
Role of Risk and Compliance management

Introduction and understanding of the terms below

Risk is the degree of uncertainty or potential financial loss inherent in an investment (D. Van Well-Stam et al., 2003).

The Basel Committee on Banking Supervision defines compliance risk as the state of being in accordance with established guidelines or specifications set by an organization.

Corporate compliance is the program an organization implements to assure that its employees and third parties obey all relevant laws, regulations, and other obligations the business might have.

More plainly, we could say corporate compliance is about helping your organization to avoid trouble with the law. You implement a Code of Conduct, policies, procedures, and other internal controls to steer your workforce to certain standards of behavior. The objective is to assure that the company’s conduct remains in compliance with the law.

According to Matt Kelly (2021), risk management is the program an organization implements to help it identify and avoid unwanted risks. As you can see, risk management is broader than corporate compliance. It can encompass an enormous range of risks, and many of them will have nothing to do with violating laws or regulations.

Many central banks differ in how they operate, but one thing they have in common is a compliance department. The compliance department acts as a bank’s internal police force. It is the unit that ensures that a financial institution complies with applicable laws, regulations, and rules, and it plays an essential role in helping to preserve the integrity and reputation of the bank.

Furthermore, Marshall (2020) writes that the compliance department ensures that a business adheres to external rules and internal controls. In the financial services sector, compliance departments work to meet key regulatory objectives to protect investors and ensure that markets are fair, efficient, and transparent. They also seek to reduce systemic risk and financial crime.

These objectives are designed to support consumer confidence in the financial system. Financial services organizations also are subject to regulatory business rules that govern advertising, customer communications, conflicts of interest, customer understanding and suitability, customer dealings, client assets, and money as well as rule-breaking and errors.

The compliance department is tasked with closely watching that financial services businesses adhere to external regulations and internal controls. It also identifies risks that an organization faces and advises on how to avoid or address them.

The 2008 financial crisis led to increased regulatory scrutiny and regulation, leading compliance departments to go from an advisory role to active risk management.

A compliance department typically has five areas of responsibility: identification, prevention, monitoring and detection, resolution, and advisory. It identifies the risks the organization faces and implements controls to protect the organization from those risks. Compliance monitors and reports on the effectiveness of controls in the management of the organization’s risk exposure. The department also resolves compliance issues as they arise and advises the business on rules and controls.

The compliance department’s ultimate goal is to ensure that a bank does not cross the lines drawn by legislators, regulators or its board of directors (Marshall Hargrave, 2020). Since banks’ activities vary, duties also vary, but each bank should have the responsibilities of its compliance department clearly and specifically outlined.

Common tasks include monitoring the bank’s activities and controls and identifying and analyzing risk areas. This may include assessing and testing the adequacy of the bank’s policies and equipment, such as security and risk assessment tools. The compliance team may also design and implement solutions to address any identified risks, develop compliance programs for new regulations, and oversee employee training programs.

In most cases banks need to transform the role of their compliance departments from that of an adviser to one that puts more emphasis on active risk management and monitoring. In practice this means expanding beyond offering advice on statutory rules, regulations, and laws and becoming an active co-owner of risks, providing independent oversight of the control framework.

Given this evolution, responsibilities of the compliance function are expanding rapidly to include the following:

  • Generating practical perspectives on the applicability of laws, rules, and regulations across businesses and processes, and on how they translate into operational requirements.
  • Creating standards for risk materiality, for example a definition of material risk, tolerance levels, and the tie to risk appetite.
  • Developing and managing a robust risk identification and assessment process or tool kit, for instance a comprehensive inventory of risks, objective risk-assessment scorecards, and a risk-measurement methodology.
  • Developing and enforcing standards for an effective risk-remediation process, for instance root-cause analysis and performance tracking, to ensure it addresses the root causes of compliance issues rather than just “treating the symptoms.”
  • Establishing standards for training programs and incentives tailored to the realities of each type of job or work environment.
  • Ensuring that the front line effectively applies the processes and tools that have been developed by compliance.
  • Approving clients, transactions, and products based on predefined risk-based rules.
  • Performing a regular assessment of the state of the overall compliance program.
  • Understanding the bank’s risk culture and its strengths as well as its potential shortcomings.

Risk culture: the most serious failures across financial institutions in recent times have had a cultural root cause, leading to heightened regulatory expectations (Kharkiv Lyubov, 2018).

The elements of a “strong” risk culture are relatively clear and include timely information sharing and rapid elevation of emerging risks. Effective execution of these expanded responsibilities requires a much deeper understanding of the business processes by compliance. There are several practical ways to set up these links:

  1. Incorporating process walk-throughs into the regular enterprise compliance-risk assessments, for example facilitated workshops with the first and second lines to assess inherent risk exposures and how they affect business processes.
  2. Implementing a formal business-change-management process that flags any significant operational change (for example in volumes, products, workflows, footprint, or systems) to the second line.
  3. Developing a robust tool kit for objectively measuring risk, for example quantitative measurement for measurable risks, risk markers for risks that are harder to quantify, a common inventory of risky outcomes, and scenario analysis and forward-looking assessments.

