Compliance and risk management is the process of following or complying with all applicable laws, regulations, rules, and standards that apply to the company. Compliance is ensured through the design, development, and implementation of policies, processes, and procedures. The management develops such policies, processes, and procedures under the supervision of the Board of Directors.

The aim is to ensure that all applicable laws, rules, regulations, and standards are complied with in letter and spirit by all the employees. Regulatory compliance is a zero-tolerance area because the principles relate to fair dealing with clients and maintaining corporate transparency to retain the customers’ trust and the economy’s growth. 

Compliance risk is the risk of non-compliance with applicable laws, regulations, rules, and standards that may lead to the penalties imposed by the regulators.

The company must manage compliance risk as part of overall risk management activities. Sufficient resources and internal controls must be designed and implemented to ensure that employees comply with regulatory and policy requirements.

Understanding Compliance and Risk Management

The understanding of compliance implies that a company organizes its processes, and in case of applicable regulatory requirements violations, the regulator may find the company or revoke its license. However, in recent years, the understanding of compliance has been complemented by adherence to the moral and ethical principles enshrined in the company code of conduct. The regulator does not impose a fine for violations of applicable regulatory requirements.

Still, losses may be so substantial that they inevitably lead to reputational and financial losses. Each such violation is a potential risk that can lead to negative consequences for the activity of a company. These risks will depend on a specific company, so that the potential consequences will differ. However, the risks can be managed.

The German regulator imposed a fine on the H&M retailer of 35 million euros for collecting and storing information about several hundred employees’ health, private life, and religious beliefs. The investigation lasted almost a year. The investigators concluded that this practice had existed in the company since 2014 and was used for making personnel decisions.

In addition to the fine, the company was forced to pay compensation to the employees whose data were collected and stored on the internal server. This case demonstrates consequences to business to which a breach of external compliance in terms of personal data protection and internal compliance concerning those principles the company committed itself to adhere to in its activity can lead.

A risk consists of two parts:

1. Consequences means the extent of losses in case of a negative event
2. Probability which shows how probable the occurrence of a negative event is in a certain prospect. For example, an attack on a company’s warehouse by a zombie army can have significant consequences. Still, the probability of such an event in the short term is so low that this risk is irrelevant. At the same time, the disruption of logistics chains of supply of raw materials also has significant consequences but already a medium probability, which makes this risk more relevant.

Non-compliance risks may arise in a significant number of areas of law, but most often, high risks occur in such areas as:

• Anti-corruption legislation,
• Anti-monopoly legislation and competition protection,
• Labour legislation,
• Money laundering,
• Tax legislation,
• Protection of personal data,
• Export control, and
• Environmental legislation.

That is why risk management for a company should start with these areas. The risk assessment is a tool to increase the effectiveness of introducing compliance. Without a risk assessment and analysis, a company may set wrong priorities, implement ineffective measures, and ignore high compliance risks. Ideally, compliance risk analysis should be performed at the beginning of the introduction of compliance, but in practice, it does not work. With the implementation of a risk-based approach, especially in case of a negative event, the company will be able to appeal to the fact that it has made sufficient efforts to avoid the compliance risk. 

Final Thoughts

The detection, analysis, and control of financial, legal, strategic, and security threats to an organization’s strategic objectives is known as risk management. These threats or hazards can arise from a variety of sources, including financial insecurity, legal liability, strategic management failures, accidents, or natural disasters.

Compliance risks continue to be a major concern for any large organization. This is especially true for highly regulated industries like healthcare or banking, as well as publicly traded companies that are subject to extensive investor protection and securities laws.