As compliance evolves and corporate compliance programs become more sophisticated, compliance is seen not as simply a legal prophylactic, but as a business process.
Seen in this light, it is clear the risk management process should begin with forecasting, as it attempts to estimate future aspects of the business. Compliance professionals should be able to say with some degree of authority what will happen in the next three months, six months, twelve months, twenty-four months. This can facilitate deploying resources where they think it is appropriate to meet these future demands.
By starting with forecasting, a compliance function utilizes risk assessment to consider issues that forecasting did not predict or issues that the forecasting model raised as a potential outcome warranting a deeper dive. If the business is moving into a new product or sales area and is required to use third-party sales agents, a risk assessment would provide information that a company could use to ameliorate the risks.
Risk-based monitoring follows from the issues that the risk assessment identified as the highest risk areas. Risk-based monitoring tends to look at things on an ongoing basis, and the models that are behind the risk-based modeling are continuously refined based on incoming data.
These three tools tie back into process management and process improvement; there is a balance between what is important for the business or proper execution and the practical aspects of the whole process. If there is a one-in-three chance of a compliance failure occurring, and the company could predict that in advance, the executive committee probably could stop the activity before a compliance failure and possible legal violation.
This is how the risk management process can work to fulfill the three prongs of a compliance program: prevent, detect and remediate. You are using the risk forecast and you have a contingency in place, which you execute upon. In other words, it comes down to execution. This means you must use the risk management tools available to you and, when a situation arises, remediate when required.
This is where the rubber meets the road, and the information and data you garner in the execution phase should also be fed back into a process loop. From this, you will develop continuous feedback and continuous improvement.