Compliance monitoring is probably an established method of assuring ourselves that regulatory risk is well managed. However, if your monitoring is not feeding your risk assessment, there is a fatal flaw.
Compliance monitoring: the idea that, as the second line of defence (2LOD), we carry out assurance of our business and its policies, procedures and controls.
In principle this is proper: it is part of the three lines of defence (3LOD) model and, generally speaking, it is accepted by regulated businesses as best practice.
The real challenge, then, is not the principle but the execution, and then how we integrate the outcomes of this assurance exercise into our decision making, our risk-based approach.
My experience tells me that the best way to do this is by bringing your outcomes into your overall risk management process. Practically, this means that your business risk assessment should house the assurance outcomes, and this is a way in which you can then attribute a confidence level to your assessment of residual risk.
If you’re not doing this, you probably have a risk in your risk management process.