The New Definition of Compliance Risk

Michael Herrera

Assessing Business Continuity Management (BCM) compliance risk is more than just making sure a program and its dimensions (Program Administration, Crisis Management, Business Recovery, Disaster Recovery and Supply Chain Risk Management) meet the requirements of industry best practices, standards and guidelines.

Recent studies have concluded that the traditional approach to compliance, focused solely on complying with laws, regulations and standards, is inadequate. The studies found that also conforming to internal governance, ethics and risk standards and policies, as well as to the expectations of stakeholders, is more effective in protecting against reputational risk.

The New Definition of Compliance Risk 

The risk of impairment to the organization’s business model, reputation and financial condition (resulting) from failure to meet laws and regulations, internal standards and policies, and expectations of key stakeholders such as customers, employees and society as a whole. 

– The Economist Intelligence Unit and PricewaterhouseCoopers 

Meeting this new definition of compliance risk requires the following changes in your organization:

•       Take a Strategic View 

Take a strategic view of BCM compliance risk, starting with how it pertains to the expectations of your stakeholders; embrace internal governance, ethics and risk management guidelines as well as external regulations; and focus on preventing harm to the organization rather than rebuilding it after the harm is done. By placing stakeholders first, your view now centers on the unmet expectations that would be felt by those who rely on you most, the people who can have the biggest impact on your reputation if a lack of compliance is exposed during a disruption.

•       Perform Frequent Measurements

To meet this new definition, it is critical that the BCM Office track compliance metrics more frequently and at a greater level of detail. By doing this, you are better able to identify gaps in knowledge or failures to follow proper procedures, helping you to continually discover ways to improve efficiency, effectiveness and the ability to meet stakeholder expectations. The use of a BCM GRC tool like BCMMETRICS will facilitate the measurement of your BCM compliance risk.

•       Engage Your Senior Management 

Senior management must demonstrate that the organization has a disciplined approach to mitigating BCM compliance risk and to ensuring BCM capabilities are fully operational across the enterprise. Further, Boards and management must demonstrate that the organization has an approach to meeting changing BCM requirements and expectations, and for ensuring that those changes are addressed on an ongoing basis with a focus on the expectations of its stakeholders.

•       Refocus the Business Units 

Educate business units to understand that BCM compliance is more than just meeting industry guidelines and standards; it is a strategic focus on meeting the expectations of their stakeholders. Their recovery strategies, plans and ability to meet recovery demands are not just a compliance checkmark; they are the means of meeting stakeholder expectations and preventing harm to the organization.

In conclusion, changing your organization's view of BCM compliance risk will take time. However, we must educate our organization that BCM compliance risk is not just a matter of identifying areas of risk (industry standards, internal governance, etc.) but also of understanding how those areas of risk strategically impact our stakeholders' expectations.

Michael Herrera is the CEO and Founder of BCMMETRICS™, a cloud-based self-assessment tool designed to evaluate the level of BCM compliance in today's continuity planning programs. Visit our website for more information or to schedule a demo.