Login Register Subscribe
Current Issue

ERM lays foundation for regulatory compliance

Reprints

An enterprise risk management process in line with ISO 31000 and other standards can help risk managers and their organizations navigate an ever-more-complicated regulatory compliance environment, according to industry experts.

Public and private organizations must deal with directives spelling out their responsibilities in many areas, ranging from data security to employment practices and safety. And failure to comply with a regulatory directive can lead to fines or a hit to an organization's public standing.

That's why having a risk manager with knowledge of risks across an organization as well as the ability to anticipate unforeseen risks is crucial to any compliance strategy.

“In my opinion, the roles a risk manager maintains related to compliance requirements are as a strategist and resource,” Robin Flint, senior risk managing consultant for the Association of California Water Agencies/Joint Powers Insurance Authority in Roseville, California, said in an email. “As a strategist, a risk manager has the skill in making plans to achieve a compliance goal and form strategies that align with the organization's vision and regulatory requirement. As a resource, a risk manager helps to identify compliance deficiencies or regulatory opportunities that provide value to the organization.”

ISO 31000 and companion risk management standards give the risk manager an important set of tools to do this work. Released by the International Organization for Standardization in 2009, ISO 31000 offers principles, a framework and a process for managing risk.

“Compliance is subset of ERM,” said Dorothy Gjerdrum, managing director for ERM with Arthur J. Gallagher & Co. in St. Paul, Minnesota. “Compliance and any kind of regulation require diligence and documentation and communication with other parts of the organization, and ERM helps support all of that.

“ERM helps focus on the strategy and goals, and one of those goals is always to be in compliance, to meet regulatory obligations,” she said.

“Given the highly complex risk and regulatory environment, there is increasing overlap between the risk management and regulatory compliance functions,” said Mike Elliott, senior director of knowledge resources with Malvern, Pennsylvania-based The Institutes, the operating name of the Insurance Institute of America and the American Institute for Chartered Property Casualty Underwriters.

“An example is the increased regulations related to data security and privacy, which create additional risks for an organization. The risk manager needs to be involved with identifying, assessing and treating these new risks as they arise.”

“Organizations have to layer their defense and look for gaps,” said Tim Wiseman, chief risk officer for East Carolina University in Greenville, North Carolina.

East Carolina, the third-largest school in the University of North Carolina system, faces numerous compliance issues, including some related to its health sciences campus, he said. These include management of health privacy and health information, as well as complying with Health Insurance Portability and Accountability Act. Data security is also an issue, he said.

“ERM is working very well in tying our compliance offices together,” Mr. Wiseman said.

“Concerns about the significant increase in governmental regulation affecting organizations and how to manage compliance and proper interpretation of requirements continue to top the list of risks for organizations,” Mr. Wiseman said, noting that compliance failures can lead to hefty fines and reputation damage, among other things.

He said that “the ISO 31000 risk management standard and companion references offer organizations a formal and reliable approach to identifying and assessing compliance risk areas regularly and methodically, in context, as a part of a healthy and mature enterprisewide risk management process.”

“A primary objective within an ERM program is to establish appropriate ownership of risks across the organization,” said Joe Underwood, a principal and ERM and risk technology service leader at Albert Risk Management Consultants in Needham, Massachusetts.

“This is particularly important for compliance risks,” he said. “You don't want people unclear on who has responsibility for ensuring compliance, because a given compliance issue may touch on different department.”

Part of how an ERM process can help an organization deal with compliance issues is in understanding what types of risks the organization is willing to take and what it won't, said Carol Fox, director of strategic and enterprise risk practice at the Risk & Insurance Management Society Inc. in New York. Some organizations want to have zero tolerance, and there are costs involved in doing so. “If they're willing to undertake those consequences, that's fine, but they might be over-controlling in a certain area,” she said.

“ERM assists an organization with compliance issues by facilitating the discussion of compliance as an uncertainty that can affect the organization's objectives,” said Shannon Gunderman, administrative services director for Yuma County in Yuma, Arizona.

Mr. Gunderman said people will typically acknowledge that compliance is crucial to their organization's success. But “if no one is formally discussing where the organization stands in connection with compliance and actively addressing the deficiencies, such recognition is useless,” he said.

“ERM brings compliance out of the inactive state of simple acknowledgement and breathes life into it through open and focused dialogue among an organization's leadership, management and line employees,” he added.

Mr. Gunderman, like Ms. Flint and Mr. Wiseman, is a PRIMA ISO 31000 faculty trainer for the Alexandria, Virginia-based Public Risk Management Association.