Are you managing risk or just doing compliance?
Some people might think that's a strange question...compliance is managing risk, right? Well, not necessarily.
Compliance is about developing, executing and monitoring a range of policies and procedures that are intended to mitigate a risk or risks. The danger is always that you spend so much time on administering these things that you forget to think proactively about the risks that necessitated it all in the first place. In this short video from American Banker this exact issue is discussed.
It's a recurring theme because catastrophic failures are so often followed by substantial legislative and regulatory efforts to stop the same catastrophe from happening again. Sarbanes-Oxley compliance consumed huge resources, often seconded from existing functions, to ensure that organizations had the necessary controls and attestation arrangements in place.
In the wake of the 2008 financial crisis, more than a few people are asking whether all that compliance effort took too much attention away from risk management, resulting in yet another 'unforeseen' catastrophe. And yes, guess what? - there's now another tidal wave of legislation to comply with (for example the US Dodd–Frank Wall Street Reform and Consumer Protection Act and its Volcker Rule).
As always, there is no easy answer except to be aware of the danger.
The power of risk management is that done well, it keeps you focused on what's important and therefore where to direct your efforts. If you are only thinking about compliance then you are only thinking about the last catastrophe - not the next one - and there will always be a next one!
Keep looking at your resource allocation - is it risk-based? In other words, is the time you are spending on compliance and control really proportionate to the potential impacts at your organization? And how much time are you spending on assessing new and emerging risks, about which compliance programs tell you very little?
Put simply, are you managing the risk of not managing risk?