
Differences and Relationship Between Compliance and Risk Management


By Jeremiah Ndhlovu

“Order is the key to all problems” (Alexandre Dumas)

So far, the Risk Advisory articles published have taken a deliberately long route to articulate the principles of risk management and compliance. I have done this in order to lay a firm foundation in some of the key principles that might be less understood by different stakeholders.

What can be learnt from these articles is that compliance and risk management principles ought to be understood adequately if organisations are to yield any tangible results from the respective practices.

I would not be doing justice to risk management and compliance if I did not enunciate the distinction between the principles of risk management and compliance, as well as the similarities. However, it is worth noting that both principles are critical, especially in the mining and metals sector, considering the complexity of operations and the high level of regulation.

At face value, the principles of risk management and compliance may appear similar to the extent that they might be confused as interchangeable words for the same thing. On the contrary, understanding the differences between risk management and compliance approaches, and taking cognisance of these differences in the application of both principles, could be what it takes to avoid risks and create tangible value.

Implementation of the compliance framework can be illustrated as follows:

  • Compliance Framework/Compliance Universe – The totality of legal and regulatory requirements for the organisation is mainly premised on licensing requirements. The prescriptive requirements are clearly spelt out for all stakeholders falling into the same regulatory cluster.
  • Inherent Compliance Risk Status on Strategy Formulation – The compliance universe influences the compliance deficiencies in the operating environment, which are to be considered in the formulation of the organisation’s strategy; non-compliance may result in regulatory censure and possible revocation of licences and permits.
  • Residual Compliance Risk Status After Strategy Formulation – Part of the strategy formulation involves identifying appropriate risk responses and implementing the same to reduce the inherent compliance risk to low/acceptable residual risk.
  • Compliance Framework Implementation Outcomes – Implementation of the well-formulated strategy results in discernible, usually binary, outcomes (complying or not complying).

On the other hand, the structure for risk management is as follows:

  • Dynamic Operating Environment – The unstructured dynamic operating environment influences the strategic direction to be taken by an organisation.
  • Draft Strategy Formulation and Resultant Inherent Risk – The organisation’s strategists formulate the direction to be taken by the organisation, and the organisation’s inherent risk profile is latently derived.
  • Strategic Risk Assessment – The appropriate responses are identified after a strategic risk assessment is conducted.
  • Final Strategy Formulation and Resultant Residual Risk – The risk responses from the strategic risk assessment are incorporated into the draft strategy. Implementation of the final strategy will yield the organisation’s residual risk.
  • Risk Management Implementation Outcomes – The results arising from implementing the risk management framework are not usually binary or so structured due to the flexibility of the strategic risk assessment process and freedom in the selection of risk responses.

One fundamental difference between compliance and risk management is that risk management takes into account the operating environment and the already proposed strategy to assess the efficacy of the strategy, whereas compliance considers the stipulated laws and regulations to come up with a complying strategy.

From the analysis above, it is apparent that compliance is premised on a well-defined framework from the onset and that risk management originates from a state of uncertainty. Also, compliance is prescriptive, but risk management allows for flexibility and agility.

Because it refers to well-defined frameworks, compliance employs a silo approach, i.e., focus is restricted to the area with the stipulated compliance requirements only. Risk management, however, assumes an enterprise-wide assessment to ascertain whether the proposed strategy can affect any key area of the business.

Notwithstanding the differences outlined above, practitioners should not lose sight of the alignment of compliance and risk management. Compliance latently protects an organisation from a number of risks, but a well-designed and implemented risk management framework latently protects the organisation from risks that might lead to non-compliance.

It is, therefore, worth noting that compliance and risk management are not mutually exclusive. Rather, organisations need both to attain commendable stability and credibility. The level of robustness of a risk management framework points to a correlated robustness of the compliance framework.

About the Author

Jeremiah Ndhlovu is a Certified Expert in Risk Management (CERM). He has acquired extensive risk management insights in the mining industry through outsource projects, including enterprise risk management, combined assurance, process and controls standardisation, internal auditing, and external auditing. Contact him at: jerryndhlovu@gmail.com

ZiMining is an exclusively mining magazine registered with the Zimbabwe Media Commission