As Compliance professionals we can think of numerous controls and control enhancements to minimize compliance risks. But is risk minimization really the right objective?
No, because controls also carry costs (time, effort, personnel, technology and systems, and so on). Ever since the discussion of internal control systems became more systematic (at the latest with COSO's Internal Control – Integrated Framework, published in 1992), it has been recognised that there is an economic trade-off between the cost of risk and the cost of the controls that mitigate it.
Initially, risk can be reduced substantially by introducing even a few controls rather than none at all: the total cost (risk plus controls) falls, so the marginal benefit of each additional control is positive. But not indefinitely. As further controls are added, the risk reduction each one achieves shrinks, until a point is reached where an additional control costs more than the risk reduction it delivers. If we nevertheless keep adding controls in pursuit of minimal risk, the overall cost rises further, because every further control adds more cost than it removes in risk.
It is this optimum, the point at which the combined cost of risk and risk-mitigating controls is lowest, that should in general be aimed for from an economic perspective. In practice it will of course be difficult to locate the optimum exactly if risks are not quantified; the cost of controls is usually easier to determine.
On the other hand, even in a semi-quantitative or qualitative discussion it is usually possible to tell whether we are still on the left side of the graph, where the net effect of an additional control is still positive.
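To make the trade-off concrete, here is an added worked example that is not part of the original post and is not a COSO method. It models residual risk as an expected annual loss, applies a constructed list of hypothetical controls in order of risk reduction per unit of cost (the greedy ordering is my assumption, as are all control names and figures), and reports the total-cost curve, the economic optimum, and the point where the marginal benefit turns negative:

```python
"""
Added example (not from the original post): a constructed model of the
cost-of-risk vs cost-of-controls trade-off.

Residual risk is an expected annual loss in currency units. Each
hypothetical control has an annual operating cost and removes a fixed
percentage of the risk that is *still remaining* when it is applied,
which is what produces the diminishing returns described in the text.
Integer arithmetic is used so the results are exact.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Control:
    name: str           # hypothetical control name
    annual_cost: int    # cost of operating the control per year
    reduction_pct: int  # percent of remaining risk removed (0..100)


@dataclass(frozen=True)
class Step:
    controls: Tuple[str, ...]  # controls applied so far
    residual_risk: int         # expected annual loss after these controls
    control_cost: int          # annual cost of these controls
    total: int                 # residual_risk + control_cost
    marginal_net: int          # risk removed by the last control minus its cost


# Constructed data: expected annual loss of 1,000,000 with no controls at all.
BASELINE_RISK = 1_000_000

# Constructed candidate controls (names and figures are invented).
CANDIDATE_CONTROLS = [
    Control("code of conduct and training", 50_000, 40),
    Control("four-eyes approval", 80_000, 30),
    Control("transaction monitoring", 150_000, 25),
    Control("third-party due diligence", 120_000, 15),
    Control("continuous audit", 200_000, 10),
]


def residual_risk(baseline: int, controls: List[Control]) -> int:
    """Expected annual loss after applying the controls in order."""
    risk = baseline
    for c in controls:
        risk = risk * (100 - c.reduction_pct) // 100
    return risk


def control_cost(controls: List[Control]) -> int:
    return sum(c.annual_cost for c in controls)


def cost_curve(baseline: int, candidates: List[Control]) -> List[Step]:
    """Add controls one at a time, always picking the remaining control
    with the largest risk reduction per unit of cost measured against the
    *current* residual risk. Returns one Step per point on the curve,
    starting with the no-controls point."""
    applied: List[Control] = []
    remaining = list(candidates)
    rows = [Step((), baseline, 0, baseline, 0)]
    while remaining:
        risk_now = residual_risk(baseline, applied)
        best = max(remaining, key=lambda c: risk_now * c.reduction_pct / c.annual_cost)
        remaining.remove(best)
        applied.append(best)
        risk_after = residual_risk(baseline, applied)
        cost_after = control_cost(applied)
        rows.append(Step(
            tuple(c.name for c in applied),
            risk_after,
            cost_after,
            risk_after + cost_after,
            (risk_now - risk_after) - best.annual_cost,  # > 0: the control pays for itself
        ))
    return rows


def optimum(rows: List[Step]) -> Step:
    """The point of lowest combined cost of risk and controls."""
    return min(rows, key=lambda r: r.total)


def risk_minimum(rows: List[Step]) -> Step:
    """The point of lowest residual risk (i.e. risk minimisation)."""
    return min(rows, key=lambda r: r.residual_risk)


if __name__ == "__main__":
    rows = cost_curve(BASELINE_RISK, CANDIDATE_CONTROLS)
    print(f"{'controls':>8} {'residual risk':>14} {'control cost':>13} {'total':>10} {'marginal net':>13}")
    for r in rows:
        print(f"{len(r.controls):>8} {r.residual_risk:>14,} {r.control_cost:>13,} {r.total:>10,} {r.marginal_net:>13,}")
    best, safest = optimum(rows), risk_minimum(rows)
    print(f"optimum: {len(best.controls)} controls, total cost {best.total:,}")
    print(f"risk minimum: {len(safest.controls)} controls, total cost {safest.total:,}")
```

With these constructed figures the total cost falls from 1,000,000 to 550,000 after the second control and then rises again; the third control removes 105,000 of risk but costs 150,000, so its marginal net benefit is negative, and applying all five controls (the risk minimum) leaves a total cost of 840,975, well above the optimum. In practice the residual-risk figures would come from quantified scenarios (probability times impact), which is exactly the input that is hardest to obtain.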
Still, whenever we discuss whether our controls are sufficient or whether we need to do more, we as Ethics & Compliance professionals should keep in mind that risk minimisation is uneconomical and that there is an optimum of the total cost of risks and controls.
Note: Heat maps, as intuitive as they may appear, show only likelihood and impact and not the cost of the related controls at all, and can therefore be misleading when used to decide whether more controls are needed.