2 Comments
Meng-Chow Kang

I think there’s a layer between compliance and risk management. Risk management only steps in when we know what the risks beyond compliance are that we have to deal with. For example, when the business introduces a new technology that is yet to be covered or adequately covered by existing regulations or standards. There must be a way to figure out what risks the new technology introduces. That’s the layer of strategy to surface the risks and make them visible for risk decisions to be taken. Without visibility, we may not know we are not compliant, nor will there be a risk management decision to be made.

Sivanathan

That’s a really good point. I agree there’s that “layer” between compliance and risk. Compliance gives us the base, but strategy is what helps surface new risks – especially when the business brings in something that regulators haven’t caught up with yet. Without that visibility, we’ll miss both compliance gaps and risk exposures.
