“We have an enterprise risk management team. Where does their role end and ours begin?” That’s a common question as compliance teams mature their programs into risk-based approaches.
The truth is, compliance risk management and enterprise risk management don’t live in separate spaces—and they certainly don’t live in vacuums. Risk is spread throughout an organization and touches many job functions. The only way to adequately manage and mitigate all those risks is for risk owners to work together.
It’s not an oil and water thing, but something that can be done together and highlight the strength of the compliance department.
– Joe LeBas, Convercent
Think of enterprise risk management as the central hub—the place where all risks are brought together and analyzed with an eye toward company objectives and strategic business plans. Other teams—IT, operations, compliance—are focus groups specializing in an area the ERM team won’t necessarily dig deeply into but that has a major risk impact.
ERM sets the organization’s risk appetite, other business areas evaluate and address risks in their area—with an eye toward the established appetite—and report up accordingly.
The Big Picture
“I find our enterprise risk management process to be a real asset to the compliance program and it is a critical part of what we do.” — Seth Rice, Assistant General Counsel-Compliance and Director of Global Ethics and Compliance at Kennametal, during a webinar on the evolving role of the chief compliance officer.
All risks, no matter where their ownership falls, should ultimately be tied to business objectives and weighted in relation to other organizational risks. What might be a major compliance or operations risk might not affect the company overall very much. Those risks still need to be addressed, mitigated and monitored, but when and how that’s done—and the type of resources teams receive for this work—will depend on how the risk fits into the broader company-wide scope. Prioritizing risks is a federal expectation (at least when it comes to compliance programs), but it’s also in the company’s best interest for staving off potentially damaging issues and keeping the organization true to course with the business plan.
While looking at this big-picture view, clear risk owners should be identified and the scope of their jurisdiction defined. This will help ensure every risk area is adequately monitored. Does the IT team handle tech and security compliance? Is operational compliance its own entity or does it sit with the broader compliance department? Teams who clearly understand their focus are able to dig in deeper and have a better understanding of their role in the overall risk machine. An enterprise risk assessment should highlight where companies need more refined focus and dedicated teams. Don’t let risk ownership become a set of blinders, though. Teams shouldn’t be so focused on their own area that they lose sight of other organizational risks or how their work fits into the bigger picture.
While teams dig deeper into details, business objectives should be their guiding star. For compliance teams, this can mean paying special attention to laws and regulations that apply specifically to your industry; closely monitoring trends and activity if the company does business in compliance hotspot locations; heavily participating in due diligence of third parties, vendors or potential mergers or acquisitions; and understanding the risk landscape in areas the business plans on expanding to. These factors have a major impact on the company’s risk profile while aligning with strategic business objectives.
“As a compliance professional, your focus is that you understand and are managing the compliance obligations, the legal and regulatory obligations, of your company and making sure that those risks and obligations are brought to the forefront and shared as part of the ERM process. I see [compliance and ERM] as complementary, with compliance focusing on regulatory and legal and bringing that to the bigger ERM picture.”
– Kwamina Williford, Partner at Holland & Knight, during Achieving a Risk-Based Approach to Compliance Management.
Enterprise risk managers are likely not experts in law, regulations, judgments and other things that compliance professionals continuously follow and focus on. This is where the ERM team’s job ends and the compliance team’s work begins.
Allowing compliance teams to focus on their specific risks is crucial for many companies, particularly those in construction, healthcare, finance and other heavily regulated industries. These industries face a high level of scrutiny and require careful, detailed attention to maintain compliance and mitigate risk—a level of constant attention not in ERM’s scope.
“Some companies, like mine, need a full time department with a number of people who are really focused on building tools and monitoring our regulatory world, because if we get into trouble we don’t get to do business with public agencies anymore. It’s a big thing for us,” said Chris Caron, Compliance Director at Kiewit. “Other companies are going to have much less impact from those regulatory worlds.”
No matter how heavily regulated your industry is, all organizations face compliance risks. As companies expand, those risks grow. It’s particularly important for international companies to have a robust compliance team to ensure the company stays compliant with the varying laws, regulations and standards of all the countries it has employees in—including third party workers. I recently heard a compliance director for an international retailer comment that “we didn’t want to dedicate the resources” isn’t a viable excuse if the SEC or DOJ come knocking. This grouping of smaller risks may not register heavily on the larger company risk profile, but they can have a very big impact.
