
Compliance Risk Management in the Business Firms: An Assessment

(Concept Title)

Chapter 1 – Introduction and Its Background

Risk management is the process of identifying, assessing and controlling
threats to an organization's capital and earnings. These threats, or risks, could stem
from a wide variety of sources, including financial uncertainty, legal liabilities,
strategic management errors, accidents and natural disasters. Information
Technology security threats and data-related risks, and the risk management
strategies to alleviate them, have become a top priority for digitized companies. As a
result, a risk management plan increasingly includes companies' processes for
identifying and controlling threats to their digital assets, including proprietary corporate
data, a customer's personally identifiable information (PII) and intellectual property
(Margaret Rouse, April 2020).
Every business and organization faces the risk of unexpected, harmful events
that can cost the company money or cause it to permanently close. Risk
management allows organizations to attempt to prepare for the unexpected by
minimizing risks and extra costs before they happen.
By implementing a risk management plan and considering the various
potential risks or events before they occur, an organization can save money and
protect its future. This is because a robust risk management plan will help a
company establish procedures to avoid potential threats, minimize their impact
should they occur and cope with the results. This ability to understand and control
risk enables organizations to be more confident in their business decisions.
Furthermore, strong corporate governance principles that focus specifically on risk
management can help a company reach its goals.
While risk management can be an extremely beneficial practice for organizations,
its limitations should also be considered. Many risk analysis techniques -- such as
creating a model or simulation -- require gathering large amounts of data. This
extensive data collection can be expensive and is not guaranteed to be reliable.
Furthermore, the use of data in decision making processes may have poor
outcomes if simple indicators are used to reflect the much more complex realities of
the situation. Similarly, adopting a decision throughout the whole project that was
intended for one small aspect can lead to unexpected results.

Concept by: Manuel L. Hermosa, RTU - DBA Student
Submitted to: Dr. Cecile F. Jose, Graduate Studies, Professional Lecturer

Another limitation is the lack of analysis expertise and time. Computer
software programs have been developed to simulate events that might have a
negative impact on the company. While cost effective, these complex programs
require trained personnel with comprehensive skills and knowledge in order to
accurately understand the generated results. Analyzing historical data to identify
risks also requires highly trained personnel. These individuals may not always be
assigned to the project. Even if they are, there frequently is not enough time to
gather all their findings, thus resulting in conflicts.
As government regulations spread around the globe, geopolitical, regulatory,
legal, and compliance risks continue to present challenges in the enterprise. With the
proliferation of laws and rules and the increase in stakeholder expectations, your
organization may be more vulnerable to compliance risks than ever (Joydip Kanjilal).
Too many companies are still taking an old-school approach when it comes
to managing compliance risk. Today's issues of risk change at the speed of
business, so your strategy and process must also change quickly. Here's how to go
about doing that.
Many compliance regulations have been enacted to ensure that
organizations operate fairly and ethically. Most organizations have compliance
processes in place to make sure they adhere to all relevant laws and rules, or face
potential legal, financial, and other consequences. 

Compliance risk is any threat to an organization's financial, organizational, or
reputational standing. A well-defined compliance process can reduce your
organization's overall risk of violating these standards—and facing the
consequences.
Compliance management and risk management are related, but they are not
the same thing. Risk management involves predicting and managing risks to help an
organization protect itself from risks that might eventually lead to non-compliance.
For its part, compliance management is the process of managing
compliance within the boundaries of a time frame and a budget. Non-conformance to
compliance regulations is also a risk.
You cannot have a robust risk management program without compliance, and
vice versa. However, to address compliance and risk management, you should have
distinct approaches and execution tactics for both. Non-compliance is a risk, but risk
management is not compliance.
Business is changing so rapidly that the old, reactive ways of managing
compliance risks might lead organizations to fall behind the competition or leave
them exposed to larger regulatory or reputational risks than they ever expected.
This is why some organizations are finding ways to better manage compliance
risks and be more risk intelligent, which involves being more aware of today's
risks. You need an integrated compliance model across the organization to keep
compliance risk in check, and to ensure that ethics policies are followed at every
level in the organization.
It requires a holistic approach toward managing compliance in an
organization. The goal is to provide a single, enterprise-wide solution
toward managing compliance. The benefits of an integrated compliance strategy
include reduced risk, faster time to market, reduced costs, enhanced customer
experiences, and more.

