Updated: Jul 22
Risk management has for many years focused mostly on identifying possible losses and working out their probabilities. As beneficial as that might be, it does not capture the full nature of uncertainty. ISO 31000 (and others) have tried to expand the definition but only go halfway. They focus on the effects, or rather the symptoms, and not on the cause or the disease itself.
Unfortunately, because of the lack of a holistic approach and the negative connotations associated with the word risk, "Risk Management" is getting in the way of effectively contending with uncertainty. It's time for a change, and that is why we should no longer use only risk.
Historically, compliance has been considered a means to keep risk at bay. When organizations are in compliance (i.e. operating consistently between the lines) they will in turn reduce the possibility of loss. This places compliance programs alongside the value chain with risk reduction as the goal. We have used this model in the past, and in some cases it still makes sense to do so.
However, what we have found is that this approach tends to focus compliance mostly on conformance to rules attested by surveys and monitored by occasional audits. The goal seems to be only "staying between the lines" and not staying ahead of risk.
The lack of focus on the latter results in risk programs paying too much attention to risk identification and registers (staying between the lines) and not enough to contending with risk itself. In a sense, both risk & compliance suffer from too many check boxes and not enough action.
A Need for Change
Operationally, compliance at its core is the practice of meeting obligations in the presence of uncertainty. Risk management is a means to that end and, more specifically, this should be the focus of operational risk management. This places the majority of risk programs: safety, sustainability, environmental, health, security, privacy, asset management, and so on, alongside the value chain with compliance as the outcome. However, compliance here does not mean check boxes. Instead, it means meeting all your obligations (conformance, performance, and outcome-based) in the presence of uncertainty.
This change, however, is not enough in our estimation. To reflect the shift toward improving the certainty of meeting obligations, we have elected to call these certainty programs rather than risk programs. This aligns better with the ISO 31000 definition and with the purpose of these programs, which is to make certain (ensure) that objectives across the business are achieved.
That is why we propose using the labels Certainty & Compliance rather than Risk & Compliance.
There will still be a role for enterprise risk management, but it should result in the creation of operational objectives that fall within the certainty and compliance functions.
The purpose of Certainty Programs is to keep organizations between the lines while increasing the probability of targeted outcomes and decreasing the probability of undesirable outcomes. These objectives should become part of certainty-based balanced scorecards instead of risk-based ones. This is more than semantics; it is a change in mindset, strategy, and focus.