
Compliance ≠ Risk Management

The 2008 Annual Report for the Manly-Warringah Rugby League Football Club Limited (the Club) does not mention risk or risk management. If one looks at the list of 40 positions within the administration and football departments, there is no Risk Manager. In fact, ‘risk’ is not mentioned in any of the position titles listed at all. With this in mind then, it is not surprising the Club’s recent response to an alleged incident involving one of their senior players appeared ad-hoc and poorly planned.

Many sporting codes fall into the same trap. They impose compliance on players; however, they do not manage risk very well.

Outside sport, there is also a popular misconception by some senior executives and senior managers that compliance by way of a code-of-conduct, legislation or contract (or other such requirement) removes the need for risk management. Employers are required to comply with occupational health and safety (OH&S) legislation in states and territories. However, the fact that an organisation complies with OH&S legislation does not remove the risk of an incident or accident occurring.

Measuring compliance involves a pass or fail judgement. You have either complied or you have not. Compliance typically deals with treating the ‘likelihood’ (i.e. reducing the probability) of an event occurring. Typically, compliance does not treat the ‘consequence’ should an event materialise.

Compliance with an imposed requirement also does not involve measuring residual risk; i.e. the risk that exists after control measures are applied.

A new home may comply with the Standard for Construction of Buildings in Bushfire-Prone Areas (AS 3959:2009 – Standards Australia); however, there is still a risk that a bushfire could occur and the home still burn down. Compliance with this construction standard may reduce the ‘likelihood’ of the house being destroyed, but it doesn’t treat the ‘consequence’ of the house being destroyed. The compliance control is only as effective as other measures that may be taken, such as: clearing the bush from around the home, having fire retardant curtains, and reducing materials in the home which are above the self-ignition temperature threshold.

So how effective is compliance management?

Compliance management is important; however, this does not abrogate an organisation’s responsibility to assess how effective this control mechanism is at reducing the overall risk. Without a risk management framework in place, compliance management is a poor attempt to gloss over the cracks in an organisation’s corporate governance.

What is surprising, however, is how straightforward it can be to fix those cracks.

Key ingredients

The recipe for creating a risk management framework is simple. It should include the following three ingredients:

  1. Common Language: All parties should have a clear understanding of the terms being used when discussing risk management. This avoids confusion and misunderstanding.
  2. Structure: Take one pre-prepared Australian Standard for Risk Management (AS/NZS 4360) from Standards Australia and modify the generic approach to suit the organisational need.
  3. Culture: Factors relating to ‘how things are done around here’ that combine to ensure people proactively use the risk management framework to help achieve the goal, which is to manage risk cost-effectively.


Risk management is often cast aside from the day-to-day mindset of people because there are perceptions that:

  • nothing will be done about reported risks
  • management will adversely react if risks are reported, and
  • visibility of risks creates a negative impression.

The value of risk management needs to be demonstrated to people within the organisation. Negative perceptions need to be debunked and senior management needs to embrace the level of change required and lead the way. Introducing a risk management culture is effectively a change management project.

In an article for Risk Magazine, 21 June 2005 (Risk management in practice: risk culture at IAG), Peter Sutherland (Head of Group Risk & Compliance, IAG) and Dr Katarina Hackman (Senior Manager Change Strategy in Group Risk & Compliance, IAG) stated: “Most risk professionals see risk management as a process… To a degree this is true but this view misses the fact that risk management can equally be seen as a set of behaviours”.

For risk to be taken seriously (and subsequently managed effectively) sponsorship should start at the top and cascade down through the organisation. Policy development and ongoing communications from senior management need to reinforce risk management behaviour. People need training and support for this to be successful. Such training and support will underpin the introduction of a new common structure and language for managing risks.

Common structure and language

Australian Standard AS/NZS 4360 is the risk management framework used by many public and private sector organisations. It is a good place to start when implementing risk management in most organisations.

Regardless of the approach, the first challenge is to sort out definitions. Many communication problems can be solved by everyone using standard terms. The Australian Standard provides definitions for risk management terms, some of which are:

Risk – Risk is measured in terms of likelihood and consequences. It is the chance of something happening that will have an impact upon objectives.

Likelihood – Likelihood is used as a qualitative description of probability or frequency (i.e. of something occurring).

Consequence – Consequence is the outcome of an event expressed qualitatively or quantitatively. The outcome may be a loss, injury, disadvantage or gain. There may be a range of possible outcomes associated with an event.

Event – An event is an incident or situation, which occurs in a particular place during a particular interval of time.

Magnitude – The Australian Standard also provides for ‘magnitude’ to be assigned when undertaking risk analysis. Magnitude is used to describe the level of risk (or exposure). Magnitude is assigned by using a matrix to combine likelihood and consequence such that a descriptive measure can be assigned. When people say something is a “High Risk” they are articulating the magnitude of the risk.

(Source: AS/NZS 4360 Risk Management, Standards Association of Australia)

With definitions clearly understood a common process can be applied. The Australian Standard provides a clear process for risk management.

If we strip back the layers of this risk management process there are some very simple things that should be done:

  1. Scope and structure – Ensure that the organisational and strategic context is understood and establish risk evaluation criteria. The scope needs to clearly define what the risk management process is being applied to. Define a structure for the identification and analysis of risk within the scope.
  2. Events, causes and scenarios – Generate a comprehensive list of events which may affect each element of the structure. Also identify possible causes and scenarios.
  3. Analysis – Analyse risk by considering any existing control measures (e.g. compliance with OH&S legislation), the causes of risk (e.g. failure of a safety harness), the consequences (e.g. serious injury) and the likelihood that those consequences may occur. The magnitude is assessed in the context of the existing controls. This is commonly referred to as Inherent Risk (i.e. the assessment of risk before any new controls are applied).
  4. Evaluation – Evaluate the risks against the established risk evaluation criteria (see scope and structure). If any of the risks fall into the low or acceptable risk categories they may be accepted with minimal treatment.
  5. Treatment – Treat risks by:
    • Avoiding the risks by deciding not to proceed with the activity which is likely to generate risks (where practicable)
    • Reducing the likelihood of an occurrence
    • Reducing the consequences
    • Transferring them to another party (i.e. abatement)
    • Retaining the risks once they have been reduced or transferred.

Treatments applied to reduce the consequence or likelihood may be referred to as ‘controls’. After applying controls, there may still be residual risk (i.e. the risk remaining once controls have been applied). Risk treatment continues until a point is reached where the risk is retained (i.e. the risk is acceptable).

Using scenarios, the value of risk management (over and above compliance) can be demonstrated. The Risk Definition and Classification contained in Appendix E of AS/NZS 4360 Risk Management (Standards Association of Australia) are often referenced in risk analysis.


Following are two independent scenarios where Inherent Risk is being assessed in the context of Existing Controls; Further Controls are being recommended and Residual Risk is being assessed. These scenarios demonstrate transparency in the process of implementing controls. In both scenarios a combination of controls has been used to treat Consequences and Likelihood in order to reduce Magnitude.

Scenario 1 – OH&S


  • Major local commercial construction company.
  • Significant high-profile property developments.
  • Recent difficulty with unions.

Risk Event

  • Worker falls from high-rise construction site.

Existing Controls

  • Compliance with OH&S.
  • Independent audit to demonstrate compliance with OH&S.
  • OH&S training.
  • Safety harnesses.

Inherent Risk

Consequence – Major (4)

  • Reputation of company significantly damaged nationally, major financial loss.
  • Death or severe injury.
  • Potential for legal action against the company.

Likelihood – Possible (C)

  • Might occur at some time.

Magnitude – Extreme (C4)

  • Immediate action required.

Further Controls

  • Adopt safe design processes (as advocated by the Australian Institute of Architects – Safe Design Policy) and integrate hazard identification and risk assessment early in the building procurement process (i.e. reduce likelihood).
  • Media management training for senior staff (i.e. reduce consequences).
  • Negotiate protocol with Unions for handling serious incidents (i.e. reduce consequences).
  • Open disclosure of residual building site risks and site staff involvement in establishing controls (i.e. reduce consequences).
  • Communicate safe design issues to clients and contractors and keep records of these communications (i.e. reduce consequences).
  • On-site emergency response crew trained to provide immediate triage should an accident occur (i.e. reduce consequences).
  • Safety nets (i.e. reduce likelihood).

Residual Risk

Consequence – Moderate (3)

  • Reputation of company damaged (nationally).
  • Financial loss.

Likelihood – Unlikely (D)

  • Could occur at some time.

Magnitude – Moderate (D3)

  • Management responsibility – Project Director.


Scenario 2 – Player behaviour


  • Nationally recognised sporting club with high media profile.
  • Significant income from sponsorship.
  • Strong fan-base.
  • Strong local community involvement.

Risk Event

  • Player is accused of a criminal offence.

Existing Controls

  • Player Code of Conduct (i.e. compliance).
  • Player’s contract (i.e. compliance).

Inherent Risk

Consequence – Major (4)

  • Reputation of club significantly damaged (nationally).
  • Major financial loss.
  • Community adversely affected.

Likelihood – Possible (C)

  • Might occur at some time.

Magnitude – Extreme (C4)

  • Immediate action required.

Further Controls

  • Training and education (i.e. reduce likelihood).
  • Prepare a ‘Response Plan’ (i.e. reduce consequences).
  • Negotiate protocol at the national level for alleged criminal matters (i.e. reduce consequences).
  • Media management training for senior officials and players (i.e. reduce consequences).

Residual Risk

Consequence – Moderate (3)

  • Reputation of club damaged (nationally).
  • Some financial loss.
  • Community adversely affected.

Likelihood – Unlikely (D)

  • Could occur at some time.

Magnitude – Moderate (D3)

  • Management responsibility – Chief Executive Officer.

Compliance alone is not enough

In both scenarios, compliance management is not enough to reduce the exposure of the organisation to adverse consequences; i.e. residual risk still exists. The question is: do the controls (when applied) provide an acceptable risk profile?

Complying with OH&S requirements in the construction context presented does not help if things go wrong. Similarly, a basic risk assessment would clearly show that the existing compliance approach to controlling player behaviour (imposing Player Code of Conduct and Player Contract requirements) is inadequate in treating the consequence. The existing controls do not provide an acceptable residual risk profile, and the risk requires further treatment and management.
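The five-step process above (scope, events, analysis, evaluation, treatment) and the two scenarios can be walked through in code. The following toy risk register is an added illustration, not code from the article or from AS/NZS 4360: the 5 x 5 magnitude matrix, the A–E and 1–5 scale labels, the evaluation responses for Low and High, and the one-step shift per treated dimension are all assumptions, chosen so that the article’s own ratings (C4 = Extreme, D3 = Moderate) are reproduced. The existing controls in Scenario 1 are classed as likelihood controls, following the article’s statement that compliance typically treats likelihood rather than consequence; the register then reports which dimension the existing controls leave untreated, which is the gap the scenarios are making visible.

```python
"""Toy risk register: inherent assessment -> coverage check -> residual assessment.

Added illustration; the matrix, scales and evaluation rules are assumed values
that reproduce the article's ratings (C4 = Extreme, D3 = Moderate).
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

LIKELIHOOD = ["A", "B", "C", "D", "E"]      # A = most likely ... E = rarest (assumed)
LIKELIHOOD_NAME = {"A": "Almost certain", "B": "Likely", "C": "Possible",
                   "D": "Unlikely", "E": "Rare"}
CONSEQUENCE_NAME = {1: "Insignificant", 2: "Minor", 3: "Moderate",
                    4: "Major", 5: "Catastrophic"}
RATING_NAME = {"E": "Extreme", "H": "High", "M": "Moderate", "L": "Low"}

# Assumed magnitude matrix: row = likelihood letter, column = consequence 1..5.
MATRIX = {
    "A": ["H", "H", "E", "E", "E"],
    "B": ["M", "H", "H", "E", "E"],
    "C": ["L", "M", "H", "E", "E"],
    "D": ["L", "L", "M", "H", "E"],
    "E": ["L", "L", "M", "H", "H"],
}


def magnitude(likelihood: str, consequence: int) -> str:
    """Combine likelihood and consequence via the matrix, e.g. ('C', 4) -> 'Extreme'."""
    return RATING_NAME[MATRIX[likelihood][consequence - 1]]


@dataclass
class Control:
    name: str
    treats: str  # "likelihood" or "consequence", as the article labels each control


@dataclass
class Risk:
    event: str
    likelihood: str                  # assessed with the existing controls in place
    consequence: int
    existing: List[Control] = field(default_factory=list)
    further: List[Control] = field(default_factory=list)

    def inherent(self) -> Tuple[str, int, str]:
        return self.likelihood, self.consequence, magnitude(self.likelihood, self.consequence)


def untreated(controls: List[Control]) -> Set[str]:
    """Dimensions (likelihood / consequence) that no control in the list addresses."""
    return {"likelihood", "consequence"} - {c.treats for c in controls}


def residual(risk: Risk, likelihood_shift: int, consequence_shift: int) -> Tuple[str, int, str]:
    """Apply the assessor's judged effect of the further controls, in scale steps.

    A shift on a dimension that no further control treats is refused; the size
    of the shift stays a judgement call, as it is in the article's scenarios.
    """
    treated = {c.treats for c in risk.further}
    if likelihood_shift and "likelihood" not in treated:
        raise ValueError("no further control treats likelihood")
    if consequence_shift and "consequence" not in treated:
        raise ValueError("no further control treats consequence")
    lk = LIKELIHOOD[min(LIKELIHOOD.index(risk.likelihood) + likelihood_shift, 4)]
    cq = max(risk.consequence - consequence_shift, 1)
    return lk, cq, magnitude(lk, cq)


def evaluate(rating: str) -> str:
    """Assumed evaluation criteria; the article states only the Extreme and Moderate responses."""
    return {"Low": "accept", "Moderate": "retain; assign management responsibility",
            "High": "treat further", "Extreme": "immediate action required"}[rating]


def scenario_1() -> Risk:
    """Article's Scenario 1; existing (compliance) controls are classed as likelihood controls."""
    return Risk(
        event="Worker falls from high-rise construction site",
        likelihood="C", consequence=4,
        existing=[Control("Compliance with OH&S", "likelihood"),
                  Control("Independent OH&S audit", "likelihood"),
                  Control("OH&S training", "likelihood"),
                  Control("Safety harnesses", "likelihood")],
        further=[Control("Safe design processes", "likelihood"),
                 Control("Safety nets", "likelihood"),
                 Control("Media management training", "consequence"),
                 Control("Union incident protocol", "consequence"),
                 Control("On-site emergency response crew", "consequence")],
    )


def report(risk: Risk, likelihood_shift: int = 1, consequence_shift: int = 1) -> List[str]:
    """Register lines: inherent rating, coverage gap of existing controls, residual rating."""
    lk, cq, inh = risk.inherent()
    rl, rc, res = residual(risk, likelihood_shift, consequence_shift)
    gap = untreated(risk.existing)
    return [
        f"Event: {risk.event}",
        f"Inherent: {LIKELIHOOD_NAME[lk]} ({lk}) x {CONSEQUENCE_NAME[cq]} ({cq}) = {inh} ({lk}{cq}) -> {evaluate(inh)}",
        f"Existing controls leave untreated: {', '.join(sorted(gap)) or 'nothing'}",
        f"Residual: {LIKELIHOOD_NAME[rl]} ({rl}) x {CONSEQUENCE_NAME[rc]} ({rc}) = {res} ({rl}{rc}) -> {evaluate(res)}",
    ]


if __name__ == "__main__":
    print("\n".join(report(scenario_1())))
```

Running `report(scenario_1())` reproduces the article’s Scenario 1 register: inherent Extreme (C4) requiring immediate action, existing controls leaving consequence untreated, and residual Moderate (D3) to be retained under assigned management responsibility. Scenario 2 is encoded the same way, with the Code of Conduct and player contract as likelihood controls and the response plan, national protocol and media training as consequence controls.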

Tools can help

Most medium and large sized organisations are now turning to risk management software as the key tool to manage risk. Planning is a critical stage of implementing risk management software. The saying goes: “if you automate a bad process, ‘garbage’ will be delivered at the speed of light”. There is a plethora of risk management software on the market which can support the process; however, if the process is bad to begin with, it may just get worse if you automate it.

Business Process Re-engineering (BPR) was the consultant catchphrase of the 1990s. The concept is still around but it now has a different name – Business Transformation. Regardless of the name, the concept of analysing existing processes to determine whether they are delivering best value is still fashionable. Continuous improvement should occur within every business so that where processes are identified as deficient, they can be fixed (Larson A, 2003, Demystifying six sigma: a company-wide approach to continuous improvement).

Before implementing risk management software, a process review of the risk management framework is imperative to ensure the process is optimal. Only then can increased value be delivered.

In looking for a software provider, seek an organisation that can:

  • support the process review and re-design task
  • plan the implementation to maximise stakeholder involvement
  • implement the software with methodologies to drive increased user acceptance, and
  • provide ongoing application and process support to underpin continuous improvement of the risk management system implementation.

There are some fundamental issues to tackle when shopping for risk management software, as demonstrated below.


Flexibility – The basic concept of risk management will not change substantially over the life of the software; however, your ‘maturity of use’ will. This will result in changes to definitions within the risk definition and classification, the calculation of magnitude and depth of controls applied. The software must have the flexibility to change without the need for significant re-investment.

Scalability – The initial implementation may see a few key people use the risk management software. When the culture of risk management becomes instilled within your organisation, usage will inevitably increase. The software must be able to cope with forecasted growth.

Sociability – Risk management software should not be deployed in isolation from other key business systems. Interoperability is important to ensure people can interact with the risk management software when using their day-to-day business systems (e.g. reminders issued via email).

Usability – If the risk management software is user-friendly, people will use it. If it is hard to use, they won’t. There must be adequate training to ensure people can use the software efficiently and effectively.

With any software implementation it is important to define what success is. Consider having a definition of success which encompasses the level of acceptance by users. Without this acceptance, it does not matter how good the risk management software is, it will be reluctantly used, or avoided altogether.


The evidence is clear: Compliance does not equal Risk Management.

Organisations need to comply with a number of obligations, such as those contained in: legislation, contracts, codes-of-conduct and other such requirements. Compliance management is, therefore, an important function within any organisation.

Compliance management should only be considered as a small part of managing exposure. Without an all-encompassing approach to risk management, an organisation has a corporate governance crack as wide as the Grand Canyon. To fix this requires:

  • a sound risk management framework with a common language and structure, underpinned by a risk-aware culture to use it
  • effective risk management processes, and
  • tools to improve efficiencies and deliver better outcomes in risk management.

Source by Anthony Rowley