Risk managers work with companies to assess and identify the potential
risks that may hinder the reputation, safety, security and financial prosperity of their
organization. Once these risks have been identified, assessed and evaluated, risk
managers are then tasked with implementing processes and procedures to ensure
that their client is fully prepared to deal with any potential threats
(https://www.allaboutcareers.com/careers/job-profile/risk-manager).
A risk manager’s job is inspired by the mantra, “prevention is better than
cure.” It’s all about avoiding threats and mitigating the effects of those which are
essentially unavoidable.
Risk management careers are highly analytical and a large part of your time
will be focused on conducting detailed risk assessments. This process involves
analyzing documents, statistics, reports and market trends. You’ll also be required to
assess the organization’s previous risk management policies and protocols.
Risk management is also about understanding an organization’s business
objectives. You’ll need to gather information about your client’s outgoings, legal
responsibilities and environmental policies, and then evaluate the effects of any
proposed risks against these current processes.
Life as a risk manager, however, is not just about going through information
with a fine tooth comb: you’ll also need to have the ability to build relationships with
your clients and their stakeholders. For instance, based on your analysis, you’ll have
to produce risk reports, attend meetings and present your proposals to senior
members of staff.
The kind of solutions which risk managers suggest and implement are likely to
include insurance, health and safety policies, disaster recovery measures and
business continuity plans. Once these have been put in place, risk managers will
often return to organizations again in the future to conduct additional audits and
assessments. 
Likewise, here in the Philippines, where many struggles, problems and decisions
go into making a business work in practice to fulfill its organizational goals, the
main aims of this study are supported by the following questions: Is the risk manager
ready to face risk compliance decisions? Are they risk compliance oriented? When they
encounter problems, what do they do? And what solutions do they employ?

In this study, the researcher will assess Compliance Risk Management in
the business firms in the National Capital Region, with risk managers as the
respondents. The research paradigm (Figure 1) shows three frames using the
system model approach. The first frame (Input) contains the demographic profile,
the perceptions of the risk manager, and the problems encountered and solutions when
they used compliance risk management. The second frame (Process)
refers to the various strategies for finding out results. Lastly, the third frame (Output) is the
updated databank on the relationship with regard to compliance risk management
variables and their significant relationship to demographic profile, perceptions,
problems encountered and upgraded solutions.

Conceptual Framework

INPUT

1. Demographic profile of the respondents:
1.1. age;
1.2. gender;
1.3. educational attainment;
1.4. years in the company; and
1.5. years experienced as risk manager.
2. Perceptions of risk manager in compliance risk management used in the business firm.
3. Problems encountered by the risk manager when they decide using compliance risk management in the business firm.
4. Solutions of the risk manager to avoid problem when using compliance risk management in the business firm.

PROCESS

Databank of the respondents:
a. Demographic Profile/Risk Manager:
a.1. Retailer/Seller/Trader
a.2. Manufacturer
b. Statistical treatment and interpretation with regards to collected data.
c. Presentation, analysis and interpretation.

OUTPUT

Updated data bank of the respondents:
- Significant relationship on the perceptions of risk manager with regards to compliance risk management in the business firm.
- Significant relationship on the problems encountered by the risk manager when they used compliance risk management in the business firm.
- Upgraded solutions of the risk manager avoiding problem when they used compliance risk management in the business firm.

Figure 1 – Paradigm of the Study

Statement of the Problem

This study aims to assess Compliance Risk Management decisions in the
business firms as encountered by the risk managers in the National Capital Region.

Specifically, it seeks to answer the following:

1. What is the profile of the respondents with regard to:

1.1. age;

1.2. gender;

1.3. educational attainment;

1.4. years in the company; and

1.5. years experienced as risk manager?

2. What are the perceptions of the risk manager in compliance risk management
used in the business firm?

3. What are the problems encountered by the risk manager when they decide
to use compliance risk management in the business firm?

4. Is there a significant relationship in the assessment of the respondents' profile
to the perceptions of the risk manager with regard to compliance risk management in
the business firm?

5. Is there a significant relationship in the assessment of the respondents'
profile to the problems encountered by the risk manager when they used compliance risk
management in the business firm?

6. What are the solutions of the risk manager to avoid problems when they use
compliance risk management in the business firm?

Hypothesis

There is no significant relationship in the assessment of the respondents'
profile to the perceptions of the risk manager with regard to compliance risk
management that may affect business firms.

There is a significant relationship in the assessment of the respondents' profile
to the problems encountered by the risk manager when they used compliance risk
management in the business firm.

Scope and Delimitation of the Study

The study aims to assess risk managers as they used compliance risk
management in the business firms in the National Capital Region. The respondents,
distributed as shown in Figure 2, are sixty (60) risk managers in the National Capital
Region who have already used compliance risk management. The study was delimited to
sixty (60) risk managers in business firms due to its peculiarity. This study will be
conducted from June to August 2020.

