There has been, for many years, an ongoing debate about the relationship between Compliance Management and Risk Management. Some have believed they are separate disciplines, others that risk management is a subset of compliance, and yet others that compliance is a subset of risk management.
The new ISO 19600 standard (December 2014) provides a reminder of how compliance and risk should operate together, as “colleagues” sharing a common framework with some nuances to account for their differences. The 19600 standard on “Compliance Management Systems” largely reflects the existing AS 3806-2006 standard, which it will replace.
It is clear that the standard is closely aligned with the ISO 31000 risk management standard. This is most prominent when comparing the seven processes in each standard.
Fig 1. Management processes in each standard
In addition, Compliance Risk is defined as “the effect of uncertainty on compliance objectives” while the ISO 31000 standard defines Risk as “the effect of uncertainty on objectives”.
The 19600 standard, amongst many other things, “recommends” that organisations: “adopt a risk-based approach to compliance” and “develop a risk appetite for compliance risks”.
The standard fully supports integration of compliance risk management with enterprise risk management as far as possible. This is good news for business, as greater value can be extracted from risk and compliance cultures that feed off, and support, each other. It means that compliance risk management becomes part of enterprise risk management using, by and large, the same processes. The key overlaps are:
This means that compliance risk management should form an integral part of the overall enterprise risk management (ERM) framework and risk professionals should consider compliance risk as part of their overall portfolio of risks.
Compliance being what it is, there are some nuances that have to be considered separately. These include:
If you would like to know more about how Protecht can help you with your compliance risk management, especially in relation to the new ISO 19600 standard and the integration with your overall risk management framework, please contact Luna Restrepo via email email@example.com.
Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. His career includes many years working with PwC, as well as two Australian banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB).