Advice for Risk Managers: Treat Compliance Like a Risk, Not a Checklist

Many companies share some problematic habits when it comes to compliance. The worst of them is treating compliance like a checklist: thinking, “If we meet these specific compliance requirements, our company should run efficiently and securely.” That is a simplified picture, but the point stands. Being compliant guarantees neither efficiency nor security, while failing to meet requirements can have long-lasting negative effects.

At LogicManager, we view compliance as the minimum operating standard, and focus more on aligning our priorities with a risk-based approach. This affects how our own governance structure functions, as well as how we advise our customers.

The shift in how compliance is viewed is gaining momentum. Recent COSO and ISO updates, such as ISO 19600 and COSO’s upcoming ERM update, specifically emphasize a risk-based approach to compliance. Moreover, organizations’ understanding of the relationship between risk and compliance is changing.

For example, Fitch Ratings, one of the “big three” credit rating agencies, has created and filled a new role: Chief Compliance Officer. This is part of the agency’s plan to “bulk up” its compliance efforts and “broaden” its approach to risk, according to the Risk & Compliance Journal. To whom does the new CCO report? John Olert, Chief Risk Officer of Fitch’s parent company. That reporting line mirrors the new understanding of compliance as a subset of risk:

Olert contends that the need for a Chief Compliance Officer became evident when he was responsible for both risk and compliance. Even though the former contains the latter, compliance’s scope and complexity warrant its own departmental governance (as can often be said for IT and operational risk as well). The key is to manage compliance with a risk-based approach. Fitch Ratings is doing just that, widening its risk focus beyond market and credit risk.

Fitch identified a few other priorities for its compliance program, all of which resonate with the LogicManager approach. One is developing communication between employees and departments. We strongly agree. No matter how insightful data and other information are, they are useless unless delivered to the right party. Organizations with a “stovepipe” mentality often fail to share information cross-functionally, resulting in redundant work. A single control used to mitigate a risk may also satisfy a regulatory requirement, and an ERM system can track and manage those overlapping relationships.

For more information about presenting Enterprise Risk Management solutions to the board, take a look at our free eBook, Presenting ERM to the Board.

© 2020 GlobalRisk community. Created by Boris Agranovich.