Figure 2

No.  Business Firms            Number of Respondents
1    Retailers/Sales/Trading   20
2    Manufacturing             40
     Total                     60

Chapter 2 Review of Related Literature and Study

This chapter deals with a review of related literature and studies which have
significant bearing on this study and will help the researcher determine the appropriate
components to include in the assessment of risk managers with regard to compliance
risk management in the business firms.
Related Literature and Study
Risk managers work with companies to assess and identify the potential
risks that may hinder the reputation, safety, security and financial prosperity of their
organization (https://www.allaboutcareers.com/careers/job-profile/risk-manager).
Once these risks have been identified, assessed and evaluated, risk
managers are then tasked with implementing processes and procedures to ensure
that their client is fully prepared to deal with any potential threats.
A risk manager’s job is inspired by the mantra, “prevention is better than
cure.” It’s all about avoiding threats and mitigating the effects of those which are
essentially unavoidable.
Risk management careers are highly analytical and a large part of your time
will be focused on conducting detailed risk assessments. This process involves
analyzing documents, statistics, reports and market trends. You’ll also be required to
assess the organization’s previous risk management policies and protocols.
Risk management is also about understanding an organization’s business
objectives. You’ll need to gather information about your client’s outgoings, legal
responsibilities and environmental policies, and then evaluate the effects of any
proposed risks against these current processes.
Life as a risk manager, however, is not just about going through information
with a fine tooth comb: you’ll also need to have the ability to build relationships with
your clients and their stakeholders. For instance, based on your analysis, you’ll have
to produce risk reports, attend meetings and present your proposals to senior
members of staff.
The kind of solutions which risk managers suggest and implement are likely to
include insurance, health and safety policies, disaster recovery measures and
business continuity plans. Once these have been put in place, risk managers will
often return to organizations again in the future to conduct additional audits and
assessments.
Compliance risk is exposure to legal penalties, financial forfeiture and material
loss an organization faces when it fails to act in accordance with industry laws and
regulations, internal policies or prescribed best practices
(WhatIs.com). Compliance risk is also sometimes known as integrity risk. Many
compliance regulations are enacted to ensure that organizations operate fairly and
ethically. For that reason, compliance risk is also known as integrity
risk. Compliance risk management is part of the collective governance, risk
management and compliance (GRC) discipline. The three fields frequently overlap in
the areas of incident management, internal auditing, operational risk assessment,
and compliance with regulations such as the Sarbanes-Oxley Act in the United States
of America. Penalties for compliance violations include payments for damages, fines
and voided contracts, which can lead to the organization's loss of reputation and
business opportunities, as well as the devaluation of its franchises.
According to John Spacey (https://simplicable.com/new/compliance-risk), in an
article dated August 27, 2015 and updated on November 05, 2016, compliance risk is the
potential losses and legal penalties due to failure to comply with laws or regulations.
In many cases, businesses that fully intend to comply with the law still have
compliance risks due to the possibility of management failures. The following are a
few examples of compliance risks.
1. Environmental Risk - Potential for damage to living organisms or the environment
arising out of an organization’s activities.
2. Workplace Health and Safety - Risks related to all aspects of health and safety in
the workplace such as accidents or repetitive strain injuries.
3. Corrupt Practices - The potential for corrupt practices such as bribery or fraud.
Organizations are generally responsible for the actions of their employees and agents
in this regard.
4. Social Responsibility - The risk that your business activities will harm your
workers or the people in the communities in which you operate.
5. Quality - Releasing a low quality product or service that fails to meet the
expected level of due diligence in your industry or that violates laws and regulations.
6. Process Risk - The risk that your processes will fail resulting in legal violations
such as failure to meet your responsibilities to your customers or partners. Process
failures can also result in reporting or accounting errors that breach your duties to
your investors.
All risk management plans follow the same steps that combine to make up the
overall risk management process:

• Establish context. Understand the circumstances in which the rest of the
process will take place. The criteria that will be used to evaluate risk should also
be established and the structure of the analysis should be defined.

• Risk identification. The company identifies and defines potential risks that
may negatively influence a specific company process or project.

• Risk analysis. Once specific types of risk are identified, the company then
determines the odds of them occurring, as well as their consequences. The goal
of risk analysis is to further understand each specific instance of risk, and how it
could influence the company's projects and objectives.

• Risk assessment and evaluation. The risk is then further evaluated after
determining the risk's overall likelihood of occurrence combined with its overall
consequence. The company can then make decisions on whether the risk is
acceptable and whether the company is willing to take it on based on its risk
appetite.

