Close the gap between risk, compliance and ethics with ERM



At first glance, new recommendations released late last year by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) might only apply to companies in the United States. But as with many things in our globalized world, the new guidance on aligning risk and compliance departments should resonate beyond the USA’s borders.

The guidance’s goal is to help boards, executives, and managers identify, manage, and mitigate compliance risks. Because of the complex global landscape companies often need to operate in, this concept should resonate with many organizations keen to better coordinate their compliance and risk functions.

At its root is a familiar and critical demand that companies need to meet, says Neer Rama, Force Solutions Product Manager at ERM-solutions implementer, thryve:

“Risk can’t stay as a reactionary and siloed capacity inside a company. The requirements of doing business today are too demanding for that. Even in the early days of enterprise risk management, people were talking about integrated and strategic risk. A takeaway for me from the COSO guidelines is that this demand is now so nuanced that it’s calling for siloes among risk management responsibilities such as compliance and legal to be broken down, with the help of ERM systems.”

The crux of COSO’s point is that not all risks are equal, and not everyone is equipped to spot certain risks – yet may easily cause them. For example, sales teams could violate compliance because they lack the legal knowledge to spot the treading line. Similarly, legal resources are often locked around certain types of risk but not other areas, which results in parts of the business not getting value from legal opinion that it should have access to.

Yet if compliance and legal teams can play an overarching role, liaising with other parts of the business proactively, those risks reduce considerably. COSO’s guidance wants organizations to establish a culture of integrity and communication around legal processes and risks. Enterprise risk management makes this possible, explains Riaan Bekker, Force Solutions Manager at thryve:

“You can use an ERM system and framework to gather key views from different parts of the company, preferably in a formalised manner. You don’t want your risk professionals to keep compiling casual opinions to come to a serious risk metric. But that’s what they had to do because there was no other way. Now with ERM systems, they can gather the different data points and professional views through specific sets of questions and parameters.”

Compliance can close the loop. Traditionally, compliance departments sat isolated, focusing on specific requirements but at an arm’s length from the organization’s strategic activities. Yet compliance officers are skilled in risk practices such as gap analysis, and they can significantly improve an enterprise’s risk management.

This point is where ERM platforms such as Riskonnect enter the picture. Integrated to gather data from across the company and customized to reflect the business’ frameworks and processes, an ERM platform streamlines data gathering, risk reporting, and identifying overlaps that executives and managers could exploit for efficiency.

It can exploit those overlaps as well, such as what the COSO guidance calls for: closer collaboration between risk, compliance and legal teams, all sharing a single view of the company’s position and ambitions. This approach eliminates unnecessary duplication of effort and reduces the legal blindspots that develop in a multi-faceted enterprise. It can also help companies mitigate risks when engaging with the US Sarbanes-Oxley Act (SOX) and the looming plans to create UK SOX on the other side of the Atlantic.

Compliance demands are growing, and the patience among regulators for legal missteps is shrinking. But even if those weren’t the case, it makes incredible sense to combine the efforts of risk, compliance and legal teams in tactful and agile ways. At a broader scope, every enterprise should invest in how risk informs strategy, using modern digital technology platforms to achieve what was once a pipe dream: a company where the left hand of risk and compliance, the right hand of legal, and the body’s line of business and operations can support each other elegantly and thoroughly.