What is compliance risk?
Compliance risk is an organization's potential exposure to legal penalties, financial forfeiture and material loss, resulting from its failure to act in accordance with industry laws and regulations, internal policies or prescribed best practices. Compliance risk is also known as integrity risk.
Organizations of all types and sizes are exposed to compliance risk, whether they are public or private entities, for-profit or nonprofit, state or federal. An organization's failure to comply with applicable laws and regulations can affect its revenue, which can lead to loss of reputation, business opportunities and valuation.
Types of compliance risk
An organization may be implicated in the following types of compliance risks:
- Corrupt and illegal practices. Legal compliance ensures that the organization, its agents and employees are abiding by the laws and regulations of the industry. Common compliance risks involve illegal practices and include fraud, theft, bribery, money laundering and embezzlement.
- Privacy breaches. A common compliance risk is the violation of privacy laws. Hacking, viruses and malware are some of the cyber risks that affect organizations. Additionally, if a company handles sensitive information, it is required to take the appropriate measures to protect that data and prevent privacy breaches.
- Environmental concerns. These compliance risks deal with pollution and environmental damage an organization's operations can cause. Examples include the destruction of natural habitats, use of harmful chemicals, hazardous waste disposal and pollution of groundwater. Many companies are integrating sustainability into their business strategies and are providing their employees with training and resources to help them achieve environmental compliance.
- Process risks. A process risk is a failure to follow an established procedure for completing a task or a deviation from the standard process. For example, a company must have a documented procedure for accessing its network remotely. If an employee abuses the proper procedure for remote access, it is considered a process risk.
- Workplace health and safety. Companies are legally required to follow specific health and safety protocols. In the U.S., many of these laws are enforced by federal agencies, such as the Occupational Safety and Health Administration (OSHA) and U.S. Food and Drug Administration (FDA). In Europe, the equivalent regulatory bodies are known as the European Agency for Safety and Health at Work (EU-OSHA) and European Medicines Agency (EMA).
What is compliance risk management?
Compliance risk management is the process of identifying, assessing and mitigating potential losses that may arise from an organization's noncompliance with laws, regulations, standards, and both internal and external policies and procedures. Management practices are intended to help organizations maintain compliance with various regulations and laws. Organizations may have compliance risk management policies and procedures, which are the framework and mechanisms they implement to control compliance risk. Compliance risk management is a continuous process that involves tracking changes in the regulatory environment to ensure an organization's compliance is up to date. Compliance policies, procedures and training materials must be revisited on a regular basis in light of new policies, directives and regulations.
Organizations need to be aware of their compliance risk on a number of levels, not just from the perspective of the chief compliance officer (CCO). While the CCO and other compliance staff are responsible for reviewing all aspects of the organization's compliance risk -- including its legal, regulatory, financial and technical risks -- the compliance risk extends to all levels of the organization, including information technology (IT). This is why the organization's IT department must be involved in compliance risk management.
Compliance risk management forms a portion of the collective governance, risk and compliance (GRC) discipline. GRC is a set of management practices and technologies designed to ensure that an organization is operating in a manner consistent with its values, mission and risk tolerance. GRC policies are mainly seen in the financial industry, but other industries, such as healthcare, are also required by law to adopt risk management and compliance practices.
GRC is designed to help organizations identify and evaluate risks to their business and reputation. The three fields are similar to incident management, operational risk assessment and internal auditing.
Compliance risk examples
In the U.S., corporate compliance is usually tied to applicable laws and regulations. For example, the Foreign Corrupt Practices Act (FCPA) applies to publicly traded companies, whereas the Sarbanes-Oxley (SOX) Act pertains to companies that have publicly traded stock. Both FCPA and SOX are enforced by the U.S. Securities and Exchange Commission (SEC) and other authorities. FCPA prohibits the offering, promising or granting of anything of value to a foreign official to influence business. SOX requires publicly traded companies to keep accurate books and records. Additional functions, including financial reporting and business operations, are also subject to SOX compliance.
In healthcare, there are numerous compliance risks and requirements. Laws and regulations with significant compliance risks include those in the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires the safeguarding of protected health information (PHI) at a minimum. HIPAA also requires the protection of other data that would be considered PHI under other laws, such as genetic information, health insurance information, and any other information related to the provision and payment of healthcare.
The cloud has created new risks for organizations that need to achieve and maintain compliance. Many organizations are concerned with whether cloud services are secure enough to hold data that is highly sensitive and needs to be protected. In the cloud, compliance can also become an issue when data is exposed to employees who are not supposed to have access to it, as well as when data is moved into the cloud without an appropriate permissions structure. The most reputable cloud providers encrypt all data to avoid potential security threats.
Compliance risk assessment
A key concept of compliance risk management is the risk assessment process, which includes identifying and evaluating the potential risks that threaten an organization's ability to ensure it is compliant with laws and regulations. Risk assessment can include reviewing information sources, such as reports from the business's management and from regulatory bodies, as well as identifying data and information that is already available to the organization.
Following a compliance risk assessment, an organization can determine its level of compliance to reveal what changes need to be made for improvement. An organization uses this information to create and implement a compliance risk management strategy that helps ensure it is in compliance with laws. For example, the assessment might reveal that the organization requires more secure procedures regarding remote work. The organization can plan to address this weakness by implementing more thorough remote work policies.
Learn more about GRC and the available software options on the market.