• Risk mitigation. During this step, companies assess their highest-ranked
risks and develop a plan to alleviate them using specific risk controls. These
plans include risk mitigation processes, risk prevention tactics and contingency
plans in the event the risk comes to fruition.

• Risk monitoring. Part of the mitigation plan includes following up on both the
risks and the overall plan to continuously monitor and track new and existing
risks. The overall risk management process should also be reviewed and
updated accordingly.

• Communicate and consult. Internal and external shareholders should be
included in communication and consultation at each appropriate step of the risk
management process and in regards to the process as a whole.

Risk management strategies should also attempt to answer the following questions:
1. What can go wrong? Consider both the workplace as a whole and individual
work.
2. How will it affect the organization? Consider the probability of the event and
whether it will have a large or small impact.
3. What can be done? What steps can be taken to prevent the loss? What can
be done to recover if a loss does occur?
4. If something happens, how will the organization pay for it?
Risk management approaches
After the company's specific risks are identified and the risk management
process has been implemented, there are several different strategies companies can
take in regard to different types of risk:

• Risk avoidance. While the complete elimination of all risk is rarely possible, a
risk avoidance strategy is designed to deflect as many threats as possible in
order to avoid the costly and disruptive consequences of a damaging event.

• Risk reduction. Companies are sometimes able to reduce the amount of
damage certain risks can have on company processes. This is achieved by
adjusting certain aspects of an overall project plan or company process, or by
reducing its scope.

• Risk sharing. Sometimes, the consequences of a risk are shared, or
distributed among several of the project's participants or business departments.
The risk could also be shared with a third party, such as a vendor or business
partner.

• Risk retaining. Sometimes, companies decide a risk is worth it from a
business standpoint, and decide to keep the risk and deal with any potential
fallout. Companies will often retain a certain level of risk if a project's anticipated
profit is greater than the costs of its potential risk.
Limitations
While risk management can be an extremely beneficial practice for
organizations, its limitations should also be considered. Many risk analysis
techniques -- such as creating a model or simulation -- require gathering large
amounts of data. This extensive data collection can be expensive and is not
guaranteed to be reliable.
Furthermore, the use of data in decision making processes may have poor
outcomes if simple indicators are used to reflect the much more complex realities of
the situation. Similarly, adopting a decision throughout the whole project that was
intended for one small aspect can lead to unexpected results.
Another limitation is the lack of analysis expertise and time. Computer
software programs have been developed to simulate events that might have a
negative impact on the company. While cost effective, these complex programs
require trained personnel with comprehensive skills and knowledge in order to
accurately understand the generated results. Analyzing historical data to identify
risks also requires highly trained personnel. These individuals may not always be
assigned to the project. Even if they are, there frequently is not enough time to
gather all their findings, thus resulting in conflicts.
Other limitations include:
• A false sense of stability. Value-at-risk measures focus on the past instead
of the future. Therefore, the longer things go smoothly, the better the situation
looks. Unfortunately, this makes a downturn more likely.
• The illusion of control. Risk models can give organizations the false belief
that they can quantify and regulate every potential risk. This may cause an
organization to neglect the possibility of novel or unexpected risks. Furthermore,
there is no historical data for new products, so there's no experience to base
models on.
• Failure to see the big picture. It's difficult to see and understand the
complete picture of cumulative risk.
• Risk management is immature. An organization's risk management policies
are underdeveloped and lack the history to make accurate evaluations.
Risk management standards
Since the early 2000s, several industry and government bodies have
expanded regulatory compliance rules that scrutinize companies' risk management
plans, policies and procedures. In an increasing number of industries, boards of
directors are required to review and report on the adequacy of enterprise risk
management processes. As a result, risk analysis, internal audits and other means
of risk assessment have become major components of business strategy.
Risk management standards have been developed by several organizations,
including the National Institute of Standards and Technology (NIST) and the
International Organization for Standardization (ISO). These standards are designed
to help organizations identify specific threats, assess unique vulnerabilities to
determine their risk, identify ways to reduce these risks and then implement risk
reduction efforts according to organizational strategy.
The ISO 31000 principles, for example, provide frameworks for risk
management process improvements that can be used by companies, regardless of
the organization's size or target sector. The ISO 31000 is designed to "increase the
likelihood of achieving objectives, improve the identification of opportunities and
threats, and effectively allocate and use resources for risk treatment," according to
the ISO website. Although ISO 31000 cannot be used for certification purposes, it
can help provide guidance for internal or external risk audit, and it allows
organizations to compare their risk management practices with the internationally
recognized benchmarks.
The ISO recommends the following target areas, or principles, should be part of
the overall risk management process:
• The process should create value for the organization.
• It should be an integral part of the overall organizational process.
• It should factor into the company's overall decision-making process.
• It must explicitly address any uncertainty.
• It should be systematic and structured.
• It should be based on the best available information.
• It should be tailored to the project.
• It must take into account human factors, including potential errors.
• It should be transparent and all-inclusive.
• It should be adaptable to change.
• It should be continuously monitored and improved upon.

