Risk Management, or Enterprise Risk Management (ERM), is the process of identifying, analyzing and then accepting or mitigating the uncertainties that threaten an organization's capital and earnings. These threats, or risks, include financial uncertainty, legal liabilities, strategic management errors, IT security threats (malware, unauthorized access to sensitive data, etc.), accidents and natural disasters. Employees within the Risk Management Group are responsible for evaluating all the risks the company faces, formulating responses and plans of action to mitigate and respond to those risks, and making such plans available to stakeholders, shareholders and potential investors (typically within the company's annual reports).
Common Risk Management job titles: Chief Risk Officer, Chief Executive Officer (CEO), Board of Directors
The Compliance Group is responsible for overseeing all company activities to ensure that they are in line (in "compliance") with applicable laws, rules and regulations, as well as internal codes of conduct, policies and procedures. The group works with the Risk Assessment function to identify risk areas, implements controls to protect the organization from those risks (e.g., monitoring employees' incoming and outgoing communications, flagging emails in which certain keywords or complaints appear, retaining all written correspondence, reviewing the company's transactions and activities, etc.), and sets guidelines for handling issues of non-compliance. Employees within this function also undergo periodic training to keep up to date with constantly shifting internal and external regulations and policies.
Common Compliance job titles: Chief Compliance Officer (CCO), Compliance Officer, Compliance Enforcement Officer, Compliance Investigator
Corporate governance is the system of rules, practices and processes by which a company is directed and controlled. The policies developed by the Corporate Governance Group affect all aspects of the organization, ranging from performance measurement standards and public disclosure of records to policies for the assignment of Board of Director seats. The Corporate Governance Group must balance the interests of, and assign responsibilities to, many groups of stakeholders in the company, including shareholders, board members, C-Suite staff, upper management (SVP, EVP, VP), customers, suppliers, government entities and community members.
Common Corporate Governance job titles: Senior Paralegal, Corporate Governance Coordinator, Policy Administration Analyst
The Ethics function serves as the company's internal control for policies or situations involving ethics, improprieties or misconduct by the company's employees, especially with regard to executive leadership. The Ethics function is usually responsible for company-wide training and education on issues such as conflicts of interest and ethical decision-making. It is also in charge of investigating complaints (internal or external) of ethical misconduct or conflicts of interest involving senior management. Additionally, the Ethics Group is tasked with reviewing other corporate policies to confirm that they are consistent with the company's ethical philosophy.
Common Ethics job titles: Ethics & Compliance Officer, Ethics & Compliance Coordinator, Ethics & Compliance Training Manager
The Internal Audit Group periodically examines the efficiency and performance of both the company's risk control functions (e.g., the Risk Management function, the Compliance function, etc.) and the company's other departments (e.g., HR, Finance, etc.) to ensure that all aspects of the company's business adhere to defined internal and external policies, laws and regulations. The group then reports its findings to management and business unit leaders, with recommendations to improve internal systems and procedures, risk management and governance processes, and internal controls. This function is typically independent of every other role in the company so that it can evaluate management activities and employees without restriction. Audits performed by this group typically examine the company's business structure, compliance with internal and external regulations, standards of employee behavior, and the structure and performance of the company's information systems.
Common Internal Audit job titles: Internal Auditor, Staff Auditor, Internal Compliance Auditor
The Risk Assessment Group is tasked with researching and identifying both current and future risks that may threaten the company's business operations. The Risk Assessment Group's responsibilities range from identifying new competitors, data security issues, reputational or Public Relations (PR) risk, and financial or liquidity risk to product recalls and even weather or natural disaster risks, among other things. The Risk Assessment Group works closely with the Corporate Governance function, which implements corporate policies based on the findings of the Risk Assessment function.
Common Risk Assessment job titles: Market Risk Analyst, Regulatory Compliance Analyst, Compliance Monitoring Analyst
The Risk Reporting Group is tasked with defining the company's data collection procedures (for gathering information on potential risks and on overall policy and employee compliance), creating clear and understandable reports, and distributing them to company management and government institutions. Such reporting is often facilitated through risk management information systems and typically contains the organization's risk profile (the most significant risks and why they are considered significant, how those risks are being controlled, and any control gaps that have been identified along with how these are proposed to be filled), the changes to that risk profile since the last report, and the performance of the risk management "system" or framework. The reports compiled by the Risk Reporting function deal with issues such as environmental impact, financial misstatements or food/drug safety issues.
Common Risk Reporting job titles: Regulatory Reporting Analyst, Regulatory Specialist, Regulatory Reporting Business Analyst