Compliance Risk Defined
- Compliance risk is the risk of loss that may originate from employee nonconformity to regulatory statutes and industry practices. To illustrate, assume a bank's junior financial sales associate needs to conform to Security and Exchange Commission (SEC) requirements when recommending stocks or bonds to a client. If the sales associate fails to do so, the bank may receive regulatory fines. Compliance risk also may emanate from technological malfunction. The SEC may still fine the bank if the agency notes that its regulatory reporting systems are not adequate.
- Compliance risk is implicit in a corporation's financial or operational activities. In financial transactions, a company may incur losses due to noncompliance with laws in credit and market deals. For example, a junior bond trader who fails to sign an International Swaps and Derivatives Association (ISDA) agreement in an international financial futures contract may expose the bank to potential losses if a party to the contract defaults. Compliance risk in operational activities may relate to information systems breakdowns, employee error or carelessness and fraud.
Risk and Control Assessment
- A firm may periodically evaluate and rate potential losses that may arise from noncompliance with regulations and corporate policies. Senior departmental managers instruct segment employees to prepare a risk and control self-assessment (RCSA) report in which they document risks and internal controls. A control is a set of procedures that a company's top leadership puts into place to prevent operational and nonconformity losses. Segment staffs also rate risks as "high," "medium" and "low" based on loss expectation.
- A company's top management generally focuses on "high" risks and provides corrective measures. These risks are also referred to as "material weaknesses" because they generally relate to a major process within a firm or a major department. For instance, employees in the premium processing department of an insurance company do not adhere to a state insurance commission's regulations. The company may incur significant losses, such as hefty statutory fines, if regulators discover instances of nonconformity. Departmental heads typically focus on "medium" risks and take mitigating actions, whereas segment employees remedy control problems rated as "low" risks.
- Risk hedging consists of measures that a company takes to remedy losses related to regulatory nonconformity. A corporation's top leadership typically finds corrective measures for "high" risks because they may cause heavy losses and operational problems if left unresolved. For "medium" and "low" risks, departmental heads and segment employees partner with risk department staff, internal auditors and public accountants (external auditors) to find permanent remedies.