The Relationship Between Compliance Management and Risk Management

July 13, 2017

Managing regulatory compliance and managing the risk potential of certain products are not mutually exclusive responsibilities. In fact, the two disciplines are somewhat symbiotic: risk management can be considered a subset of compliance, and, equally, compliance can be considered a subset of risk management.

It’s the age-old “chicken vs. the egg” question. But regardless of which you believe to be the instigator in this relationship, it is increasingly accepted that the two should go hand in hand, and a new standard is encouraging this partnership.

The new International Organization for Standardization (ISO) 19600 standard, introduced in 2014, outlines an ideology for how risk and compliance should operate together. Several previous compliance standards each focused on a specific regulatory requirement or topic area, whereas ISO 19600 aims to streamline these so that organizations can operate inside a single framework rather than multiple differing ones that each address a different standard.

The new standard states that it is “based on the principles of good governance, proportionality, transparency, and sustainability.” Like various related ISO standards, it emphasizes the use of a “Plan, Do, Check, Act” cycle, a management method that helps businesses control and continually improve processes and products. The cycle runs as follows: establish the objectives and processes needed to deliver results, implement the plan, study the results, and determine whether the plan did or did not improve on the prior baseline.

ISO 19600 recommends that organizations take a risk-based approach to compliance and define a risk “appetite” for compliance risks. It also supports integrating compliance risk management with enterprise risk management, allowing better value to be extracted from compliance and risk cultures that support and feed off one another. Compliance risk management becomes part of enterprise risk management by using the same processes.

The two overlap in several ways: compliance risks are usually also operational risks, and operational risk management processes can equally be used for compliance risk management. Examples of the latter include considering compliance risks in the total risk assessment; adding stress scenarios that lead to major compliance breaches to the total stress testing program; subjecting the key controls over the main compliance risks to regular control testing and validation, as is done for all key controls; and more.

Essentially, compliance risk management should become a key player in the overall enterprise risk management framework, and risk professionals should treat compliance risk as one piece of their total portfolio of risks.

If you are looking for ways to outsource the management of compliance risk, OnRule—a cloud-based SaaS platform that lets you easily manage, track, and analyze regulatory compliance—can help ensure trusted compliance by streamlining compliance management processes. Email or call the compliance experts at OnRule ( or 408-856-6165) to discuss a free demo or a 30-day trial.