Differences and Relationship Between Compliance and Risk Management

By Jeremiah Ndhlovu

“Order is the key to all problems” (Alexandre Dumas)

The Risk Advisory articles published thus far have taken a deliberately long route to articulate the principles of risk management and compliance, so as to lay a lasting foundation for some of the key principles that different stakeholders may understand less well. What can be discerned from these articles is that the principles of compliance and risk management must be adequately understood if organisations are to yield any tangible outcomes from either practice.

I would not have done justice to my risk management and compliance narratives if they did not set out the distinctions between the principles of risk management and compliance, as well as the similarities. Both are critical, more so in the Mining and Metals sector, given the complexity of operations and the high level of regulation. At face value, the principles of risk management and compliance appear so similar that they might be taken as alternative words for the same thing. To the contrary, understanding the differences between the risk management and compliance approaches, and taking cognisance of these differences when applying both, may well be what separates merely avoiding risks from creating tangible value.

Implementation of the Compliance Framework can be illustrated diagrammatically as shown below.

  1. Compliance Framework/Compliance Universe – The totality of legal and regulatory requirements for the organisation, mainly premised on licensing requirements. The prescriptive requirements are clearly spelt out for all stakeholders falling into the same regulatory cluster.
  2. Inherent Compliance Risk Status on Strategy Formulation – The compliance universe determines the compliance gaps in the operating environment, which must be considered in the formulation of the organisation’s strategy, as non-compliance may result in regulatory censure and possible revocation of licences and permits.
  3. Residual Compliance Risk Status After Strategy Formulation – Part of the strategy formulation involves identifying appropriate risk responses and implementing them to reduce the inherent compliance risk to a low/acceptable residual risk.
  4. Compliance Framework Implementation Outcomes – Implementation of the well-formulated strategy results in discernible, usually binary outcomes (complying or not complying).

On the other hand, the structure for risk management is as illustrated in the diagram below.

  1. Dynamic Operating Environment – The unstructured, dynamic operating environment influences the strategic direction to be taken by an organisation.
  2. Draft Strategy Formulation and Resultant Inherent Risk – The organisation’s strategists formulate the direction to be taken by the organisation, and the organisation’s inherent risk profile is implicitly derived from that draft strategy.
  3. Strategic Risk Assessment – A strategic risk assessment is conducted and appropriate responses are identified.
  4. Final Strategy Formulation and Resultant Residual Risk – The risk responses from the strategic risk assessment are incorporated into the draft strategy. Implementation of the final strategy yields the organisation’s residual risk.
  5. Risk Management Implementation Outcomes – The results arising from implementing the risk management framework are not usually binary or otherwise tightly structured, owing to the flexibility of the strategic risk assessment process and the freedom in the selection of risk responses.

One fundamental difference between compliance and risk management is their starting point: risk management takes the operating environment and the already proposed strategy as inputs and assesses the efficacy of that strategy, whereas compliance starts from the stipulated laws and regulations and derives a complying strategy from them.

From the analysis above it is apparent that compliance is premised on a well-defined framework from the outset, whereas risk management originates from a state of uncertainty. Compliance is prescriptive, whereas risk management allows for flexibility and agility. Because it references well-defined frameworks, compliance employs a silo approach, i.e. its focus is restricted to the area with the stipulated compliance requirements only, whereas risk management assumes an enterprise-wide assessment to ascertain whether the proposed strategy can impact any key area of the business.

Notwithstanding the differences outlined above, practitioners should not lose sight of the alignment between compliance and risk management. Compliance implicitly protects an organisation from a number of risks, while a well-designed and well-implemented risk management framework implicitly protects the organisation from risks that might lead to non-compliance.

It is, therefore, worth noting that compliance and risk management are not mutually exclusive. Rather, organisations need both to attain commendable stability and credibility. The robustness of a risk management framework points to a correlated robustness of the compliance framework.

About the Author

Jeremiah Ndhlovu is a Certified Expert in Risk Management (CERM). He has acquired extensive risk management insights in the mining sector through outsourced projects including enterprise risk management, combined assurance, process and controls standardisation, internal auditing and external auditing. Contact him at jerryndhlovu@gmail.com

