This document provides an overview of compliance and risk management concepts. It discusses compliance as the minimum legal standard and the importance of also implementing good risk management practices. The document outlines the six main phases of the compliance process: understand legal obligations, create an obligations register, assess compliance risks, manage obligations, monitor and evaluate compliance, and communicate and report. It also discusses establishing the context for risk management, identifying risks, analyzing and evaluating risks, treating risks, and monitoring and reviewing the risk management process. The case study examples demonstrate how these concepts apply to specific compliance scenarios.
6. Commonwealth Bank of Australia pays $100,000 fine for breach of continuous disclosure law
• On 16 December 2008, as the Commonwealth Bank of Australia (CBA) was attempting to close a AU$2 billion capital raising, it received updated information about its impairment expenses. The issue was abandoned and CBA blamed its adviser for telling potential investors of the impairment expense before the rest of the market.
• The Australian Securities and Investments Commission (ASIC) issued an infringement notice to CBA alleging it had failed to notify the Australian Securities Exchange (ASX) after becoming aware of information about its expected loan impairment expense (LIE) to gross loans and acceptances ratio for the financial year ending 30 June 2009.
Source: Australian Regulatory Compliance Review, Nov 09 (article first reported on Complinet)
7. Entity Component: Compliance structure
(Diagram: layered compliance structure. Layers: Policy; Operating Procedures; Requirements and Obligations Registers; Criteria and Process Flows; Systems; Forms and Templates. Cross-cutting elements: Reporting; Communication; Assurance. Documents shown: Compliance Management Policy; Compliance Management Operating Procedure; Requirements Register; Obligations Register; Compliance Software.)
8. Six main phases of the compliance process
1. Understand the Legal and Regulatory Environment
• Understand the business environment
• Understand and manage relationships with legislators, regulators and government
• Determine categories of compliance and maintain the compliance risk universe
2. Create and Maintain the Obligations Register
• Identify compliance requirements/obligations
• Prioritise requirements
• Identify and manage changes to requirements and obligations
3. Compliance Risk Assessment
• Identify compliance risks
• Analyse compliance risks – likelihood, consequence and controls
• Evaluate compliance risks – determine treatment based on analysis
4. Manage Obligations
• Annual compliance plans
• Breach reporting and management
• Records management
• Project management
• Third parties
5. Monitor and Evaluate
• Performance measures and metrics
• Assurance activities
• Complaints handling
• Continuous improvement
6. Communications & Reporting
• Communication
• Training & education
• Internal and external reporting
10. What is risk management?
“Culture, process and structures that are directed towards realising potential opportunities whilst managing adverse effects” – AS/NZS 4360:2004
“...Co-ordinated activities to direct and control an organisation with regard to risk” – ISO 31000
(Source: Draft ISO31000 Risk Management – Principles and Guidelines on Implementation, 2008)
11. Risk defined
“The chance of something happening that will have an impact on achieving objectives” – AS/NZS 4360:2004
“Effect of uncertainty on objectives” – ISO 31000
(Source: Draft ISO31000 Risk Management – Principles and Guidelines on Implementation, 2008)
12. Risk management creates value
Risk management contributes to the demonstrable achievement of objectives.
(Source: Draft ISO31000 Risk Management – Principles and Guidelines on Implementation, 2008, p.2)
13. Risk management should be embedded
Risk management should be embedded in all the organisation's practices and processes in a way that it is relevant, effective and efficient. The risk management process should become part of, and not separate from, those organisational processes.
(Source: Draft ISO31000:2009 Risk Management – Principles and Guidelines, ISO, 2009)
14. Risk frameworks
(The risk management) framework is not intended to prescribe a management system, but rather to assist the organisation to integrate risk management into its overall management system.
(Source: Draft ISO31000:2009 Risk Management – Principles and Guidelines, ISO, 2009)
