Saturday, August 27, 2005

The Difference Between Risk Management & Compliance


There seems to be a good deal of confusion about the role of the compliance function vs. the role of the risk management function. In many organizations risk management has been subsumed into the audit organization and there are a growing number of "risk management" consultancies that are offshoots of external auditing firms. Has audit become risk management and if not, what's the difference?

In October 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its Enterprise Risk Management (ERM) framework. A slide in the downloadable PowerPoint summary on the COSO site states:

"Internal Auditors…play an important role in monitoring ERM, but do NOT (emphasis provided by COSO) have a primary responsibility for its implementation or maintenance."

Despite this authoritative statement, we seem to have lost the distinction between risk management and the audit/assurance/regulatory/compliance function. Senior risk management positions listed in the classifieds are defined as "managing the process to meet all regulatory and legislative requirements". The only arena in which the management of risk in complying with a legal or regulatory requirement would be appropriate is organized crime. Where else would the assessment of whether or not to break the law or be in compliance with established regulatory requirements be considered an exercise in managing risks? Certainly, there may be room for interpretation of a statute or regulation, but if that interpretation puts a company in jeopardy, one might want to find a new set of lawyers and accountants.
