There seems to be a good deal of confusion about the role of the compliance function versus the role of the risk management function. In many organizations risk management has been subsumed into the audit organization, and there are a growing number of "risk management" consultancies that are offshoots of external auditing firms. Has audit become risk management? And if not, what's the difference?
In October 2004, COSO issued its Enterprise Risk Management (ERM) framework. A slide in the downloadable PowerPoint summary on the COSO site states:
"Internal Auditors ... play an important role in monitoring ERM, but do NOT have a primary responsibility for its implementation or maintenance." (Emphasis provided by COSO.)
Despite this authoritative statement, we seem to have lost the distinction between risk management and the audit/assurance/regulatory/compliance function. Senior risk management positions listed in the classifieds are defined as "managing the process to meet all regulatory and legislative requirements." The only arena in which the management of risk in complying with a legal or regulatory requirement would be appropriate is organized crime. Where else would the assessment of whether or not to break the law be considered an exercise in managing risks? Certainly, there may be room for interpretation of a statute or regulation, but if that interpretation puts a company in jeopardy, one might want to find a new set of lawyers and accountants.
That said, the confusion between the two roles continues. Let's look at what these functions are really about and how, although different, they are inextricably linked.
The operational disciplines which support a business process (IT, HR, Facilities, Finance, Legal, Tax, etc.) all have professional standards, are benchmarked against best practices, and are subject to laws and regulations that govern their activities in part or in whole. Measuring the level of adherence to these regulations, laws and best practices is an essential compliance activity, and one that the audit organization is best skilled to undertake. A strategy for examining conformity to required regulations is essential and is often supplemented with control self-assessments. This is fundamental to good business practice; it is not risk management.
For example, at its core, Sarbanes-Oxley requires transparency in financial processes and establishes standards for executive loans, the timing of trades of company stock, auditor independence, etc. These are all requirements for the functioning of the finance discipline within the company. As the guardians of established financial practices, financial professionals are the primary people responsible for maintaining these standards. The audit function is there to ensure that they are doing their jobs. Is there risk involved if the finance department does not do its job, or if it is aware of non-compliance on the part of other individuals and does nothing about it? Absolutely, but that risk is confined to non-compliance; it is not the management of situations that arise either through the activities of third parties or through the active decision of management to pursue a business strategy.