What is compliance risk?

Compliance risk is an organization's potential exposure to legal penalties, financial
forfeiture and material loss, resulting from its failure to act in accordance with
industry laws and regulations, internal policies or prescribed best practices.
Compliance risk is also known as integrity risk.

Organizations of all types and sizes are exposed to compliance risk, whether they are
public or private entities, for-profit or nonprofit, state or federal. An organization's
failure to comply with applicable laws and regulations can affect its revenue, which
can lead to loss of reputation, business opportunities and valuation.

Types of compliance risk

An organization may be implicated in the following types of compliance risks:

• Corrupt and illegal practices. Legal compliance ensures that the
organization, its agents and employees are abiding by the laws and
regulations of the industry. Common compliance risks involve illegal
practices and include fraud, theft, bribery, money laundering and
embezzlement.

• Privacy breaches. A common compliance risk is the violation of privacy
laws. Hacking, viruses and malware are some of the cyber risks that affect
organizations. Additionally, if a company handles sensitive information, it
is required to take the appropriate measures to protect that data and prevent
privacy breaches.

• Environmental concerns. These compliance risks deal with pollution and
environmental damage an organization's operations can cause. Examples
include the destruction of natural habitats, use of harmful chemicals,
hazardous waste disposal and pollution of groundwater. Many companies
are integrating sustainability into their business strategies and are providing
their employees with training and resources to help them achieve
environmental compliance.

• Process risks. A process risk is a failure to follow an established procedure
for completing a task or a deviation from the standard process. For example,
a company must have a documented procedure for accessing its network
remotely. If an employee does not follow the proper procedure for remote
access, it is considered a process risk.

• Workplace health and safety. Companies are legally required to follow
specific health and safety protocols. In the U.S., many of these laws are
enforced by federal agencies, such as the Occupational Safety and Health
Administration (OSHA) and U.S. Food and Drug Administration (FDA). In
Europe, the equivalent regulatory bodies are known as the European
Agency for Safety and Health at Work (EU-OSHA) and European
Medicines Agency (EMA).

What is compliance risk management?

Compliance risk management is the process of identifying, assessing and mitigating
potential losses that may arise from an organization's noncompliance with laws,
regulations, standards, and both internal and external policies and procedures.
Management practices are intended to help organizations maintain compliance with
various regulations and laws. Organizations may have compliance risk management
policies and procedures, which are the framework and mechanisms they implement to
control compliance risk. Compliance risk management is a continuous process that
involves tracking changes in the regulatory environment to ensure an organization's
compliance is up to date. Compliance policies, procedures and training materials must
be revisited on a regular basis in light of new policies, directives and regulations.

Organizations need to be aware of their compliance risk on a number of levels, not
just from the perspective of the chief compliance officer (CCO). While the CCO and
other compliance staff are responsible for reviewing all aspects of the organization's
compliance risk -- including its legal, regulatory, financial and technical risks -- the
compliance risk extends to all levels of the organization, including information
technology (IT). This is why the organization's IT department must be involved in
compliance risk management.

Compliance risk management forms a portion of the collective governance, risk and
compliance (GRC) discipline. GRC is a set of management practices and
technologies designed to ensure that an organization is operating in a manner
consistent with its values, mission and risk tolerance. GRC policies are mainly seen in
the financial industry, but other industries, such as healthcare, are also required by law
to adopt risk management and compliance practices.

GRC is designed to help organizations identify and evaluate risks to their business and
reputation. The three fields are similar to incident management, operational risk
assessment and internal auditing.