The ISO standards and others like it have been developed worldwide to help
organizations systematically implement risk management best practices. The
ultimate goal for these standards is to establish common frameworks and processes
to effectively implement risk management strategies.
These standards are often recognized by international regulatory bodies, or by
target industry groups. They are also regularly supplemented and updated to reflect
rapidly changing sources of business risk. Although following these standards is
usually voluntary, adherence may be required by industry regulators or through
business contracts.
In the article "Here's a better way to do compliance and risk management"
(https://techbeacon.com/security/heres-better-way-do-compliance-risk-management),
Joydip Kanjilal states that as government regulations spread around the
globe, geopolitical, regulatory, legal, and compliance risks continue to
present challenges in the enterprise. With the proliferation of laws and rules and the
increase in stakeholder expectations, your organization may be more vulnerable to
compliance risks than ever.
Too many companies are still taking an old-school approach when it comes
to managing compliance risk. Today's issues of risk change at the speed of
business, so your strategy and process must also change quickly. Here's how to go
about doing that.
Many compliance regulations have been enacted to ensure that
organizations operate fairly and ethically. Most organizations have compliance
processes in place to make sure they adhere to all relevant laws and rules, or face
potential legal, financial, and other consequences. 
Compliance risk is any threat to an organization's financial, organizational, or
reputational standing. A well-defined compliance process can reduce your
organization's overall risk of violating these standards—and facing the
consequences.
Compliance management and risk management are related, but they are not the
same thing. Risk management involves predicting and managing risks to help an
organization protect itself from risks that might eventually lead to non-compliance.
For its part, compliance management is the process of managing
compliance within the boundaries of a time frame and a budget. Non-conformance to
compliance regulations is also a risk. You cannot have a robust risk management
program without compliance, and vice versa. However, to address compliance and
risk management, you should have distinct approaches and execution tactics for
both. Non-compliance is a risk, but risk management is not compliance. Hence,
these two should be dealt with differently. The correct risk management strategy can
tackle both compliance and risk management.
The traditional approach 
Typically, a compliance team assesses the existing program, which includes
evaluating the process and technology and analyzing ways to improve how
compliance is being managed. The compliance team also manages a budget to
invest in any new technologies needed to attain the desired objectives, and assigns
resources to reach the goals and objectives.
To identify, manage, monitor, and reduce compliance risks in an organization,
you need to take advantage of certain strategies. These include identifying the areas
of high risk, and ensuring that regulatory alerts and updates are actionable—all of
which the compliance team manages.
Doing it differently: Become more risk intelligent
Business is changing so rapidly that the old, reactive ways of managing
compliance risks might lead organizations to fall behind the competition or leave
them exposed to larger regulatory or reputational risks than they ever expected.
This is why some organizations are finding ways to better manage compliance
risks and be more risk intelligent, which involves being more aware of today's
risks. You need an integrated compliance model across the organization to keep
compliance risk in check, and to ensure that ethics policies are followed at every
level in the organization. It requires a holistic approach toward managing compliance
in an organization. The goal is to provide a single, enterprise-wide solution
toward managing compliance. The benefits of an integrated compliance strategy
include reduced risk, faster time to market, reduced costs, enhanced customer
experiences, and more.
How to approach risk management now

