What is compliance risk?

Compliance risk is an organization's potential exposure to legal penalties, financial forfeiture and material loss resulting from its failure to act in accordance with industry laws and regulations, internal policies or prescribed best practices. Compliance risk is also known as integrity risk.
Organizations of all types and sizes are exposed to compliance risk, whether they are public or private entities, for-profit or nonprofit, or state or federal agencies. An organization's failure to comply with applicable laws and regulations can cost it revenue directly, through fines, forfeitures and remediation, and can also damage its reputation, business opportunities and valuation.

Types of compliance risk

An organization may be implicated in the following types of compliance risks:
What is compliance risk management?

Compliance risk management is the process of identifying, assessing and mitigating potential losses that may arise from an organization's noncompliance with laws, regulations, standards, and both internal and external policies and procedures. Its practices are intended to help organizations maintain compliance with the regulations and laws that apply to them. Organizations typically document compliance risk management policies and procedures, which are the framework and mechanisms they implement to control compliance risk.

Compliance risk management is a continuous process that involves tracking changes in the regulatory environment to ensure an organization's compliance stays up to date. Compliance policies, procedures and training materials must be revisited on a regular basis in light of new policies, directives and regulations.

Organizations need to be aware of their compliance risk on a number of levels, not just from the perspective of the chief compliance officer (CCO). While the CCO and other compliance staff are responsible for reviewing all aspects of the organization's compliance risk, including its legal, regulatory, financial and technical risks, compliance risk extends to all levels of the organization, including information technology (IT). Many regulatory requirements, such as access control, logging, retention and encryption, are ultimately implemented and evidenced by IT systems, which is why the IT department must be involved in compliance risk management.

Compliance risk management forms a portion of the collective governance, risk and compliance (GRC) discipline. GRC is a set of management practices and technologies designed to ensure that an organization is operating in a manner consistent with its values, mission and risk tolerance. GRC programs are most established in the financial industry, but other industries, such as healthcare, are also required by law to adopt risk management and compliance practices. GRC is designed to help organizations identify and evaluate risks to their business and reputation.
The three disciplines overlap with established practices such as incident management, operational risk assessment and internal auditing, and a GRC framework helps organizations manage their compliance risk alongside those practices.

Compliance risk examples

In the U.S., corporate compliance is usually tied to applicable laws and regulations. For example, the anti-bribery provisions of the Foreign Corrupt Practices Act (FCPA) apply to U.S. issuers, domestic concerns and anyone acting within U.S. territory, whereas the Sarbanes-Oxley (SOX) Act applies to companies with publicly traded securities. FCPA is enforced by the U.S. Department of Justice and the U.S. Securities and Exchange Commission (SEC); SOX is enforced primarily by the SEC. FCPA prohibits offering, promising or giving anything of value to a foreign official to influence business, and its accounting provisions require issuers to keep accurate books and records and to maintain internal accounting controls. SOX requires public companies to certify the accuracy of their financial reports and to maintain and assess internal controls over financial reporting, so financial reporting processes and the business operations and IT systems that feed them are all within scope of SOX compliance.

In healthcare, there are numerous compliance risks and requirements. Laws and regulations with significant compliance risks include the Health Insurance Portability and Accountability Act (HIPAA). HIPAA's Privacy and Security Rules require covered entities and their business associates to safeguard protected health information (PHI): individually identifiable information about a person's past, present or future health condition, the provision of healthcare to that person, or payment for that care. PHI includes, for example, genetic information, health insurance information and any other identifiable information related to the provision and payment of healthcare.

The cloud has created new risks for organizations that need to achieve and maintain compliance. Many organizations are concerned with whether cloud services are secure enough to hold data that is highly sensitive and needs to be protected. In the cloud, compliance can also become an issue when data is exposed to employees who are not supposed to have access to it, as well as when data is moved into the cloud without an appropriate permissions structure. Major cloud providers offer encryption of data at rest and in transit, but encryption by the provider does not by itself satisfy a compliance obligation: under the shared responsibility model, the customer remains responsible for classifying its data, managing keys where required, configuring access controls and logging, and demonstrating to auditors that those controls are in place.
Compliance risk assessment

A key concept of compliance risk management is the risk assessment process, which includes identifying and evaluating the potential risks that threaten an organization's ability to ensure it is compliant with laws and regulations. Risk assessment can include reviewing information sources, such as reports from the business's management and from regulatory bodies, as well as identifying data and information that is already available to the organization, such as audit findings, incident records and access reviews.

Following a compliance risk assessment, an organization can determine its level of compliance and reveal what changes need to be made for improvement. An organization uses this information to create and implement a compliance risk management strategy that helps ensure it is in compliance with applicable laws. For example, the assessment might reveal that the organization requires more secure procedures regarding remote work. The organization can plan to address this weakness by implementing more thorough remote work policies and the technical controls needed to enforce them.

This was last updated in April 2021