A product of the increasing volume of regulation in financial and related services since the global financial crisis of 2008 has been the lengthening list of ‘compliance obligations’, mandatory as well as voluntary, that firms have to manage. Managing these obligations in an efficient and effective way has become progressively more resource intensive. Larger organisations are better placed than smaller organisations to absorb the associated costs, and enabling technologies have helped up to a point, but it is a game of diminishing returns. These largely ‘mechanical’ responses also have limitations and are prone to their own operational risks, including human error and system availability.
There are also less visible costs of this prevailing orthodoxy of compliance systematisation, potentially more significant in the longer term, that do not augur well for the sustainability of many compliance solutions:
- They do not address the human behaviours that underpin compliance and may even perpetuate poor behaviours, including a ‘box ticking’ mindset;
- They tend to remove from scrutiny the subtle cause and effect relationships at play, which are necessary to answer the question ‘What’s going on here?’;
- They are prone to ‘set and forget’.
The sheer volume of compliance obligations, and the time devoted to them, is something boards and management have wrestled with for years. Unabated, the trend is crowding out robust discussion on risk, to the point where we more often than not see compliance becoming conflated with risk management at the most senior levels, to the detriment of the latter.
Distinguishing risk management from compliance is critical for any organisation that wishes to create long-term value for its stakeholders. Business owners and managers who understand the distinction and are able to harness them as complementary disciplines are more likely to outperform peers who don’t. Compliance with rules and regulations helps protect organisations from a variety of distinct risks, while risk management helps not only protect organisations from a wide range of downside risks including those that could lead to non-compliance, but also identify rewarding opportunities.
How can some equilibrium and rationality be restored? Simply stated, “risk management needs to be put back into compliance”.
Working from first principles:
- Compliance is an outcome (a dependent variable), dependent upon other factors such as motivation, ability and action prompts. It is ‘backward-looking’ and established after the fact.
- Risk management, on the other hand, is a ‘forward-looking’ process aimed at establishing the likelihood and consequence of adverse events, including those that could lead to non-compliance (the independent variables).
This cause and effect relationship, and the potential drivers that could cause an organisation not to meet a compliance obligation, are seldom canvassed when implementing compliance solutions. This is a gap at the heart of these solutions, and one VeritasHQ restores in its performance-based approach to compliance. The causal relationships between risk and compliance form the backbone of our compliance analytics and dashboard reporting to management and boards. They are a necessary antidote to the otherwise worrying trends described above and can help ensure that due enquiry and constructive challenge on risk and compliance occur together, on an ongoing basis, at the most senior levels.