Companies in the same industry and of the same size are likely facing similar
compliance challenges. What are your peers doing to mitigate such risks? Business
leaders need to come up with a unique compliance management strategy that does
not follow the same approach used by their peers. 
Here's why: If you are handling compliance risk management like everyone
else, how can you gain an edge? Evolve your risk management approach by
analyzing what your organization is doing today and how it should be doing it
tomorrow.
Here are six ways in which you can handle compliance in a different way:
1. Adopt a unique compliance strategy 
Such a strategy may anticipate future industry trends across business,
products, services, and geographies. This will help the organization gain a
competitive advantage through well-planned compliance management programs.
2. Technology and tools
The right combination of technology and best practices can make your
compliance process more effective. With today's tools and technologies, it is not that
difficult to stay ahead. An efficient approach for managing compliance risk is to use
tools that can extract data from your systems and then tell you what is deviating from
the desired policies. 
3. Framework to manage compliance risk
One way to improve how you manage compliance risk is to build a framework
and methodology for assessing the risks. This framework should, in turn, be
comprehensive and customizable. A compliance framework refers to a set of
guidelines and policies that discuss how an organization can adhere to compliance
regulations. Typically, it is developed by the compliance and risk management teams
in an enterprise. It may be built from scratch, or existing frameworks can be
leveraged. This is at the discretion of the enterprise. Some ready-built compliance
frameworks available include the COBIT 5 Framework and the Unified Compliance
Framework. 
4. Increased collaboration
Increase collaboration and functional integration among all those who are
involved in various areas of compliance, including senior managers and the
compliance and risk management teams. There should also be an automated
workflow in place to deal with the complete compliance process; this workflow is
typically created by the compliance management and development teams.
5. Enterprise-wide risk management process
Risk and compliance should be integrated into an enterprise-wide risk
management process. This will ensure that any risks and compliance issues faced
by the organization are not considered in isolation. It should include all activities
related to risk management and compliance, and it should provide a framework that
can be leveraged to assess an organization's exposure to risk. This helps the
organization make timely and well-informed decisions. Employees ranging from
senior managers to risk practitioners should be involved in this. To get started,
establish an enterprise risk structure that matches your organization's structure.
6. Training
To better manage compliance risks, you should have a well-defined process
as well as well-documented policies, procedures, and guidelines. Corporate
leadership should communicate expectations and values. It is imperative that training
help make everyone aware of what he or she should adhere to—all related laws,
regulations, and company policies. Periodic checks should also be conducted to
ensure that people are following the rules—at least, until the compliance culture fully
takes effect.
Compliance should be a culture
For compliance management to be a success, merely following the right strategies,
adopting the right tools, and doing the same old thing won't be enough. You must
create a culture of compliance across the organization. And, ultimately, adherence to
compliance shouldn't have to be imposed on employees, but rather, should come
from within.

