5 Best Practices to Optimize the Relationship between Enterprise Architecture and Compliance

GRC with Automation

There’s currently a debate about whether compliance should be subsumed into a singular risk function. While compliance risk is part of a complete risk function, it needs to be separate and its risk assessment process independently managed.  To transform the business and ensure compliance Spar Nord needed a solution that could provide an overview of the functions and interconnections of the organization.

Compliance Risk Is Distinct

Corporate compliance departments typically deal with a narrow, yet critical, set of risks. These include bribery, antitrust, trade compliance, data privacy, modern slavery, conflict minerals and/or money laundering. In short, the laws managed by compliance have enormous penalties when things go wrong. It’s not uncommon to see fines in the billions and the imposition of a corporate monitor for several years when companies act unethically. This subset of challenges needs its own department, budget and risk monitoring.  

Five Best Practices

Enterprise risk management can easily work effectively with the compliance function to ensure compliance risk is understood and responded to appropriately. Here are five risk management best practices to ensure smooth sailing.

1.Articulate the Risk Appetite

The board, C-suite, enterprise risk management lead, and chief compliance officer need to agree on a risk appetite. Risk appetite simply means the tolerance the company has for risk. Some companies have the ‘move fast and break things’ mentality, where risk is celebrated. This is very different from a stable, long-established enterprise with conservative risk tolerance.

Defining the company’s risk appetite is critical for ensuring that enterprise risk and compliance are working with the same expectations for the imposition of controls on the business. Strict compliance-related controls can slow down the business. For instance, the requirement to perform in-depth due diligence on high-risk third parties may create a delay in signing important contracts. It is critical for the board and C-suite to articulate the company’s risk appetite and for enterprise risk and compliance to work together to ensure the appropriate stringency of controls.

2. Compliance Completes Its Own Separate Risk Assessment

Globally, regulators expect companies to have a compliance-specific risk assessment from which the compliance program is built. The compliance-related risk assessment should be separate from enterprise risk to conform to regulatory expectations.

At a high level, compliance-related risks should be captured on the enterprise-wide risk register. However, compliance should keep a more detailed risk register that feeds into the enterprise-wide one, which includes more detail about the risk and mitigation plan.

3. Agree on the Topics to Be Monitored

Ideally, the compliance department will have a charter laying out the laws and issues handled by the function. If a charter exists, use it to define the risks that compliance will monitor. If there is no program charter, ensure enterprise risk and compliance come together to determine exactly which risks will be managed by the compliance department, especially in the risk assessment process.

Some risks will necessarily be spread among functions. For instance, managing modern slavery and human trafficking risk often involves the compliance, corporate social responsibility and procurement departments. Risks that bleed from one department into another must be assigned a primary owner. As the saying goes, the fastest way to starve a pet is to give everyone the responsibility to feed it. 

4. Compliance Reports to the Board Directly

Compliance needs an independent relationship with the board. Allowing enterprise risk to report to the board on compliance risk is a recipe for disaster. It’s like playing a game of telephone. When one person tries to repeat what was said to them, the message often goes woefully awry. This is especially true when enterprise risk reports on compliance-related risk. No matter how skilled the enterprise risk manager, the depth of knowledge required to explain the compliance-related risk and risk-based approach that should be taken will be missing.

While compliance should always have access to and be able to report to the board, it is critical that compliance report directly in three instances:

  • When the company’s compliance-related risk profile changes: If the company expands into a new region or creates a new product line, new compliance-related risks will emerge, and the C-suite/board should be briefed on them.
  • When major compliance-related laws come into place: The compliance lead should report on new laws and report on the plan to deal with them.
  • When there is a significant investigation or allegation of misconduct.

5. Coordinate with Audit

It’s impossible to know how controls are working without a way to check them. Enterprise risk and compliance should work with internal audit to ensure that perceived risks are explored and that control failures are investigated. Compliance should champion and devise risk mitigation strategies, and internal audit should check to see that they have been implemented effectively. Enterprise risk can stay appraised of the progress while allowing compliance to be primarily responsible for such activity.

Compliance officers’ deep understanding of compliance-related risk and their mandate to prevent, detect, and respond to misconduct is a critically important part of the risk management puzzle. Just as a good general contractor would contact a plumber to look at the pipes before the water comes gushing out, a good enterprise risk manager should rely on compliance to independently manage compliance-related risk.