Compliance risk is the possibility of legal or regulatory sanctions, financial loss, operational restriction or reputational harm arising from failure to comply with applicable law, regulation, licence conditions, contracts, industry standards or internal policy. It is also associated with conduct and integrity because compliance concerns fair and ethical behaviour.
Compliance risk management identifies obligations, assesses exposure, assigns ownership, designs controls, monitors performance and corrects deficiencies. Policies alone are insufficient: an organisation needs evidence that requirements operate through decisions, systems, products, third parties and everyday work.
The framework should form part of wider governance, enterprise risk and internal-control arrangements. Its scope should reflect the organisation’s size, sector, markets, products, customers and delivery channels.