Business processes fulfill business objectives and goals by executing and
coordinating value-adding activities, thereby creating value for the organization
(Rikhardsson et al., 2006; Sienou, Lamine and Pingaud, 2008). Historically the focus
of business process improvement has been on increasing value by levering
efficiency and effectiveness (Kettinger, Teng and Guha, 1996; Jeston and Nelis,
2006). However, the execution of business processes can lead to the manifestation
of risk. Risk, in turn, can reduce value created by business processes and create
negative returns. When considering the risk-adjusted value of a business process, the
overall perceived value to the organization changes (Zur Muehlen and Rosemann,
2005; Rikhardsson et al., 2006; Jallow et al., 2007; Zoet et al., 2009). To prevent the
manifestation of risk and preserve added value, effective governance needs to be
applied. To realize a proper governance structure, organizations implement
compliance and risk management and business rules
management solutions (Ross, 2003; IT Governance Institute, 2007; Tarantino,
2008).
In the paper by Ravesteyn, P., Versendaal, J., & Zoet, M., “A
Business Rules Viewpoint on Risk and Compliance Management”, 24th Bled
eConference eFuture: Creating Solutions for the Individual, Organizations and
Society, June 12 - 15, 2011, Bled, Slovenia, the authors defined a meta-model in order to
answer the research question: how to integrate risk management, compliance
management and business rules management, such that it gives a complete,
accurate and usable representation for organizations? They elaborated the
difference between operational and compliance risk, leading to the conclusion that
both are specific risk concerns an organizational stakeholder can be held
responsible for. Additionally, they elaborated on the relationship between operational
risk, compliance risk, business rules management (BRM) and requirements, resulting
in the defined meta-model. The meta-model has been tested on 103 situations at six
organizations; the paper discussed one particular situation in detail. The research
enabled the authors to conclude that their meta-model contributes to the integration of
the different fields. While doing so, their approach does not contradict or conflict with
current languages present in the fields of enterprise architecture or business rules.
This work represents a further step in research on synthesizing risk management,
compliance management and BRM. While that work has focused on constructing and
validating a meta-model, future research should explore a proper way of presenting,
communicating and using the meta-model. A promising approach and direction for
subsequent research would be the work of Engelsman et al. (2010), who have created
a comparable model (ARMOR). The model has significant differences, though. ARMOR
does not address business rules, yet it deals with requirements and implementation
mechanisms in a more detailed manner, thereby aligning with a specific modeling
language: ArchiMate. Recognizing this difference, ARMOR might provide a possible
modeling language on top of their meta-model.
Risk management is achieved through certain steps and methodologies that
are selected based on the type of risk involved. One type of risk that
business organizations are likely to face is ethics risk. Risks associated with
ethics revolve around the consequences of unethical and immoral action at any level
of the organization. Although all employees must comply with the ethics of the
business entity, the management bears the major responsibility of maintaining ethics,
as they constantly face decisions concerning ethics. They often set an
example for the rest of the staff to follow. The relationship between risk management
and business ethics is strong and clear. Ethics must be considered by risk
management officials to avoid any unethical actions that might not only harm but
also destroy the whole business. Modern business history is abundant with
examples of companies that incurred great losses in the form of reputation loss or
financial loss due to fines because of scandals and unethical actions. It seems that
risk management cannot be effective and efficient without taking into consideration
business ethics risks. It can be concluded that business ethics is not just a fancy
term that corporations brag about in the business world; compliance with business
ethics is a real comparative edge for organizations that practice effective risk
management.
Based on the research findings by Abdeldayem, MM. & Darwish, S., “Risk
Management and Business Ethics: Relations and Impact in the GCC”, the following
recommendations are suggested for business organizations. Through these
recommendations, businesses could achieve proper business ethics risk
management:
• Business management should learn from history that although unethical business
practice may result in quick profits, it causes great harm to the company when
exposed, such as reputation loss and huge compensations for the harmed
• Business ethics must be considered an essential aspect of risk management, as an
ethics risk is so serious that it may lead to the destruction of the whole business.
• There are many business ethics risk management models that are useful for
organizations to follow; however, the model for managing ethics risks must be based
on predefined ethical principles that take into consideration the interests of all people
involved.
• Managers must be role models for the rest of the employees in an organization;
as such, trust and loyalty become prevalent in the work environment.
• Ethical issues must be approached based on predetermined ethical principles to
avoid any bias by any party.
Every enterprise must, as part of its business activities, face certain risks that
may lead to a reduction in the value of the organization, its weakening or even may
be the reason for its decline. Therefore, it is necessary to prevent these risks or
minimize their impact. And with it grows the importance of risk management, which
Veber (2014, p. 604) describes as "a systematic and coordinated way of working
with the risks applied throughout the organization, i.e. at all levels of management,
including all processes and all kinds of risks with respect to their relationships." Many
managers believe they pay close attention to the risks; however, especially in small
businesses, the risks are monitored unsystematically, at random, intuitively and
informally. Quite often, the predominant belief is that the management or the owner
knows well all possible risks, so there is no need to deal with them separately.
Another pitfall is the monitoring of risks with only narrowly defined criteria, which can
lead to biased results and erroneous managerial decisions (see Alquier, Tignol,
2006). For example: the critical problem, which greatly affects the decision-making
of the enterprise, is to identify potential cost savings (Vetráková, Potkány, Hitka,
2013). Another misconception is that the term risk management refers only to
interventions, or remedial measures that are taken in response to the manifestations
of risks. This article focuses on risk analysis in a small business as part of risk
management, using methods that are suitable for such an entity, and in relation to
the other stages of risk management. The aim is to identify risks that could
significantly affect the performance of the selected small business. SMEs play
a fundamental role in society from an economic and social point of view; in Europe
they comprise 99.8% of the total number of companies (Verbano, Venturini, 2013).

The research study by Doupalová, V., & Myšková, R., “Approach to Risk
Management Decision-Making in the Small Business”, stated that the correctness of the
solution to any problem is always associated with the quality of the analysis that is
performed as part of risk management. It is a repetitive process that includes risk
identification, risk assessment and follow-up measures to reduce them, and
throughout this process it is necessary to carry out checks and monitoring. The risk
analysis cannot therefore be independent and must always be based on the needs
of the company management. It is necessary to regularly monitor and assess any
new or induced risks - given that the company and its surroundings are constantly
evolving. Events that may occur and need to be taken into account relate not only to
the emergence of new risks, but also the passing of some threats. The actual
identification of risks is based on analyzing the internal and external environment of
the company in order to identify all the factors that could in any way affect the targets
set by the company. It is necessary that it is dealt with by a group of workers, not just
an individual. In practice of small businesses, it often happens that due to fears of
misuse of information, the identification of risks is carried out only by the owner or a
manager. It is true that the sources and scope of information differ depending on the
size of the enterprise; however, experience shows that cooperation with the
skeleton staff supports the early detection of potential threats and opportunities. In a
small enterprise, particularly beneficial are group discussions (brainstorming, Delphi,
etc.), under which the risks can be identified and assessed by the probability of their
occurrence and the extent of their impact on the basis of an educated guess. The
qualitative risk analysis methods can be combined with mathematical calculations,
including the use of undemanding, commonly used statistical methods. This
procedure, in which it is also advisable to determine the risk impact using financial
expression (usually a loss), helps to make decisions on accepting or rejecting the
risk, and also supports the correct choice of appropriate measures. For the visual
presentation of the results of the risk analysis, it is possible to use the so-called risk
matrix. Its level of detail depends on the needs of the management. When doing
business, we can never completely eliminate potential risks; however, in the case of
negative factors we can reduce them through appropriate procedures and measures.
Even in a small business, the management can choose the proactive approach
consisting in e.g. the transfer of risks to other entities, the creation of reserves,
obtaining of additional information and others. It can be supplemented with any
activity aimed at reducing the adverse consequences of risks, e.g. diversification,
risk sharing and insurance. Rapid changes in the economic situation and the growing
rivalry in the competitive environment lead to displacing of the traditional approach to
risks, which was defensive and passive, according to Chevalier (1994). Therefore,
even a small business management should focus primarily on eliminating the causes
of controllable risks. This requires constantly obtaining relevant information, focusing
on better use of the company resources and developing relationships with
customers. Small and medium businesses still make insufficient use of grants and
projects, due to the lack of information and fear of potential, often unidentified, risks.


