The term ‘Compliance Risk’ refers to an organization’s potential exposure to statutory penalties, financial and material loss, and forfeiture arising from non-compliance with applicable laws, rules and regulations; from procedural non-compliance or delays; from non-conformity with internal policies, procedures and processes; or from breach of contractual obligations. In other words, when a business entity fails to comply with any of its obligations, whether statutory or contractual, it exposes itself to a risk of non-compliance, which is commonly referred to as compliance risk.
In India, compliance risk is not governed by a single, dedicated statute. Instead, each applicable act, rule or regulation provides its own penalties for non-compliance. For example, if a company fails to file its annual return and financial statements at the end of a financial year, it is liable to penalty under the Companies Act, 2013. Similarly, if a factory operates without obtaining the required licence, it is liable under the Factories Act, 1948.
All organizations, whether large or small, a company or a sole proprietorship, for-profit or non-profit, private or governmental, are exposed to such risks.
Compliance Risk can be of the following types:
Regulatory Compliance Risk:
Under this category, any non-compliance with a statutory provision exposes an entity to compliance risk. Generally speaking, a business entity may face such risk under the following heads. Note, however, that the laws applicable to a particular entity will vary with the nature of its business, the number and type of employees it engages, and similar factors.
Labour Compliances:
Non-compliance with applicable labour laws, such as the Shops and Establishments Act, the Provident Fund Act, the Industrial Disputes Act and the Factories Act, gives rise to such risks.
Financial and Corporate Compliances:
Non-compliance with the provisions of the Companies Act, the Partnership Act, the Limited Liability Partnership Act, the SEBI Act, or the FEMA Rules and Regulations gives rise to such risks.
Environmental Compliances:
Non-compliance with applicable environmental laws, such as the Environment (Protection) Act and the rules framed thereunder, gives rise to such risks.
Privacy Law Compliances:
Breach of applicable data protection laws, including the Information Technology Act and the rules and regulations framed thereunder, gives rise to compliance risk under this head.
Procedural/ Process Compliance Risk:
Each organization has a set of internal policies intended to ensure that its business is carried out smoothly. These policies set out how the organization functions, the responsibilities of each person within it, rules regarding their conduct, and the processes and procedures to be followed in pursuit of its business objectives; examples include a remote-working policy or a policy governing the use of customer data.
If any employee or other personnel fails to comply with such policies, the organization is potentially exposed to compliance risk.
In order to keep the compliance risk to which an entity is exposed low or minimal, the organization can: