Linking Compliance and Legal Risk Management
Does compliance have anything to do with risk management? Do these two "à la mode" concepts interact in real-life legal practice? Here are some thoughts on the subject.
From a strategic viewpoint, compliance is about deciding in which areas your company has a vital interest in complying with applicable laws and regulations. This will of course be different for various business sectors, because areas of vital importance are not necessarily the same for companies in banking, pharma, food or air traffic. In itself, this is already a risk management exercise: "What would be the potential consequences of not complying?" is a typical risk management question.
By the way, the idea of focusing compliance efforts on selected areas may seem dangerous, as if it suggested that in the non-vital areas, complying with laws and regulations does not matter. That's of course not the point. The point is that when you operate in a particular market, there are some areas where complying with existing rules is not just important, but of <em>strategic, vital importance</em>. These are the areas where failure to comply could have devastating consequences for the company. Of course, defining compliance priorities should not be understood as a "licence to kill" in all other areas. It just means that in a world where resources are limited, companies must choose priorities, and that applies to compliance as well.
So, assuming you have defined your compliance priority areas, what's the next step? Here comes risk management again. You need to carry out a risk management analysis to figure out where your main risks of non-compliance lie in these areas. Of course, it is important to limit this exercise to the selected priority areas (engaging in a risk analysis of non-compliance with any and all applicable laws and regulations whatsoever would of course be pure madness).
The purpose of the risk analysis is to identify the weak spots: the situations that are not too unlikely to happen and that would have a dramatic impact if they do. Once you have identified those weak spots, those "risks", you then have to find and carry out ways to mitigate them by reducing their likelihood or their impact if they materialise, or both.
There is of course much more to investigate about compliance and risk management, but that's it for this post: the only purpose was to highlight how compliance and risk management go hand in hand.
Antoine Henry de Frahan | 2 December 2007
