Compliance Risk: The New Definition

Assessing Business Continuity Management (BCM) compliance risk means more than checking that a program and its dimensions (Program Administration, Crisis Management, Business Recovery, Disaster Recovery and Supply Chain Risk Management) meet the requirements of industry best practices, standards and guidelines.

Recent studies have concluded that the traditional approach to compliance, which focuses solely on complying with laws, regulations and standards, is inadequate. These studies found that also conforming to internal governance, ethics and risk standards and policies, and to the expectations of stakeholders, is more effective in protecting against reputational risk.

What is Compliance Risk?

Compliance risk is the risk of impairment to the organization's business model, reputation and financial condition resulting from failure to meet laws and regulations, internal standards and policies, and the expectations of key stakeholders such as customers, employees and society as a whole.

Meeting this modern definition of compliance risk requires the following changes in your organization:

Take a Strategic View

Take a strategic view of BCM compliance risk: consider the expectations of your stakeholders first; embrace internal governance, ethics and risk management guidelines as well as external regulations; and focus on preventing harm to the organization rather than rebuilding it after the harm is done. By placing stakeholders first, your view shifts to the impacts on expectations that would be felt by those who rely on you most, and who can do the greatest damage to your reputation if a lack of compliance is exposed during a disruption.

Perform Frequent Measurements

To meet this new definition, it is critical that the BCM Office track compliance metrics more frequently and at a greater level of detail. Doing so makes it easier to identify gaps in knowledge or failures to follow proper procedures, and to keep discovering ways to improve efficiency, effectiveness and the ability to meet stakeholder expectations. A BCM GRC tool such as BCMMETRICS (www.bcmmetrics.com) can facilitate the measurement of your BCM compliance risk.

Engage Your Senior Management

Senior management must demonstrate that the organization has a disciplined approach to mitigating BCM compliance risk and to ensuring that BCM capabilities are fully operational across the enterprise. Further, the board and management must demonstrate that the organization has an approach for meeting changing BCM requirements and expectations, and for addressing those changes on an ongoing basis with a focus on the expectations of its stakeholders.

Refocus the Business Units

Educate business units to understand that BCM compliance is more than meeting industry guidelines and standards; it is a strategic focus on meeting the expectations of their stakeholders. Their recovery strategies, plans and ability to meet recovery demands are not just a compliance checkmark; they are how the business unit meets stakeholder expectations and prevents harm to the organization.

How do you begin managing compliance risk?

As the number of global regulations and stakeholder expectations increases, organizations are exposed to a greater degree of compliance risk than ever before.

Businesses in any industry should assess the legal and reputational risk exposure of their business activities. This matters not only for adhering to applicable laws and regulations, but also for establishing and maintaining internal standards of conduct.

Start with an inventory of federal and/or state laws, regulations, rules, standards and other guidelines, and determine the applicability of each to the relevant business units and/or activities. Then perform a risk analysis, followed by compliance reviews that confirm you are managing the identified risk.

Categorizing Compliance Risks

To understand their risk exposure, many organizations may need to improve their risk assessment process to fully incorporate compliance risk exposure. Compliance risks are commonly categorized by the kind of impact a failure to comply would have:

Legal Impact: Regulations and laws that can be enforced against the organization, where failure to comply could result in fines, imprisonment, product seizures, penalties or debarment.

Financial Impact: Outcomes that negatively affect the business's bottom line, such as loss of investor confidence, a falling share price or reduced future earnings.

Reputational Impact: Results that damage customer perception of a brand through bad PR, decreased customer trust or negative social media discussion, as well as decreased employee confidence and morale.

Business Impact: Factors that affect a business's ability to operate, such as a plant shutdown, a trade embargo, a strike or an outage of some kind.

Summing up managing compliance risk

In conclusion, changing your organization's view of BCM compliance risk will take time. We must educate our organizations that BCM compliance risk is not just a matter of identifying areas of risk (industry standards, internal governance, etc.) but also of understanding how those areas of risk strategically affect our stakeholders' expectations. We must then actively monitor and review risk so that we can anticipate new regulations, make needed adjustments and eliminate redundancies.

About
Michael Herrera
Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations globally. He is also the founder of BCMMETRICS, a leading cloud-based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought-after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.