Compliance and Audit: Where do we go from here?
Many organizations begin their journey towards an integrated approach to risk management in the realm of compliance. The immediate threat of a compliance violation due to an emerging regulatory requirement has always been a compelling event. The resulting efforts to identify effected business operations, subsequently design and implement controls and ultimately demonstrate compliance form the foundation upon which many GRC programs were built. While compliance activities are just one part of managing overall business risk, the discipline required to define controls and measure effectiveness is a key ingredient for successful, long-term risk management practices.
The next step logically is to begin putting compliance into the context of operational risk. The ability for an organization to leverage compliance in this manner is much more valuable than a standalone compliance function. Integrated compliance and audit functions are more effective as a 3rd line of defense – especially as control design and implementations to manage business risks can draw on the experience from compliance programs.
For Chief Audit Executives and Corporate Compliance functions, integrating compliance into risk management strategies is an excellent opportunity to up level your visibility and show that compliance is not just a check-the-box exercise. Compliance and audit, when executed in the context of risk management and business strategy, adds real value towards an organization’s goals. Additionally, you can get the executives to appreciate what the compliance and audit teams are doing by getting most bang out of your audit budget and limited resources and focus on the right risk areas.
How can I report on compliance issues in the context of broader operational risk management efforts?
How am I prioritizing compliance and audit activities and allocating limited resources towards the right risks?
If you can answer these questions positively, you are on the right track to evolving compliance towards a major contributor to risk management.
From a Chief Risk Officer perspective, risk processes can be built right on top of the existing compliance and audit program. For example, leveraging the controls assessment processes already in place saves time and energy while establishing a core part of residual risk measurement. Managing risk is dependent on how good you are at implementing controls and visibility into our compliance state helps you really understand risk exposure. Integrated compliance and audit processes feeding insights to the risk program provides a key ingredient in understanding the business’ true gaps.
At Archer, we see the symbiotic connection of Audit, Compliance and Risk functions in action. 91% of Enterprise and Operational Risk Management customers own Compliance use cases. 84% of our customers who own our Audit solution also own risk management use cases. These are natural combinations towards Integrated Risk Management. If you have worked hard on establishing your audit and compliance program – and most companies have - and have not broadened into Enterprise or Operational Risk Management, you are behind the curve.
Enterprise and operational risk management is the natural progression for compliance. Compliance is only one type of risk, and therefore focusing on just compliance is not the final state. Audit functions are traditionally considered the 3rd line of defense in traditional Ops Risk strategies. Audit provides the independent review and assurance that controls are effective. Adding risk management processes on top of Compliance and Audit programs can ‘uplevel’ the value that compliance activities are providing the organization and help the organization more effectively achieve business goals by properly identifying and managing risk.
Maintaining an effective compliance program can be one of the most difficult, time-consuming and expensive activities organizations face today and into the future. Read our white paper on eight modern principles and techniques that can allow organizations to demonstrate compliance more efficiently, effectively and at a lower cost.