Compliance risk management is the process of identifying and assessing the legal penalties, financial losses, and material losses associated with an organization’s failure to act in accordance with certain laws and regulations. Risk management is the process of identifying, assessing, and controlling threats to an organization’s capital and earnings. These risks stem from a variety of sources, including financial uncertainties, legal liabilities, technology issues, strategic management errors, accidents, and natural disasters.

James Chen (2023) states that systematic risk refers to the risk inherent to the entire market or market segment. Systematic risk, also known as undiversifiable risk, volatility risk, or market risk, affects the overall market, not just a particular stock or industry. It is due to the influence of external factors on an organization. Such factors are normally uncontrollable from an organization’s point of view. It is macro in nature, as it affects a large number of organizations operating in a similar stream or the same domain. It cannot be planned for by the organization.

Chen (2023) also states that unsystematic risk is a risk or potential danger that is inherent to a specific company or industry. It can be greatly reduced through portfolio diversification across different industries and classes of assets. It is due to the influence of internal factors prevailing within an organization. Such factors are normally controllable from an organization’s point of view. It is micro in nature, as it affects only a particular organization. It can be planned for, so that necessary actions can be taken by the organization to mitigate (reduce the effect of) the risk.

Paul J.M. Klumpes and Patrick Kelliher (2013) describe the following categories of risk. Business risk, also known as liquidity risk, emanates (originates) from the sale and purchase of securities affected by business cycles and technological changes.

Volatility risk, particularly in investment, refers to the risk that a portfolio may experience changes in value due to volatility (price swings) in the value of its underlying assets, particularly a stock or group of stocks experiencing volatility or price fluctuations.

Inflation risk, sometimes called purchasing power risk, is the risk that the cash from an investment won’t be worth as much in the future due to inflation changing its purchasing power.

Market risk is a broad term that encompasses the risk that investments or equities will decline in value due to larger economic or market changes or events. 

Liquidity risk arises when assets or securities cannot be liquidated (that is, turned into cash) fast enough to ride out an especially volatile market. This kind of risk affects the ability of businesses, corporations or individuals to pay off debts without suffering losses. As a general rule, small companies or issuers tend to have a higher liquidity risk because they may not be able to quickly cover debt obligations.

Strategic risk arises when a business does not operate according to its business model or plan. When a company does not operate according to its business model, its strategy becomes less effective over time, and it may struggle to reach its defined goals.

Compliance risk is the risk to earnings or capital arising from violations of, or non-conformance with, laws, rules, regulations, prescribed practices, or ethical standards. Compliance risk also arises in situations where the laws or rules governing certain bank products or activities of the bank’s clients may be ambiguous or untested.

Reputation risk is the risk to earnings or capital arising from negative public opinion. This affects the institution’s ability to establish new relationships or services, or to continue servicing existing relationships.

Foreign exchange risk is the risk to earnings or capital arising from movements in foreign exchange rates. This risk is found in cross-border investing and operating activities. Market-making and position-taking in foreign currencies should be captured under price risk.

Inherent risk is typically defined as the level of risk present in pursuing an entity’s objectives before any action is taken to alter the risk’s impact or likelihood. Put another way, it is the amount of risk that exists when a threat goes untreated or unaddressed.

Residual risk is the level of risk that remains following the development and implementation of the entity’s response. Put another way, it is the risk that remains after your organization has implemented all the security controls, policies, and procedures it believes are appropriate.

In accordance with the Basel Core Principles for Effective Banking Supervision, any central bank should treat compliance in the following risk areas as a priority:

  • Data privacy and cybersecurity breaches. Data privacy practices assure that a bank protects customers’ personally identifiable information (PII) while conducting transactions. Cybersecurity is even broader, meant to protect all of the bank’s electronic processes from disruption by unauthorized parties (including unauthorized employees). The absence of robust cybersecurity procedures and internal controls within a bank can expose it to risks ranging from data breaches to financial fraud, with the risks of regulatory sanctions and civil lawsuits close behind.
  • Anti-Money Laundering (AML) violations. AML compliance refers to the processes, regulations, technological solutions, and other initiatives that combat money laundering efforts, keeping illegitimate funds from entering legitimate financial flows. Banks found guilty of AML violations can face significant legal and regulatory consequences, including fines and reputational damage.
  • Customer Due Diligence (CDD) failures. A bank’s failure to authenticate its customers’ identities, and to understand their business activities, financial transactions, and risk exposure, is referred to as a CDD failure. Inaccurate client identification and verification, poor record-keeping, and inadequate customer transaction monitoring are the most common causes of CDD failures.

