Same Same or Different?
A recent article in the South China Morning Post caught my interest. A company apparently failed to comply with certain disclosure requirements. This made me think about the perennial question: what is the relation between Compliance and ERM (“Enterprise Risk Management”)?
Wikipedia defines compliance as conforming with stated requirements. These requirements can be external, such as codes and legislation, or internal, such as guidelines and rules.
I take the view that good ERM ensures, amongst other things, that all the necessary internal rules are in place. Furthermore, the rules must be robust, and management must look at “risk” from a strategic perspective. The focus is on “necessary”, i.e. it matters to have the appropriate quantity of rules. A flood of rules is not a good idea, and having too few rules isn’t a smart choice, either.
Compliance is one aspect of risk management, since it focuses on avoiding breaches of rules. So how does ERM come into play?
A thorough ERM process will ensure that the major risks of a company are appropriately defined and mitigated. If non-compliance with certain rules is defined as a significant risk of a company, then a sound ERM framework will check the corresponding set of rules at great length and in great detail. Often, the risk management team will use discrete scenario analysis to estimate the impact. For example, non-compliance with a certain external rule/code might result in a fine. ERM will quantify a range of possible fines and ensure that mitigation measures are in place. Risk Management will also need to stress test the mitigation measures to ensure that they work as desired.
Let’s abstract the said case a little and run it through an ERM process. During the risk identification process, the compliance function would have come up with a risk category called something like “failure to comply with external rules”. If the compliance function didn’t come up with this risk category, then the Risk team should guide the colleagues accordingly. In a second step, this “failure to comply” needs to be quantified. How can such a scenario be quantified? Since no probabilistic models might be available for “fines”, it may suffice to define a few discrete scenarios and put a monetary estimate on each one. Subsequently, the compliance team comes up with mitigating factors, such as defined escalation and notification procedures. Then the ERM function will stress test these mitigation efforts to ensure that they actually work in practice.
An experienced outside party, like Megrow, will contribute very significantly to making the ERM process cost-efficient and effective. Keen to know more? Contact me at firstname.lastname@example.org or via any of the social media links at the bottom of the page.