
When is Compliance a Risk to Risk Management

By posted 09-21-2009 01:13 PM

I think the term is "boiling the ocean" unless in this emerging green environment consultants are now boiling the world.

I would generally agree that, “not all risk professionals understand compliance” and as a result perform incomprehensible compliance risk assessments. But I find the converse to be also true in that many companies and compliance professionals conflate the idea of a risk assessment with the more extensive concept of enterprise risk management. The less formal and incomplete view of a risk assessment likely comes from the advent of SOX and the U.S. Sentencing Guidelines. Both require companies to assess risks annually, with potential consequences for organizations that don’t. That has driven companies to focus primarily on their compliance risks (since those are the most immediate worries), which is only one component of the overall risk profile that a business may be incurring.

A comprehensive risk management assessment as part of an ERM program would be more far-reaching than an ethics and compliance risk assessment and would delve deeper into strategic planning, operational, and internal controls, as well. The danger here, as points out, is with compliance risks not being addressed and enforced under the authority of the compliance program. Likewise, I've seen where the Chief Compliance Officer leads the enterprise-wide risk assessments and establishes the compliance function as a proxy for enterprise-wide risk management; in other words, risk-management methodologies comprise a subset (one of the 8 elements) of the Compliance Program’s activities, with the danger here of risk management operating within the narrow confines of a compliance risk assessment and neglecting the broader range of risks.

There have been several studies suggesting that while compliance risks may be more immediate, most loss in shareholder value is attributable to strategic and operational blunders; companies that suffered the greatest losses were exposed to more than one type of risk but failed to recognize and manage the relationships among different types of risks.

You don't have to boil the ocean to do a reasonably competent and comprehensive risk assessment that includes compliance risks. I think it just takes a better understanding of each other's respective disciplines.

Attorneys and other GRC professionals often confuse the compliance and ERM frameworks. For example, the Practising Law Institute (PLI) had a past event where one of the session topics involved Distinguishing ERM from compliance. So it seems attorneys need to get educated that they are not the same thing.

A risk management program can collaborate and work well with a compliance one. It doesn't have to be a turf issue. Depending on the organization it may make sense to have a CRO and CCO with one subordinate to the other. For highly regulated industries compliance covers every kind of risk such that the Chief Compliance Officer also manages ERM; for others, compliance risks are a small subset of the broad range of risks to be managed.

I think you can have an integrated role. Maybe an ERM program is an appropriate integration of principles from SOX (302 and 404) with the Sentencing Guidelines? In conjunction they both require companies to assess risks that are both criminal and civil, within a broad range of categories both financial and non-financial. If that is true, it probably doesn’t matter if Risk is under Compliance or vice versa. Maybe the roles of the CRO and CCO are suited to be merged? I think this can be accomplished in an effective way that marries the strengths of both disciplines. But I suspect Roy will think that this will only get in the way of Compliance fixing problems.