Risk in your risk management
- Perrin Carey

- Aug 9, 2020

Compliance monitoring is the idea that, as a second line of defence (2LOD), we carry out assurance of our business and its policies, procedures and controls.
In principle, this is proper; it’s part of the model of 3LOD, and generally speaking, it’s accepted by regulated businesses as best practice.
The real challenge, then, is not the principle; it’s the execution, and then how we integrate the outcomes from this assurance exercise into our decision-making, our risk-based approach.
My experience tells me that the best way to do this is by bringing your outcomes into your overall risk management process. Practically, this means that your business risk assessment should house the assurance outcomes, and this is a way in which you can then attribute a confidence level to your assessment of residual risk.
If you’re not doing this, you probably have a risk in your risk management process.



