When I first started my career, I was an internal auditor and the year was 2005. It was what I would call the “age of internal controls”. The Sarbanes-Oxley Act of 2002 (SOX) was just a few years old, and the German multinationals subject to it had yet to comply with section 404 in their first internal control report. The COSO Enterprise Risk Management (ERM) Framework had only recently been released, and the COSO Internal Control Integrated Framework (1992) was the dominant framework used for SOX Internal Controls over Financial Reporting (ICoFR) implementations.
Compliance with applicable laws and regulations was one of the three objective categories in the Internal Control System (ICS); in fact the third one, after effectiveness and efficiency of operations and reliability of financial reporting.
Hence, Compliance Management (CM) was a part of the ICS. Compliance Management as a separate profession did not exist, nor was Compliance seen as requiring a separate Compliance Management System (CMS). If there was such a thing as a CMS, it was taken care of by the internal audit function, e.g. by educating senior managers in the most important corporate policies and procedures, or by checking the level of associates’ knowledge of those same standards and policies during audit engagements.
The COSO ERM framework then put the ICS into a bigger context, as an integral part of a wider system for how an organization deals with risks (uncertainty) to achieving its objectives. (In my personal opinion, the ERM should have completely superseded and replaced the ICS, as it fully integrated it, put it into the right context and added the fourth objective dimension of strategy.)
It could and should have stayed at that, regardless of whether COSO is a good framework or not. Compliance Management is Risk Management. Compliance Management deals with Compliance Risks. It is about dealing with risks in one objective quadrant of COSO ERM.
One can actually see this in the German Institute of Chartered Public Accountants’ audit standard for compliance management systems (IDW PS 980). It essentially defines a CMS in much the same terms and structure as COSO ERM, simply replacing the word “risk” in risk management with “compliance”.
Recent years have seen a sharp rise in attention on ethics and compliance programs worldwide, driven by big compliance failures (e.g. the Siemens bribery scandal or the Volkswagen “dieselgate”). Compliance Management is emerging more and more as a separate discipline and profession; professional associations and research institutes have been formed, and standards for CMS are being formulated. In good part this is of course also driven by consultants who see a business opportunity in selling their customers old concepts like ERM all over again, by searching for the word “risk” and replacing it with “compliance” (and who am I to blame them for it?).
In addition, many compliance managers traditionally come from a legal background, fewer from internal controls, risk management or internal audit. They bring a more rules-based focus to the discussion, similar to the historical controls-based approach of the ICS as opposed to the systemic, and later principles-based, approach of Risk Management. And, of course, bringing your own paradigm from your own professional background, and your own terminology, helps to stake claims and keep others out.
But in essence there is nothing novel here. Compliance risks are just that: risks. Compliance management is just a part of risk management. Yes, compliance risks may be a little different from other risks in that the tolerance for some compliance breaches is lower or even zero (at least it has to be proclaimed to be absolutely zero, while in actual fact these events may still occur). But compliance management would do very well to integrate the lessons of a decades-long historical development from internal controls via control systems and risk management to risk-informed decision making.