Compliance vs. Risk

How are they related, what are the differences, and how can they be used together to manage cost and effectiveness?

We often see compliance management substituted for risk management in both safety and security, which is out of sync with the business at large. When executive business decisions are based on risk, it follows that safety and security decisions need to follow the same approach. To achieve the best results for the company, compliance and risk must be managed as a complementary process.

Compliance can be a regulatory minefield. For safety and security managers, the challenge of balancing demands that accompany policy and procedural mandates with risk can be daunting. Compliance audits address adherence to prescribed limits. Risk embraces a more “holistic” perspective on threats, vulnerabilities and assets. Clarifying definitions helps:

  • Compliance is defined as “the act or process of doing what you have been asked or ordered to do” or “conformity in fulfilling official requirements”. In simple terms, compliance is a checklist approach.
  • Risk is defined as “the possibility that something bad or unpleasant will happen (such as an injury or a loss)”. Like compliance, a true risk assessment takes note of what measures are present to protect or mitigate threats. Unlike compliance, risk is less of a binary process than it is an algorithmic process that weighs and calculates whether a measure is justified.

Risk informs policy development and implementation payback, while compliance is application of procedure and standards. Both provide value, but in different ways.

Where compliance is driven by external regulatory standards such as NERC-CIP, MTSA, or OSHA, the initial response is easy – ensure everything is in place to meet the compliance requirements. The compliance checklist is validated and gaps in business procedure or security controls that are discovered are resolved accordingly. Compliance management specifies and ensures application of items that establish a solid baseline level of protection.

When the corporation’s compliance standards are internally defined, businesses have flexibility to ensure the management program drives the greatest value. Complementing compliance with risk gives organizations a clear picture of the value of protection measures and business policies. This is accomplished through methodical analysis that highlights areas of company operation where weaknesses can be minimized and accidental loss (in terms of profit, safety or security) mitigated or eliminated.

Cost

We live in a world of limited resources. There are constraints on time, shrinking budgets and staff (especially in the oil & gas arena), so the judicious application of these resources spells the difference between mediocrity and success. This cannot come from compliance audits alone.

If the corporation’s business risk tolerance is already within acceptable limits, why blindly adhere to a compliance standard for protection? Applying risk insights supports defensible and justifiable deviation from compliance standards in these cases. The mandates of blind compliance can require excessive, unnecessary expense or the implementation of outdated business policy. Sole dependence on compliance for one’s security program will do that – and will ensure your operation is the proverbial “cost center” because the risk tolerance (low) does not match the compliance standard (medium or high).

Likewise, if the company’s operation is increasingly vulnerable to unacceptable levels of loss, why stop at “security-through-compliance” measures? Achieving “compliance only” creates a false sense of security, especially in a dynamic environment where threats, vulnerabilities and other factors are changing quickly. This can be in a region where threats are rapidly growing, where business environments are in flux, or in a situation where businesses are going through a merger or acquisition process. Compliance alone ignores the larger view that true risk analysis provides, and is bound to leave the company operation exposed to risks beyond acceptable limits. Both are recipes for disappointment and loss.

Summary

Your organization will substantially benefit from an approach that manages the relationship between compliance and risk, deriving appropriate value from each. Compliance tools provide a streamlined process to achieve baseline protections. A greater understanding of risk allows you to challenge compliance requirements that are either inadequate or excessive. Using assessed risk to justify deviation from non-regulatory standards on an exception basis – increasing or decreasing protections – provides a proven and defensible basis for adjustments to the compliance regime. Where justified, selected sites or operations can receive additional protection. Alternatively, the program provides allowance for specialized situations where the operation or threats deviate significantly from the baseline. This is particularly true when one is dealing with cookie-cutter regulatory regimes. Having the justification that good risk analysis provides is the best way to manage the auditor – facts speak for themselves.

When it’s all said and done, it is the actions that follow a compliance and risk management program that result in success and value. Why limit your success by wearing blinders (compliance) versus utilizing a panoramic view (risk) to identify and mitigate threats? Compliance is a good starting point. However, organizations that allow risk to be the driving force with compliance as a strong input will come out on top.