Chapter 3 Research Methodology

This chapter deals with the research design, instruments used, subject of the
study, sampling technique, data gathering procedure, and statistical treatment of
data, which provided the framework in answering questions posed in the study.

Research Design

The researcher will utilize and apply the descriptive-correlation design.
According to Sevilla et al. (2017), this design determines the extent to which the
variables are related to each other in the population of interest. The critical
distinguishing characteristic is the effort to estimate a relationship, as distinguished
from simple description.

Further, the study will use the descriptive method of research, which will
describe and interpret the assessment of risk managers in using compliance risk
management.

Descriptive research involves description, recording, analysis and
interpretation of the status and condition that are obtained in a particular research
situation. It is also a method that describes and interprets the revealed conditions,
the relationships that exist and do not exist, the practices that prevail, and people's
points of view. It usually involves comparison or contrast, and may attempt to discover
a cause-and-effect relationship that exists between non-manipulative variables.

Locale and Population of the Study

The study will involve sixty (60) risk managers in business firms in the National
Capital Region. They were categorized as Retailers/Sellers/Traders and
Manufacturing business firms.

The list of companies will be requested and taken from the Securities and Exchange
Commission, and the risk managers shall be randomly selected based on their
availability to answer questions on a structured questionnaire.

Data Gathering Instrument, Procedures and Validations of Questionnaires

A questionnaire is the main tool of the study; it is based on readings of
books, journals, and magazines. It has three parts: the cover letter, demography,
and the questions proper.

Cronbach’s alpha will be used in determining the reliability of the instrument.
A Cronbach’s alpha coefficient will show the instrument reliability.

Data will be gathered, collected, tabulated, and computed based on the desired
analysis according to the statement of the problem of the study. The data will then be
subjected to analysis using descriptive statistics such as percentage, frequency
counts, standard deviation, and mean to describe the profile of the respondents.
To determine the relationship of the risk managers' profile to their perception of
compliance risk management used by the business firms, and the relationship of the
risk managers' profile to the problems encountered when they use compliance risk
management in solving problems, the Pearson product-moment correlation will be
used.


References:

Abdeldayem, MM. & Darwish, S. (2019), “Risk Management and Business
Ethics: Relations and Impact in the GCC”, International Journal of Civil Engineering
and Technology (IJCIET), Volume 10, Issue 10, October 2019, pp. 489-504, Article
ID: IJCIET_10_10_047. Available online at
http://www.iaeme.com/ijciet/issues.asp?JType=IJCIET&VType=10&IType=10
ISSN Print: 0976-6308 and ISSN Online: 0976-6316

Doupalová, V., & Myšková, R. (2015), “Approach to Risk Management
Decision-Making in the Small Business”, University of Pardubice, Faculty of
Economics and Administration, Pardubice 530 02, Czech Republic - Procedia
Economics and Finance 34 (2015) 329–336

Ravesteyn, P., Versendaal, J., & Zoet, M., “A Business Rules Viewpoint on
Risk and Compliance Management”, 24th Bled eConference eFuture: Creating
Solutions for the Individual, Organizations and Society, June 12 - 15, 2011; Bled,
Slovenia

https://www.allaboutcareers.com/careers/job-profile/risk-manager
https://searchcompliance.techtarget.com/definition/compliance-risk
https://searchcompliance.techtarget.com/definition/risk-management

https://techbeacon.com/security/heres-better-way-do-compliance-risk-management

Concept by: Submitted to:


Manuel L. Hermosa Dr. Cecile F. Jose
RTU - DBA Student Graduate Studies, Professional Lecturer