15. 7 risk management questions
1. What are we trying to achieve?
2. What events or circumstances could prevent us from achieving our goals?
3. What will the consequences of such events be?
4. How likely are these events?
5. What will we do to prevent negative outcomes?
6. How can we maximise potential opportunities?
7. Can the organisation recover if a risk eventuates?
16. Risk management framework
• Mandated from the top
• Design of framework (Plan)
• Implementing risk management (Do)
• Monitoring and review (Check)
• Continuous improvement (Act)
18. Risk rating scales: likelihood
Score  Rating        Detailed description
5      Frequent      The event is very likely to occur within 3 months
4      Likely        The event will probably occur within 1 year
3      Occasionally  The event could occur between 1-3 years
2      Unlikely      The event could occur between 3-10 years
1      Rare          The event may possibly occur, but is unlikely at a frequency of less than once in 10 years
19. Risk rating scales: consequence
Score  Description
5      Catastrophic / Extreme
4      Major
3      Moderate
2      Minor
1      Insignificant
Consequence categories (the categories below are possible categories only): Financial; Service Delivery; Reputation; People & Knowledge; Health and Safety; Legal and Regulatory
21. Risk appetite and risk rating
(Diagram: risk matrix with increasing likelihood on one axis and increasing impact on the other. Risk appetite lines shown: Large Appetite for Risk; Standard; Plan for All Extreme Risks; Risk Averse. Escalation levels shown: Board; CEO; Manager; Staff.)
22. Risk response and escalation
Risk      Type of action                               Risk/Audit Committee oversight
Extreme   Immediate action required                    Direct
High      Senior management attention needed           Monitors
Moderate  Management responsibility must be specified  Ensures sign offs and is advised of changes up or down
Low       Manage by routine procedures                 Ensures sign offs
(Escalation levels shown: CEO/Board; GMs)
23. Control effectiveness scales
1  Effective                 Indicates minimal uncontrolled risk, due to excellent risk management/controls in place, tested and monitored
2  Good                      Indicates a good risk management and control system, but an opportunity for refinement exists to reduce risk further.
3  Fair/Partially Effective  Indicates a need for improvement in controls, increased adherence to controls, or that controls are being developed but are not fully in place and tested.
4  Poor                      Indicates effective risk controls have not yet been developed and a significant lack of risk control exists – additional risk management or treatment is a matter of priority
26. Identify risks
• What can happen?
• How can it happen?
• What is the source/cause?
Eg: Failure of a major piece of plant equipment leading to death or serious injury of employees.
(Process diagram: establish context → identify risks → analyse risks → evaluate risks → treat risks, with "monitor and review" and "communicate and consult" running alongside every step)
27. Analyse and evaluate risks
Taking into account current controls and their effectiveness
Risk = C x L
Risk  C  L  Control effectiveness  Risk score (L*C)
A     5  5  Partially Effective    25
B     3  5  Effective              15
C     3  4  Ineffective            12
D     2  2  Not assessed           4
28. Risk treatment options
• Accept – risk acceptable with current controls (or cannot be reduced further and accepting risk)
• Reduce – risk not acceptable with current controls; additional controls to reduce either L or C or both
• Avoid – with current controls the risk cannot be reduced and we do not want to accept it
• Transfer – options include insurance, contract, outsource (*never really transfer all risk!)
29. Monitor & Review
BOARD – Quarterly (legislation requires at least an annual review)
• Report format and frequency reflect Board preferences
• Heat maps/matrices – visuals and graphs popular
• Summary of critical and strategic risks
• Risk per risk category
• Trend reports
COMMITTEES – Committee to advise
• Report type reflects committee responsibilities:
• Finance: detailed financial risks prior to budgeting/planning
• OH&S: OH&S and infrastructure risks
EXECUTIVE – Monthly to quarterly
• As per Board
• May require monthly risk summary
MANAGEMENT – Monthly to quarterly
• Summary of all risks allocated to specific risk owner/s
• Include control and treatment information, due dates for action, treatment status
STAFF – Ad hoc
• Informal feedback from supervisors
• Communicate successes of risk initiatives
EXTERNAL – As required by stakeholders
• Statement in annual report
• Ad hoc communications to business partners, press, public
• Mandated risk reporting to minister/s, departments etc.
30. Communicate and consult
• Inform and seek feedback from stakeholders
• Reports
• Statements in annual report
• Information available on website
• Internal communications (newsletters)
• Meetings (agenda items)
• Training and induction programs
• Policies and procedures
33. Bringing it all together
• Compliance is the minimum legal standard
• Need good risk management – think beyond compliance obligations
• Governance, risk and compliance – they are interconnected – must have all three
Editor's notes
Risk management is HOW a business or Government achieves its objectives. The focus should be on how it will add VALUE to what is being undertaken and how best to achieve that. Too often the focus shifts away from what is trying to be achieved, and whether there is any value in undertaking the activity, to focusing on all the things that could go wrong and finding ways to prevent them. This stifles innovation and creativity.