Redistributing risk management: why risk management isn’t only for compliance teams
A strong compliance team is an essential first step towards effective risk management – but it is only one part of the puzzle. If your organization relies exclusively on compliance professionals to safeguard against emerging threats, you could be leaving yourself at risk, with potentially costly results. Here’s why risk management should be core business for everyone in your business.
By AnsaradaThu Dec 16 2021CEO-CFO, Audits and compliance, Security and risk management, Environmental Social and Governance
The events of the last few years have clearly shown that every business must be poised to identify and manage novel risks. So why do so many organizations still treat compliance and risk management as secondary to their core operations?
A recent PwC survey found that, even in the wake of the pandemic, only 1 in 4 organizations align risk and compliance targets with the strategic objectives of the business. This suggests that for many organizations, risk and compliance remain siloed functions, rather than outward-looking activities designed to anticipate, detect and control key operational, financial and reputational risks.
Isolating compliance from broader risk considerations can also be very costly. In the US, the Office of the Comptroller of the Currency (OCC) has levied millions of dollars in fines from some of our largest financial institutions, culminating in this year’s $250m fine for Wells Fargo, with the banks’ failure to implement broad risk management programs a key factor.
Meanwhile, Fitch Ratings has put companies on notice that governance weaknesses are increasingly likely to lead to ratings downgrades, as investors’ scrutiny of Environmental, Social, and Governance (ESG) issues intensifies.
The focus of compliance is to ensure your business is fulfilling all of its obligations, especially those imposed by laws and regulations. In contrast, the focus of risk management is broader, aiming to identify, assess and control all potential threats to capital and earnings – including those not captured by legislation.
That’s important, because new risks are constantly appearing. Significant ‘threat multipliers’ like climate change, the COVID pandemic and novel cyber-threats have begun to manifest in unpredictable ways, compelling businesses to regularly reassess their risk exposure and continuously update their risk management processes.
The breadth and complexity of these emerging issues heightens the need to distribute risk management responsibilities across the business, rather than relying solely on a separate team of risk professionals. By creating a distributed risk model, you can harness the expertise of specialists across the organization – from supply chain managers to IT professionals – and actively engage everyone in the business of managing risk.
In fact, risk management firm Aon cautions that creating a large, specialized risk team can actually lead to worse outcomes, if that team is isolated from the rest of the business: “The existence of a larger, centralized risk team may create the impression that the central team is ‘responsible’ for risk management, rather than risk being the responsibility of all.”
Aon says that’s why recognized international standards for risk management, such as COSO and ISO31000, stress the importance of embedding risk disciplines and behaviors into day-to-day operations, not isolating them in a compliance team.
Effective governance and the right ‘tone at the top’ are essential in driving transparency, openness and a commitment to continuous improvement.
Establish the organization’s unique risk appetite and risk tolerance. Define possible risk scenarios, analyze their potential impact, and determine how best to respond to the risks they represent.
A recent PwC survey found that, even in the wake of the pandemic, only 1 in 4 organizations align risk and compliance targets with the strategic objectives of the business. This suggests that for many organizations, risk and compliance remain siloed functions, rather than outward-looking activities designed to anticipate, detect and control key operational, financial and reputational risks.
Isolating compliance from broader risk considerations can also be very costly. In the US, the Office of the Comptroller of the Currency (OCC) has levied millions of dollars in fines from some of our largest financial institutions, culminating in this year’s $250m fine for Wells Fargo, with the banks’ failure to implement broad risk management programs a key factor.
Meanwhile, Fitch Ratings has put companies on notice that governance weaknesses are increasingly likely to lead to ratings downgrades, as investors’ scrutiny of Environmental, Social, and Governance (ESG) issues intensifies.
Why compliance alone is not enough
While compliance and risk management have much in common, they remain separate activities that can complement but not replace one another.The focus of compliance is to ensure your business is fulfilling all of its obligations, especially those imposed by laws and regulations. In contrast, the focus of risk management is broader, aiming to identify, assess and control all potential threats to capital and earnings – including those not captured by legislation.
That’s important, because new risks are constantly appearing. Significant ‘threat multipliers’ like climate change, the COVID pandemic and novel cyber-threats have begun to manifest in unpredictable ways, compelling businesses to regularly reassess their risk exposure and continuously update their risk management processes.
The breadth and complexity of these emerging issues heightens the need to distribute risk management responsibilities across the business, rather than relying solely on a separate team of risk professionals. By creating a distributed risk model, you can harness the expertise of specialists across the organization – from supply chain managers to IT professionals – and actively engage everyone in the business of managing risk.
In fact, risk management firm Aon cautions that creating a large, specialized risk team can actually lead to worse outcomes, if that team is isolated from the rest of the business: “The existence of a larger, centralized risk team may create the impression that the central team is ‘responsible’ for risk management, rather than risk being the responsibility of all.”
Aon says that’s why recognized international standards for risk management, such as COSO and ISO31000, stress the importance of embedding risk disciplines and behaviors into day-to-day operations, not isolating them in a compliance team.
