Compliance is the process by which organisations identify and meet their strategic obligations, whether those obligations arise from law, standards, codes or stakeholder expectations.

Focusing on legal obligations in isolation results in a minimalist and narrow approach, which cannot leverage an organisation’s ability to efficiently manage all aspects of compliance risk.

The Board should articulate the compliance philosophy and ensure that adequate seniority, authority and support are given to the compliance function.


Ethics provide the overarching principles and rules which govern individual and organisational behaviour.

These rules are normally documented in a values statement and reflected in policies, procedures and expected behaviours. An organisation with a strong ethical base is less likely to breach legal obligations, particularly where the law or the circumstances are ill-defined, or where the circumstances likely to be encountered vary considerably. While an organisation will have cultures appropriate to its various functions, it can have only one set of values.

The outcome of a coherent set of values is increased stakeholder trust, leading to lower costs of doing business, easier capital raising and greater market appeal.

Risk Management

The purpose of risk management is to identify potential events that may affect an entity, quantify their impact and likelihood of occurrence, and then manage the risk in accordance with the organisation’s risk appetite.

Risk appetite, the amount of risk an organisation will assume in pursuit of its goals, should be defined by each organisation.

The risk appetite should be aligned with the risk culture, particularly because the risk appetite of individual functions and people will affect adherence to the official (accepted) “appetite stance”.

Even organisations with an extreme risk appetite cannot deliberately choose to ignore the law; they may, however, allocate fewer resources to ensuring strict compliance.