Linking Risk Management to Compliance
In this session I want to talk about linking your risk management program to your compliance program. I know it’s an area that a lot of organisations struggle with.
First of all, let’s talk about your compliance program, what it involves, and how you can actually make it more effective. The first thing we need to understand as an organisation is “what do we need to be compliant against?” That’s the basis. But then, of course, what we need to understand is “what do we need to do to actually be compliant? What are the activities that we need to undertake to be compliant with that requirement?”
We also then ask the question “how do we demonstrate, or how do we prove, that we are compliant against what we are asked, or what we have been asked, to do?” Finally, how do we measure that?
Now, when it comes to compliance, not everything is equal. You will have some compliance requirements whereby the consequences of non-compliance are not that challenging to an organisation, or are not that impactful. But you will have others whereby, if you don’t comply, it could actually bring down an organisation.
I use the example of a childcare centre: if you lose your licence because of a compliance breach, well then you can’t operate anymore. So the key to linking your risk management program to your compliance program is, first of all, to understand those compliance requirements that have the greatest level of consequence if there is a non-compliance. Once you have done that, identify the controls that you’ve currently got in place to make sure you are compliant. We then link that to our risk management program by saying “there is a risk that this event is going to occur, which leads to that non-compliance, whereby we have that very high consequence.” So what we can do then is make sure that those controls that are aimed at reducing the likelihood of the event that would lead to the compliance breach are strong. They then need to be the focus of our internal audit program.
The following things need to be identified:
- What is it we need to comply with?
- How do we comply with that?
- What happens if we don’t comply?
- How do we measure it?
Once we’ve done that, we can link it to our risk management program, understanding that we focus very much on those compliance requirements where non-compliance will lead to the highest level of consequence.
That’s all for this session. As always, let’s be careful out there.