Written for the Diligent Insights blog found here.
If you’re renovating your house, a general contractor is critical. He or she oversees the project and knows what needs to be done to execute the vision. But if the pipes aren’t fitted correctly, the general contractor may not see it until water seeps into the newly laid white oak floors. A general contractor is just that — general. They need the assistance of plumbers and electricians — specialists — to get a real view of the risks to the build.
The same is true in the relationship between enterprise risk (also known as integrated risk) and compliance. There’s currently a debate about whether compliance should be subsumed into a singular risk function. While compliance risk is part of a complete risk function, it needs to be separate and its risk assessment process independently managed.
Compliance Risk Is Distinct
Corporate compliance departments typically deal with a narrow, yet critical, set of risks. These include bribery, antitrust, trade compliance, data privacy, modern slavery, conflict minerals and/or money laundering. In short, the laws managed by compliance have enormous penalties when things go wrong. It’s not uncommon to see fines in the billions and the imposition of a corporate monitor for several years when companies act unethically. This subset of challenges needs its own department, budget and risk monitoring.
Five Best Practices
Enterprise risk management can easily work effectively with the compliance function to ensure compliance risk is understood and responded to appropriately. Here are five best practices to ensure smooth sailing.
1. Articulate the Risk Appetite
The board, C-suite, enterprise risk management lead and chief compliance officer need to agree on a risk appetite. Risk appetite simply means the tolerance the company has for risk. Some companies have the “move fast and break things” mentality, where risk is celebrated. This is very different from a stable, long-established enterprise with conservative risk tolerance.
Defining the company’s risk appetite is critical for ensuring that enterprise risk and compliance are working with the same expectations for the imposition of controls on the business. Strict compliance-related controls can slow down the business. For instance, the requirement to perform in-depth due diligence on high-risk third parties may create a delay in signing important contracts. It is critical for the board and C-suite to articulate the company’s risk appetite and for enterprise risk and compliance to work together to ensure the appropriate stringency of controls.
2. Compliance Completes Its Own Separate Risk Assessment
Globally, regulators expect companies to have a compliance-specific risk assessment from which the compliance program is built. For instance, when determining whether a company should get credit for the compliance program in criminal sentencing, the U.S. Department of Justice instructs prosecutors to consider “[t]he effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment.”1 The U.K.’s Ministry of Justice requires a bribery-related risk assessment in order to defend against the strict liability offense of failing to prevent bribery.2 The compliance-related risk assessment should be separate from enterprise risk to conform to regulatory expectations.
At a high level, compliance-related risks should be captured on the enterprise-wide risk register. However, compliance should keep a more detailed risk register that feeds into the enterprise-wide one, but which includes more detail about the risk and mitigation plan.
3. Agree on the Topics to Be Monitored
Ideally, the compliance department will have a charter laying out the laws and issues handled by the function. If a charter exists, use it to define the risks that compliance will monitor. If there is no program charter, ensure enterprise risk and compliance come together to determine exactly which risks will be managed by the compliance department, especially in the risk assessment process.
Some risks will necessarily be spread among functions. For instance, managing modern slavery and human trafficking risk often involves the compliance, corporate social responsibility and procurement departments. Risks that bleed from one department into another must be assigned a primary owner. As the saying goes, the fastest way to starve a pet is to give everyone the responsibility to feed it.
4. Compliance Reports to the Board Directly
Guidance from the Department of Justice is clear: Compliance needs an independent relationship with the board. Prosecutors are instructed to ask whether compliance has direct access to the board of directors or the board’s audit committee.1 Allowing enterprise risk to report to the board on compliance risk is a recipe for disaster. It’s like playing a game of telephone. When one person tries to repeat what was said to them, the message often goes woefully awry. This is especially true when enterprise risk reports on compliance-related risk. No matter how skilled the enterprise risk manager, the depth of knowledge required to explain the compliance-related risk and risk-based approach that should be taken will be missing.
While compliance should always have access to and be able to report to the board, it is critical that compliance report directly in three instances:
When the company’s compliance-related risk profile changes: If the company expands into a new region or creates a new product line, new compliance-related risks will emerge, and the C-suite/board should be briefed on them.
When major compliance-related laws come into place: The compliance lead should report on new laws and report on the plan to deal with them.
When there is a significant investigation or allegation of misconduct.
5. Coordinate with Audit
It’s impossible to know how controls are working without a way to check them. Enterprise risk and compliance should work with internal audit to ensure that perceived risks are e
xplored and that control failures are investigated. Compliance should champion and devise risk mitigation strategies, and internal audit should check to see that they have been implemented effectively. Enterprise risk can stay appraised of the progress while allowing compliance to be primarily responsible for such activity.
Compliance officers’ deep understanding of compliance-related risk and their mandate to prevent, detect, and respond to misconduct is a critically important part of the risk management puzzle. Just as a good general contractor would contact a plumber to look at the pipes before the water comes gushing out, a good enterprise risk manager should rely on compliance to independently manage compliance-related risk.
1 U.S. Department of Justice Criminal Division, Evaluation of Corporate Compliance Programs, https://www.justice.gov/criminal-fraud/page/file/937501/download
2 U.K. Ministry of Justice, Bribery Act 2010 Guidance, https://www.justice.gov.uk/downloads/legislation/bribery-act-2010-guidance.pdf