailers that fail to comply with the Payment Card Industry Data Security Standard (PCI DSS), for example, can suffer fines and lose their ability to process payment card transactions.

Internal policies are the third tier of compliance risk. Regulations and standards often require firms to draft written documents that govern corporate activities (say, a policy against bribery). If workforce members, however, don’t follow those written policies, the organization isn’t meeting its compliance obligations.

Establishing a Compliance Risk Management Program

As part of an effective compliance risk management program, many companies designate an employee, usually someone in senior management, to create a compliance program.

Called compliance officers or managers, these employees perform compliance risk assessments to review applicable laws and standards. That assessment also considers the potential financial and reputational losses arising from noncompliance. Next, they analyze the likelihood and impact of each risk, determine the organization’s risk tolerance, and develop risk mitigation strategies.

Compliance officers also manage any internal audit documentation that might be necessary. Most regulations and standards require some sort of external assessment or audit to provide assurance that the organization is in compliance. The compliance officer gathers that documentation to prove not only that the company has established the needed controls, but also that those controls (including written policies) work and that employees follow them.

Compliance Automation and Frameworks

To help with the task of managing compliance and compliance risk, compliance officers and risk managers often use governance, risk, and compliance (GRC) software. Solutions such as ZenGRC can help with every step of the compliance and risk management process, including adopting a compliance framework such as ISO or COSO.

Worry-free compliance is the Zen way. Contact us today for your free consultation.