There has been, for many years, an ongoing debate as to the relationship between Compliance Management and Risk Management. Some have believed they are separate disciplines, others that risk management is a subset of compliance and yet others, that compliance is a subset of risk management.
The new ISO 19600 standard (December 2014) provides a reminder of how compliance and risk should operate together, as “colleagues” sharing a common framework with some nuances to account for their differences. The 19600 standard on “Compliance Management Systems” largely reflects the existing AS 3806-2006 standard, which it will replace.
It is clear that the standard is closely aligned with the ISO 31000 risk management standard. This is most prominent when comparing the seven processes in each standard.
Fig 1. Management processes in each standard
In addition, Compliance Risk is defined as “the effect of uncertainty on compliance objectives” while the ISO 31000 standard defines Risk as “the effect of uncertainty on objectives”.
The 19600 standard, amongst many other things, “recommends” that organisations: “adopt a risk-based approach to compliance” and “develop a risk appetite for compliance risks”.
The standard fully supports integration of compliance risk management with enterprise risk management as far as possible. This is good news for business, as greater value can be extracted from risk and compliance cultures that feed off, and support, each other. It means that compliance risk management becomes part of enterprise risk management using, by and large, the same processes. The key overlaps are:
This means that compliance risk management should form an integral part of the overall enterprise risk management (ERM) framework and risk professionals should consider compliance risk as part of their overall portfolio of risks.
Because compliance has its own particular character, there are some nuances that have to be separately considered. These include:
"Compliance and risk should operate together sharing a common framework with some nuances to account for their differences."
If you would like to know more about how Protecht can help you with your compliance risk management, especially in relation to the new ISO 19600 standard and the integration with your overall risk management framework, please get in touch or learn more about our compliance management system software.
David Tattam is the Chief of Research, Knowledge and Consulting and co-founder of the Protecht Group. David’s vision is to redefine the way the world thinks about risk and to develop risk management to its rightful place as a key driver of value creation in each of Protecht’s clients. David is the driving force behind Protecht’s risk thinking, pushing it to the frontiers of what is possible in risk management and supporting the uplift of people’s risk capability through training and content.