Risk and Compliance Management: Differences, Similarities, and How to Integrate Them
Your organization’s ability to achieve and maintain compliance is only as robust as the internal compliance controls you have in place.
Internal controls are most effective when they’re embedded into the business processes they are designed to govern. Unfortunately, many organizations leave them siloed in departments, which leads to a disorganized and inadequate system prone to control failure.
Failing to embed controls into business processes leaves organizations vulnerable to risk and attacks that could be expensive — or in the worst cases, even existential. This article will discuss the importance of embedding compliance controls into business processes, explore common frameworks for designing, implementing, and managing internal controls, and explain how to use modern GRC technology to automate the process.
Internal controls are measures an organization puts in place so that its policies and procedures are actually followed across every business process. Their purpose is threefold: to comply with regulatory, legal, and standards requirements; to reduce the organization’s overall risk exposure; and to improve operational efficiency and effectiveness.
Here are a few examples of what implementing internal controls looks like:
These controls are usually designed and intended to work together as a system to prevent various risk events from occurring and impacting a company’s operations. Each risk or compliance requirement will have its own set of corresponding controls, and compliance is the act of conforming to the requirements of these controls.
For example, running vulnerability scans and penetration tests on a regular cadence, requiring employees to periodically change their passwords, enforcing two-factor authentication on employee accounts and devices, and running phishing simulations are all controls that can be implemented together to improve your organization’s cyber defenses and reduce its cyber risk exposure. One caveat on the password control: NIST SP 800-63B advises against forcing users to rotate passwords on a fixed schedule, recommending instead that passwords be changed when there is evidence of compromise and screened against lists of known-breached passwords, so a modern password control should reflect that guidance rather than a calendar.
Failing to put adequate compliance controls in place means your organization is flying blind when it comes to attaining, maintaining, and proving compliance.
Internal controls are a fundamental component of any successful compliance management program. These compliance controls are typically directly mapped to the regulatory requirements, laws, and standards frameworks that organizations are either required to or desire to comply with.
Without internal compliance controls, your organization has no reliable way to confirm that compliance requirements are being followed, and therefore no way to demonstrate compliance. That can lead to penalties such as fines or reputational damage, and it exposes your organization to exactly the kinds of risk the regulations were designed to prevent.
To truly understand why compliance controls are necessary and how they affect your organization’s risk posture and exposure, we need to unpack a couple of additional concepts: inherent risk, control risk, and residual risk.
Inherent risk is the level of risk your organization faces before any controls are put into place to control or mitigate it. (Inherent risk carries a different meaning in audit management: It’s the risk that an error or misstatement could appear in a company’s financial documents or statements due to a reason other than a failure of internal controls.)
To understand your organization’s inherent risk exposure is to acknowledge that doing business always carries some level of risk that you’ll need to navigate. Internal compliance controls are one way that organizations begin to wrangle this risk into something manageable.
Despite your best efforts, sometimes the controls you put in place simply fail to prevent or detect a risk event. This is known as control risk. Treating these failures as learning moments helps you improve your controls and reduce future control risk.
Residual risk is the level of risk that remains even after you’ve put internal controls in place. No matter how hard you try to mitigate all of the risk your organization faces by implementing internal controls, it’s nearly impossible to remove all risk entirely. If your residual risk after controls are applied is not within your organization’s risk appetite and risk tolerance levels, you need to find ways to put even more robust controls in place.
Compliance controls can take a variety of forms. Each compliance control will focus on a different area of your organization’s risk landscape, or a few different controls can focus on different aspects of the same risk, like in the cybersecurity example above.
Most compliance controls fall under one or more of these archetypes:
Preventive controls are the first line of defense in your compliance controls architecture. These types of controls are designed to head off risk events all together, preventing them from ever occurring and causing problems for your organization.
Some examples of these types of controls are phishing simulations, protocols for ensuring all entrances to and exits from facilities are always secured, cybersecurity firewalls to prevent unauthorized access, safety signage, and legal reviews.
Detective controls are the next line of defense. These controls are used to flag problems or incidents that your preventive controls weren’t able to stop, so they can be fixed before they start to cause issues for your organization.
Detective controls include audits, budget reviews and reconciliations, inventorying of physical goods and assets, and log monitoring.
When both preventive and detective controls fail and a risk event occurs, organizations use corrective controls to mop up the mess as best as they can. Corrective controls can also be applied to preventive and detective controls to improve them and prevent the same problem from impacting the organization again.
Examples of corrective controls include reviewing the access privileges of current and former members of the organization and revoking them as necessary following a data breach, or installing more secure fencing around a sensitive facility after a break-in and handing any available evidence to the appropriate authorities.
When risks require multiple levels of controls for mitigation, the primary, first-line control is known as a key control, while any controls that kick into gear if the key control fails are known as secondary controls.
Let’s use an example most of us can relate to — aerospace engineering and air travel — to paint a picture of what these three types of controls working in conjunction might look like.
When aerospace engineers set to work designing or improving a new commercial aircraft, they know the stakes are extremely high to prevent any risk events from occurring during flight — the lives of dozens or even hundreds of people could be on the line.
So, they install redundant systems for all of the critical components of the aircraft, from the engines to the landing gear to the flight control computers. That’s an example of putting preventive controls in place, and the redundancies could be considered secondary controls. The sensors in the cockpit and at air traffic control alert the pilots of any errors, allowing them to take the necessary actions. These are detective controls. If an incident does occur, the aerospace engineers use the information they’re able to collect afterwards to make further improvements and hopefully prevent future incidents. Those are corrective controls.
Implementing internal compliance controls shouldn’t be viewed as something that can be done in a vacuum. Internal controls are at their most effective when they’re embedded into the business, risk, and compliance processes and programs that they’re intended to protect and augment, and when they work together within those processes.
Embedding controls into your processes creates a system that meets the demands of compliance management far more efficiently. Controls are the activities that guide, manage, and regulate a process toward a specific objective; embedding them means that assessing risk, providing oversight, and reporting on the company’s control posture happen as part of the process itself rather than as a separate exercise.
A system that embeds controls into the process is a higher level functioning system that is proactive to risk and can quickly adjust and error-correct when necessary, without a major disruption to the enterprise.
Additionally, centralizing your controls in governance, risk, and compliance software can help you get an eagle’s eye view of your controls landscape and a more granular view mapped to each of your business processes. This can help you quickly glean how effective your controls are, where they could potentially fail, or where gaps that need to be rectified exist.
Some of the potential cost benefits to embedding controls into your processes are:
When controls are not embedded in business processes, organizations are not able to easily identify gaps or problems with their controls program.
This leads to reactive risk and compliance management. Among the worst consequences, managing controls becomes a burden rather than a business enabler or a source of strategic opportunity. The current state of the organization’s controls becomes difficult to grasp and visualize enterprise-wide, remediating issues becomes slow and labor-intensive, teams lose confidence in test results, and operational costs increase.
These issues are felt across the enterprise, and can include:
Implementing controls and ensuring compliance is never an easy lift. It’s a complex process, and it can be difficult to know where or how to get started. Fortunately, many have tread this road before you, and there are numerous resources available.
Here are a few common compliance controls frameworks and resources you can use to get your internal compliance controls program off the ground:
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) publishes the COSO Internal Control - Integrated Framework. It is one of the most widely used frameworks for designing internal controls processes today, so we’ll explore it in a little more detail.
The framework relies on five components and 17 principles, all designed to work together as a system:
Control environment: This component focuses on the culture and the “tone at the top” of the organization. It deals with expectations around how people act, integrity and ethics, board independence, structure, authority, and responsibility, and attracting and retaining talent. It relies on five principles:
Risk assessment: Organizations are expected to carry out regular, thorough assessments of the risks that they face. Four principles underpin this component:
Control activities: Once risk has been assessed, COSO requires controls to be put in place. This component includes three principles:
Information and communication: COSO places a high premium on effective communication and flow of information to relevant stakeholders. This component relies on three principles:
Monitoring activities: Finally, the framework requires ongoing monitoring of internal controls. This component includes two principles:
The Sarbanes-Oxley Act of 2002, commonly referred to as SOX, is a United States federal law passed in response to a series of high-profile corporate scandals, including the infamous Enron scandal, that made effective internal controls around finance, accounting, and fraud more important than ever. Most importantly for compliance controls management, SOX Section 404 requires the management of public companies to assess and report on the effectiveness of their internal control over financial reporting, which in practice means documenting those controls and testing that they work.
COBIT, or Control Objectives for Information and Related Technologies, is a globally recognized framework from ISACA (the Information Systems Audit and Control Association) for the governance and management of enterprise IT, which makes it a natural home for IT and cybersecurity compliance controls. COBIT 2019 is the current version, succeeding COBIT 5.
The NIST Cybersecurity Framework from the National Institute of Standards and Technology is another common cyber risk management framework that covers many compliance controls. Version 1.1 organizes its outcomes into five functions, identify, protect, detect, respond, and recover; CSF 2.0, released in 2024, adds a sixth, govern. Each function breaks down into categories and subcategories, and NIST maps the subcategories to informative references such as specific controls in NIST SP 800-53 and ISO/IEC 27001, which is how many organizations tie their internal controls back to the framework.
Two commonly adopted standards from the International Organization for Standardization (ISO) deal with managing enterprise risk (ISO 31000) and information security risk (ISO/IEC 27001). ISO 31000 provides guidelines for establishing, managing, and improving an enterprise risk management program, while ISO/IEC 27001 specifies requirements for an information security management system, including a risk treatment process and a reference set of information security controls in its Annex A. Note that only ISO 27001 is a certifiable standard; ISO 31000 is guidance.
The Unified Compliance Framework (UCF) and the Secure Controls Framework (SCF) are large libraries of compliance requirements and controls, each cross-mapped to many laws, regulations, and standards. The UCF has a broader focus, encompassing compliance requirements of all kinds, while the SCF focuses solely on information security, data privacy, and cybersecurity controls.
The UCF is sold commercially, while the SCF is free to use.
While it’s possible to manage your internal compliance controls program through traditional methods like spreadsheets — organizations have been doing it for years, after all, in the absence of a better solution — doing so can lead to control gaps and noncompliance.
In recent years, advances in GRC technology have seen platforms like LogicGate Risk Cloud emerge, which has made it possible to centralize and automate implementation, management, and monitoring of internal controls. Having a single source of truth for your organization’s controls allows you to streamline audits, avoid control redundancy, automate evidence collection, and improve program efficiency by dynamically linking risks, controls, evaluations, and evidence. All of that makes it significantly easier to embed your compliance controls into your business processes.
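The centralized view described above (a register that links requirements, controls, and evidence and reveals gaps and redundancy) is easy to prototype. The following is an added example, not LogicGate’s code or any product’s data model; the frameworks FW-A and FW-B, every requirement and control identifier, the sample evidence dates, and the 90-day evidence window are assumptions made for illustration. It maps requirements to controls and evidence and then surfaces the three findings a controls dashboard exists to show: requirements with no control (gaps), controls mapped to identical requirements (redundancy), and controls whose evidence has gone stale.

```python
"""Added example: a minimal centralized controls register.

Maps requirements (from two hypothetical frameworks, FW-A and FW-B) to the
controls that satisfy them and to the evidence collected for each control,
then reports coverage gaps, redundant controls and stale evidence. All
identifiers and sample data below are constructed for illustration and do
not come from any real framework or control library.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Requirement:
    id: str         # hypothetical identifier, e.g. "FW-A.1"
    framework: str
    text: str


@dataclass
class Control:
    id: str
    name: str
    kind: str                      # "preventive", "detective" or "corrective"
    satisfies: frozenset           # ids of the requirements this control is mapped to
    evidence_dates: list = field(default_factory=list)  # dates evidence was collected


# Constructed sample data. FW-A.1 and FW-B.1 are the same MFA obligation phrased
# by two frameworks, so one control can satisfy both; FW-B.3 has no control at
# all; C-2 and C-5 are mapped to exactly the same requirement.
REQUIREMENTS = [
    Requirement("FW-A.1", "FW-A", "Enforce multi-factor authentication for remote access"),
    Requirement("FW-A.2", "FW-A", "Review user access rights at least quarterly"),
    Requirement("FW-A.3", "FW-A", "Monitor security logs for anomalous activity"),
    Requirement("FW-B.1", "FW-B", "Require MFA for all privileged and remote logins"),
    Requirement("FW-B.2", "FW-B", "Perform periodic vulnerability scanning"),
    Requirement("FW-B.3", "FW-B", "Maintain a tested incident response plan"),
]
CONTROLS = [
    Control("C-1", "MFA on VPN and admin consoles", "preventive",
            frozenset({"FW-A.1", "FW-B.1"}), [date(2024, 5, 20)]),
    Control("C-2", "Quarterly access review", "detective",
            frozenset({"FW-A.2"}), [date(2024, 1, 15)]),
    Control("C-3", "SIEM alerting on log anomalies", "detective",
            frozenset({"FW-A.3"}), []),
    Control("C-4", "Monthly authenticated vulnerability scan", "detective",
            frozenset({"FW-B.2"}), [date(2024, 5, 1), date(2024, 4, 1)]),
    Control("C-5", "Ad hoc access review by HR", "detective",
            frozenset({"FW-A.2"}), [date(2024, 5, 30)]),
]
AS_OF = date(2024, 6, 1)  # reporting date used for the evidence-age check


def requirement_map(requirements, controls):
    """Requirement id -> sorted list of control ids mapped to it
    (the granular, per-requirement view)."""
    mapping = {r.id: [] for r in requirements}
    for c in controls:
        for rid in c.satisfies:
            if rid in mapping:
                mapping[rid].append(c.id)
    return {rid: sorted(ids) for rid, ids in mapping.items()}


def coverage_gaps(requirements, controls):
    """Requirement ids that no control is mapped to: the gaps an auditor finds first."""
    return [rid for rid, ids in requirement_map(requirements, controls).items() if not ids]


def redundant_controls(controls):
    """Pairs of controls mapped to exactly the same requirements; candidates
    for consolidation into one control with a single evidence stream."""
    return [(a.id, b.id)
            for i, a in enumerate(controls)
            for b in controls[i + 1:]
            if a.satisfies == b.satisfies]


def stale_evidence(controls, as_of=AS_OF, max_age_days=90):
    """Control ids whose newest evidence is older than max_age_days, or that
    have no evidence at all. Run on a schedule, this is itself a detective
    control over the controls program."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(c.id for c in controls
                  if not c.evidence_dates or max(c.evidence_dates) < cutoff)


def control_report(requirements=REQUIREMENTS, controls=CONTROLS, as_of=AS_OF):
    """The eagle's-eye view: one dict with every finding a controls dashboard would surface."""
    return {
        "gaps": coverage_gaps(requirements, controls),
        "redundant": redundant_controls(controls),
        "stale": stale_evidence(controls, as_of),
        "by_requirement": requirement_map(requirements, controls),
    }


if __name__ == "__main__":
    for section, finding in control_report().items():
        print(f"{section}: {finding}")
```

On the sample data the report shows FW-B.3 as uncovered, C-2 and C-5 as redundant, and C-2 and C-3 as lacking fresh evidence. In a real program the requirement library would come from a framework such as the SCF or NIST SP 800-53 and evidence dates from automated collectors, but the three checks are the same ones a GRC platform runs continuously once risks, controls, and evidence share one record.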
Schedule a demo of LogicGate Risk Cloud today to learn how you can drive up the efficiency and effectiveness of your controls compliance program and improve your organization’s overall security.