The Basel Committee has stated that the best components of a bank’s regulatory compliance and risk management mechanism are the following:

  • Risk assessment programs: mapping the defined laws and regulations that apply to the various lines of business, and establishing a consistent risk language, thresholds, and tolerances.
  • Compliance technology: documenting the technology platforms used by compliance and leveraging automation possibilities for risk assessment, testing, reporting, and issue management.
  • Policies and procedures: developing formalized compliance and risk policies, procedures, and controls documentation, and then establishing and socializing business operating principles.
  • Compliance monitoring and testing: agreeing on the scope, frequency, and schedule for monitoring and testing, and then aligning on corrective actions and remediation plans.
  • Governance: setting and communicating the ‘culture of compliance’ by establishing clear roles and responsibilities, then defining governance processes and managing compliance risk committees.
  • Regulatory interaction and coordination: enterprise-wide rigor for risk examinations, determining communication protocols, and standard responses for regulator inquiries.

Under the Basel II Core Principles for Effective Banking Supervision, the following should be in place to give effect to the risk and compliance management system:

  • Policies and procedures: written documentation outlining the organization’s approach to compliance and how it will be achieved.
  • Regulatory change management: a process for effectively identifying and implementing regulatory change.
  • Compliance risk assessments: a documented approach to identifying and evaluating potential areas of non-compliance and taking appropriate measures to mitigate those risks.
  • Training and communication: tools for ensuring that all employees are aware of their obligations under relevant laws and regulations.
  • Monitoring and reporting: methods for tracking compliance performance and reporting to senior management, the board, and regulators.
  • Complaint management: a system for identifying, logging, resolving, and analyzing consumer complaints.
  • Response and corrective action: a program that addresses compliance breaches promptly and takes appropriate remedial action to prevent recurrence.
  • Risk evaluation: this is where organizations determine how to respond to the risks they face. Techniques include one or more of the following:
      • Risk avoidance: the organization seeks to eliminate, withdraw from or not be involved in the potential risk.
      • Risk mitigation: the organization takes actions to limit or optimize a risk.
      • Risk sharing or transfer: the organization contracts with a third party (e.g., an insurer) to bear some or all of the costs of a risk that may or may not occur.
      • Risk acceptance: the risk falls within the organization’s risk appetite and tolerance and is accepted without further action.
  • Risk treatment: this step involves applying the agreed-upon controls and processes and confirming that they work as planned.
  • Monitoring and review: are the controls working as intended? Can they be improved? Monitoring activities should measure key performance indicators and look for key risk indicators that might trigger a change in strategy.

ISO’s guidelines currently fix a five-step process for risk and compliance management that is used by financial institutions worldwide:

  1. Identify the risks.
  2. Analyze the likelihood and impact of each one.
  3. Prioritize risks based on business objectives.
  4. Treat (or respond to) the risk conditions.
  5. Monitor results and adjust as necessary.

The similarities between compliance and risk management

Despite those differences, compliance and risk management do have a lot in common. For example:

  • Both functions rely on the same basic tools: risk assessments, policies and procedures, internal controls, testing, documentation, and reporting.
  • Both functions exist in the Second Line of Defense, helping senior management to guide operating business units in the First Line of Defense to achieve the company’s objectives.
  • Both functions want the same “ideal state” of operating, where they rely foremost on automated, preventive controls to keep the organization from experiencing unwanted events such as a bribery scandal, a privacy breach, or a liquidity crisis.

In fact, some voices in the compliance and risk management fields argue that compliance is a subset of risk management: it exists to manage compliance risks specifically, which is just one part of a much larger whole. According to this line of thinking, companies develop their corporate compliance function first because it’s a necessity; then they develop a risk management function later, as a next step in evolution, to navigate today’s complex business environment.

There are several approaches that the Department for Risk & Compliance Management can use to help the central bank manage uncertainty. Below is a breakdown of the most common risk management strategies:

Operating Practices: There are countless operating practices that managers can use to reduce the riskiness of their business. Examples include reviewing, analyzing, and improving their safety practices; using outside consultants to audit operational efficiencies; using robust financial planning methods; and diversifying the operations of the business.

Deleveraging: Companies can lower the uncertainty of expected future financial performance by reducing the amount of debt they have. Companies with lower leverage have more flexibility and a lower risk of bankruptcy or ceasing to operate.

It is critical for the Bank of South Sudan (BoSS) to establish and maintain a culture of compliance and integrity. Without it, even the most carefully designed compliance controls will be vulnerable to failure. Culture begins with a sincere commitment to compliance and ethics at the leadership level. The commitment is reflected in several ways, beginning with its inclusion in a code of conduct or business ethics that is written in a manner that clearly articulates expectations of behavior. Leadership can also reinforce and clarify this culture through other communications. Communication and training are also important tools for promoting an ethical culture because each reinforces an overall mindset of compliance and integrity, while also improving awareness of key compliance issues.

Prepared by: Amedeo Oliha Peterno

Banking Operations Department

Accounts Division

Back Office
