Redistributing risk management: why risk management isn’t only for compliance teams
A strong compliance team is an essential first step towards effective risk management – but it is only one part of the puzzle. If your organization relies exclusively on compliance professionals to safeguard against emerging threats, you could be leaving yourself at risk, with potentially costly results. Here’s why risk management should be core business for everyone in your organization.
A recent PwC survey found that, even in the wake of the pandemic, only 1 in 4 organizations align risk and compliance targets with the strategic objectives of the business. This suggests that for many organizations, risk and compliance remain siloed functions, rather than outward-looking activities designed to anticipate, detect and control key operational, financial and reputational risks.
Isolating compliance from broader risk considerations can also be very costly. In the US, the Office of the Comptroller of the Currency (OCC) has levied millions of dollars in fines on some of our largest financial institutions, culminating in this year’s $250m fine for Wells Fargo, with the banks’ failure to implement broad risk management programs a key factor.
Meanwhile, Fitch Ratings has put companies on notice that governance weaknesses are increasingly likely to lead to ratings downgrades, as investors’ scrutiny of Environmental, Social, and Governance (ESG) issues intensifies.
Why compliance alone is not enough
While compliance and risk management have much in common, they remain separate activities that can complement but not replace one another.
The focus of compliance is to ensure your business is fulfilling all of its obligations, especially those imposed by laws and regulations. In contrast, the focus of risk management is broader, aiming to identify, assess and control all potential threats to capital and earnings – including those not captured by legislation.
That’s important, because new risks are constantly appearing. Significant ‘threat multipliers’ like climate change, the COVID pandemic and novel cyber-threats have begun to manifest in unpredictable ways, compelling businesses to regularly reassess their risk exposure and continuously update their risk management processes.
The breadth and complexity of these emerging issues heightens the need to distribute risk management responsibilities across the business, rather than relying solely on a separate team of risk professionals. By creating a distributed risk model, you can harness the expertise of specialists across the organization – from supply chain managers to IT professionals – and actively engage everyone in the business of managing risk.
In fact, risk management firm Aon cautions that creating a large, specialized risk team can actually lead to worse outcomes, if that team is isolated from the rest of the business: “The existence of a larger, centralized risk team may create the impression that the central team is ‘responsible’ for risk management, rather than risk being the responsibility of all.”
Aon says that’s why recognized international standards for risk management, such as COSO and ISO 31000, stress the importance of embedding risk disciplines and behaviors into day-to-day operations, not isolating them in a compliance team.