Compliance risk is exposure to legal penalties, financial forfeiture and material loss an organization faces when it fails to act in accordance with industry laws and regulations, internal policies or prescribed best practices.
Many compliance regulations are enacted to ensure that organizations operate fairly and ethically. For that reason, compliance risk is also sometimes known as integrity risk.
Compliance risk management is part of the collective governance, risk management and compliance (GRC) discipline. The three fields frequently overlap in the areas of incident management, internal auditing, operational risk assessment, and compliance with regulations such as the Sarbanes-Oxley Act. Penalties for compliance violations include payments for damages, fines and voided contracts, which can lead to the organization’s loss of reputation and business opportunities, as well as the devaluation of its franchises.
Compliance risk assessment is the process of managing corporate compliance to meet regulations within a workable timeframe and budget. Not every regulated company manages this particularly well, and some even consider noncompliance fines as a normal cost of doing business. Their philosophy is that the fines are far cheaper than deploying and maintaining a compliance process.
This thinking is not limited to smaller and less sophisticated companies. Even very large companies may be aware of noncompliant activities, but if those activities are making a great deal of money, then the organization may decide to look the other way. Wells Fargo is the poster child for this type of thinking.
However, as Wells Fargo found out, this approach is high risk. Regulators such as US attorneys are becoming more aggressive, both by shortening compliance investigation timelines and by imposing higher fines. In addition, noncompliance can be embarrassingly public, which leads to civil lawsuits, investor exodus and the erosion of reputation.
Managing compliance risk means having a workable plan, procedures, and technology to oversee compliance efforts. Taking the following four categories, let’s look at managing risk by company sophistication and compliance level.
- Little to no compliance risk management: If necessary, build the business case around the high risk of noncompliance. Form a compliance team to identify compliance needs and requirements, assess the existing compliance program, build a phased budget for objectives, and assign resources to reach the objectives.
- Aging compliance process and technology: Assess compliance and objectives, and invest in new technology. You may want to invest in one product for the entire corporation or point products for a few well-defined hot spots. Choices range from unified GRC frameworks to compliance point products such as financial reporting for SOX, compliant cloud storage for HIPAA, outgoing email checking, or auditing software.
- Active compliance program but millions of documents to review: Some compliance investigations require organizations to analyze and review millions of documents within a few weeks. Start now to research eDiscovery machine learning and automated compliance workflows. These platforms are not cheap but they save large amounts of money on the review process, and companies can leverage them for all legal and compliance discovery.
- Valuable IP is at risk without proactive compliance: It’s much more effective to interrupt potential noncompliance before it turns into a violation. Digital communications monitoring analyzes suspicious patterns in digital messaging, such as employee texting and email patterns, social media, or chat.
As global regulations proliferate, and as stakeholder expectations increase, organizations are exposed to a greater degree of compliance risk than ever before. Compliance risk is the threat posed to an organization’s financial, organizational, or reputational standing resulting from violations of laws, regulations, codes of conduct, or organizational standards of practice. To understand their risk exposure, many organizations may need to improve their risk assessment process to fully incorporate compliance risk exposure. The case for conducting robust compliance risk assessments is deeply rooted in the U.S. Federal Sentencing Guidelines for Organizations, which establish the potential for credit or reduced fines and penalties should an organization be found guilty of a compliance failure. In today’s environment of global regulatory convergence, ever-increasing complexity, and the expansion of businesses into new or adjacent industries, the need for a broader view of compliance risk has never been greater.
Many ethics and compliance officers will likely agree that new ethics, compliance, and reputational risks appear each day. At the same time, the recent global recession forced many organizational functions to closely examine their budgets and resources. Together, these factors have created a tension between growing regulatory obligations and the pressure to do more with less. To help resolve this situation and continue to add value to their organizations, ethics and compliance professionals need to be sure they understand the full spectrum of compliance risks lurking in each part of the organization. They then need to assess which risks have the greatest potential for legal, financial, operational, or reputational damage and allocate limited resources to mitigate those risks.