The “risk” a company is willing to take with its entity management and compliance is a very personal thing. There will be some in the business who are natural gamblers, happy to sail close to the wind and try to get away with the bare minimum required on the compliance front. Then there are those who are naturally risk-averse, and who will want to dot every “i” and cross every “t” before they’ll sign off on a risk management plan.
But most entity managers find themselves in the middle somewhere, not really sure what tone their entity management plan should strike. How should the governance structure be set up? Where should legal operations spend the most time? How much risk is legally compliant?
The truth is there is no hard and fast rule here; no single body can stand up and say you should aim for X percent risk, or Y type of risk profile is preferred for Z-size company. As we said, the risk a company is willing to take on compliance is entirely down to that company’s business strategy, its risk appetite and how it wants to grow.
The jurisdictions in which it is present will also play a role — if an enterprise has a large presence in jurisdictions that are strong on regulation and have a history of handing down big penalties for non-compliance, then the risk appetite will likely be smaller than that of a company based only in a single jurisdiction that is more relaxed and nurturing.
What is compliance risk?
When assessing the risk profile of compliance, it’s important to understand what to look at. Your legal compliance risk is based on the exposure to legal penalties, financial forfeiture and material loss an organization faces when it fails to act in accordance with industry laws and regulations, internal policies or prescribed best practices.
In other words, compliance risk is the potential for an entity to miss a filing, to not be set up in accordance with local rules and regulations, to fail to adhere to codes of conduct and codes of ethics and so on. It can be seen as part of the governance, risk management and compliance, or GRC, function of a business — three areas that often overlap.
If a legal compliance risk materializes, an entity can face fines, damages, voided contracts, loss of reputation, loss of profit or share price, and even jail time for directors in some jurisdictions. It goes without saying, then, that it’s important to assess how much risk is legally compliant in terms of both the business at hand and the jurisdictions in which its entities are operating.
It should be said that compliance does not equal risk management, though they are aligned. Naturally, the increase in compliance regulations, as well as the growth in corporate and social responsibility demands, bring with them new challenges that need closer risk monitoring, but the task of risk monitoring and management does not necessarily mean a company becomes compliant.
While compliance regulations help to standardize business practices and ensure organizations act in a fair and ethical manner, risk managers tend to focus on risks in relation to strategy — will this particular piece of the plan lead to long-term monetary or operational challenges, and how can those challenges be mitigated before they become issues?
Consider it this way: Compliance is more tactical, prescribed, driven by risk aversion; risk management is strategic, predictive and aims to create value for the business by developing a winning value proposition. Compliance risk management should look at:
- How to recruit the right talent, ensuring you have the right roles in place to manage and enforce compliance
- How to stay on top of regulations to ensure you remain compliant in an ever-changing market
- How to create a culture of compliance within the business
- How to ensure you have the right analytics and processes in place to monitor compliance
Determining your business’s risk appetite and risk tolerance
Given risk is the probability of loss given an event, you could say that with enough data about a business’s operations — in the case of compliance risk, its legal operations are a good starting point — then the firm can build predictive models based on experience. However, much of managing compliance risk can be quite a manual process unless using, creating and storing data with entity management software is part of the culture.
Data can also help you to determine your business’s risk appetite and risk tolerance. While the first is often defined as the amount of risk an organization is willing to accept in the pursuit of its long-term objectives, risk tolerance is the amount of risk an organization can take before being significantly impacted. Data concerning the company’s history of compliance, its propensity to meet requirements and its background of misconduct can help inform the decision over how much risk is legally compliant.
Defining risk appetite can help determine how much risk is legally compliant in the board’s eyes. The Institute of Risk Management suggests setting a risk appetite is not a simple thing; it involves plenty of research and engagement with stakeholders from around the business. What risk is acceptable to take in pursuit of the company’s wider objectives? Remember, the business must take accountability for the risks it takes, so ensure the decision of how much risk is legally compliant and the resulting risk profile is backed by the top management.
When looking at how much risk is legally compliant for your business, ensure you consider what Deloitte calls the key risk drivers:
- Legal impact — the regulatory or legal action brought against the organization or its employees. This can be fines, penalties, imprisonment, product seizures and so on.
- Financial impact — taking a hit to the bottom line, share price, potential future earnings or loss of investor confidence.
- Business impact — think about the operational issues, such as embargoes or plant shutdowns, that could significantly disrupt your ability to operate.
- Reputational impact — things like bad press or social media discussions can follow a compliance failure, as can a loss of trust in the brand by both customers and employees.
Using technology to get real-time, robust data
But to get the compliance data, you need to both foster a culture in which employees feel safe reporting misconduct — that is, compliance issues, such as offering bribes to officials — and build an operational platform that harnesses technology for robust, real-time data. While the culture must come from the top down, with the board inspiring the grassroots of the company to act in an ethical and compliant way, the data side of things best comes from a central repository.
By using entity management software that’s based in the cloud, both risk managers and compliance teams can be looking at the same information at the same time from wherever they are in the world. This is especially useful for global entity management, where compliance and risk teams in far-flung locations can’t necessarily march into HQ and demand to see the data.
Diligent’s entity management software is cloud-based and secure, aimed at creating a single source of truth for all entity-related information. It allows for the implementation of processes and procedures to ensure precision, accuracy and timeliness, all while creating and storing the data needed to assess risk in relation to legal compliance.
Get in touch and request a demo to see how entity management software can help inform your discussions of how much risk is legally compliant for your company, and help you to make data-driven decisions instead of gambling the company’s — and directors’ — reputations.