Compliance risk assessments also fall into the purview of the compliance team—you have the time, resources and expertise to be as detailed and specific as you need to be for this assessment. The existence of an enterprise risk assessment does not negate the need for a compliance risk assessment. This version is much more focused and tailored and should be rolled up into the larger ERA for a better understanding of the company’s true risk profile. Just as all risks must be weighted and ranked at the ERM level, it is a compliance team’s job to prioritize compliance risks and put action plans in place to mitigate, manage and monitor those specific risks.
Identifying trends, analyzing initiative results and compiling reports (all within a framework of addressing risk) are key functions of a successful compliance program and something compliance professionals spend a good amount of time doing. Mapping these trends and data to the company’s broader goals can be valuable, insightful and motivating.
While focusing on compliance risks and tasks, it’s important to remember that the compliance department is inherently not siloed. Not only do you deal with risk in tandem with the ERM folks, but training, policies, case management, disclosures and other key compliance functions often reach into the everyday functions of other departments. Teams often find themselves dealing with:
- HR – Such as harassment or discrimination policies and reports
- Audit – To ensure compliance with data retention laws and FCPA record keeping standards
- Operations – For vendor due diligence, FCPA compliance, etc.
- Legal – To keep abreast of new laws and enforcement trends
- IT – Even if IT teams own security compliance, policies and training still often fall onto the compliance team
In this way, the risks that “belong” to other teams also belong in part to compliance. While ERM looks at risk’s impact on the business and helps prioritize management efforts, the compliance department helps all risk ownership teams practically manage those risks on a day to day basis.
This is why it’s so important that risk ownership not become a point of friction. Everyone has skin in the game and they should be working together to handle the issues rather than fight about whose issue it is. ERM professionals should see the compliance team as their best friend and right-hand man when it comes to mitigating corporate risks.
Just as compliance professionals can’t shut other risk owners out and work in a bubble, you shouldn’t discount front line employees. Listening to the reports and observations of regional managers, hotline reports and questions asked by employees may surface a risk you—and the ERM team—didn’t know about. It can also shine the spotlight on an initiative that isn’t working as intended to mitigate an identified risk.
Risk management cannot be a top-down mandate—it’s simply not effective that way and leaves organizations open to missing key risks. Don’t be so focused on “your” identified risks that you miss something, particularly if you’re hearing it from the employees who face these real-world risks every day. And if you think it’s important, don’t keep it to yourself. Bring it up with other risk owners to decide, together as a team, where it fits into the profile and how best to address it.
Different companies, with different risk appetites and company cultures, handle front line risk management in a variety of ways. Some companies appoint regional compliance managers who report up the chain of command, others foster an environment that encourages all employees to be their own compliance manager by monitoring and self-reporting issues or concerns. This can be seen as another subdivision of risk ownership, but it should be viewed as helpful, rather than another potential power struggle. You are empowering people to help manage risk, that’s a good thing!
Whether you assign ownership to managers or everyone, getting an understanding and ingrained consciousness of risk and its impact on the business to spread throughout your organization is key to successful mitigation. Risk doesn’t exist in a bubble; it’s the potential for someone to do something wrong—either intentionally or accidentally. When all employees at your organization understand the specific risks they face in their daily job, and understand how that risk can negatively affect both them and the company, they’ll be more guarded and hopefully make better decisions.
This is one of the reasons tone at the top is so important. A company-wide commitment to risk management and ethical business practices is important and risk owners are a powerful force for this message when they work together and collaborate.
The Bottom Line
While some departments have historically kept a tight fist on what they own and control—and ignored everything that doesn’t fall directly into their scope—companies are beginning to realize that successful risk mitigation means working together and embracing area expertise. Risk is too big a field to take on alone and no one team will be an expert in enterprise risk, compliance risk, IT risk, operational risk, etc. Instead, each department should be empowered to complete its own risk assessments and put mitigating steps in place. They should also be open enough to mention if they notice a key risk going unmitigated or a new one emerging—even if it’s not in their area of focus. Each team’s efforts and results need to be regularly communicated with other risk owners and up the chain to ensure a cohesive, business-aligned approach. Embrace your differences and priorities, but ultimately work for the greater good of the company. And forget about the power struggle already!