
Introduction
Boards and executive teams face a genuine tension: regulators expect airtight compliance programs while the business demands speed. Most organizations try to resolve it by merging risk and compliance into a single blended function — and end up satisfying neither goal.
The real problem is absent ownership: no clear decision rights, no separate accountability structures, and governance frameworks that look fine on paper but collapse under actual pressure.
PwC's 2025 Global Compliance Survey of 1,802 executives across 63 territories found that 59% report greater confidence in compliance decision-making from coordinated compliance activities. Yet technology adoption across 11 or more compliance activities sits at just 49% — meaning most organizations are coordinating in principle while still operating in silos in practice.
Enterprise risk management (ERM) and compliance are complementary but distinct disciplines. Getting that relationship right — with governance that holds under pressure, not just on paper — is what separates resilient organizations from perpetually reactive ones. The ten practices below provide a framework for doing exactly that.
TL;DR
- Risk and compliance share data and priorities but must maintain separate accountability structures to satisfy regulators
- Board-level risk appetite is the prerequisite — without it, risk and compliance functions pull in opposite directions
- Compliance requires its own risk assessments and direct board access, independent of enterprise risk reporting
- Decision rights and escalation thresholds are what make governance real: they must be inspectable, not just written down
- Board reporting should surface trend and materiality — stable dashboards consistently outperform dense status updates
Why the ERM–Compliance Relationship Matters
ERM is the organization-wide process for identifying, assessing, prioritizing, and responding to all categories of risk — strategic, operational, financial, cyber, and third-party — to protect and advance business objectives. Compliance management is the specialized function responsible for legal and regulatory obligations within that broader landscape.
The coordination model works as follows:
- ERM acts as the enterprise-wide aggregator and strategic reporter
- Compliance maintains specialized expertise and independent oversight
- Both functions share data and align on risk priorities
- Both retain separate accountability structures
That last point isn't optional. The DOJ's 2024 Evaluation of Corporate Compliance Programs specifically evaluates whether compliance has "sufficient autonomy from management" and "direct access to the board of directors or the board's audit committee." Compliance filtered exclusively through enterprise risk fails that test.
That autonomy requirement is exactly where execution breaks down. According to Protiviti's 2023 ERM Survey, most organizations still report uneven coordination across governance activities — precisely the gaps regulators probe first. The ten practices below address them directly.
10 Best Practices for Enterprise Risk and Compliance Management
Practice 1: Articulate Risk Appetite at the Board Level
Risk appetite is the foundational input to every control decision. Without a board-endorsed statement defining how much risk the organization will accept across strategic, operational, cyber, and compliance domains, risk and compliance teams will calibrate controls differently, often at cross-purposes.
Risk appetite is not a single number. The IRM defines it as "the amount and type of risk that an organisation is willing to take in order to meet their strategic objectives." In practice, it must define tolerance thresholds by risk category:
- Zero tolerance: Bribery, sanctions violations, material financial fraud
- Low tolerance: Data privacy breaches, critical system downtime
- Moderate tolerance: Strategic market risk, competitive pricing decisions
- Higher tolerance: Innovation initiatives, new market entry

Where this breaks down: boards approve statements like "we maintain a low risk appetite" — language that provides no operational guidance. A useful statement answers: what is "not acceptable" in specific business terms? What dollar amount of financial loss, what hours of downtime, what customer harm threshold crosses from acceptable to material?
In Tyson Martin's board advisory engagements, the risk appetite process follows a structured workshop: agree on crown jewels (critical assets and data) and impact types, define what "not ok" means with measurable thresholds, confirm what the board owns versus what management owns, and produce a one-page statement with an assigned owner. That format (plain language, specific thresholds, clear ownership) gives compliance and risk teams the shared language they need to make control stringency decisions.
Practice 2: Conduct Separate, Compliance-Specific Risk Assessments
Regulators don't treat a compliance risk assessment folded into an enterprise-wide assessment as equivalent to a standalone one. The DOJ's 2024 ECCP asks specifically whether a company has identified and analyzed its compliance risk profile, whether the assessment is current, and whether periodic review drove updates to policies and controls. The UK Ministry of Justice Bribery Act guidance identifies risk assessment as one of six "adequate procedures" principles for organizations operating under that statute.
How the two assessments should relate:
| Assessment | Scope | Audience | Detail Level |
|---|---|---|---|
| Compliance-specific | Bribery, antitrust, data privacy, trade compliance, sector regulations | Compliance function, board audit committee | Full detail |
| Enterprise-wide | All risk categories including compliance summary | Board, C-suite, ERM function | High-level summary |
High-level compliance risks appear on the enterprise register. The full detail stays within compliance. This structure satisfies both regulatory expectations and enterprise reporting needs without collapsing the two into one.
Practical mechanics:
- Compliance owns and conducts its own assessment, with input from business units and legal
- Update at minimum annually and additionally when entering new markets, launching new product lines, or completing acquisitions
- "Tailoring the program to the assessment" means control stringency, training focus, and monitoring intensity should directly reflect what the assessment found, not a generic template
Practice 3: Clarify Decision Rights and Escalation Thresholds
Governance documents describe what should happen. Decision rights specify who is authorized to make which call. Escalation thresholds define the precise conditions under which a matter moves from management to the board. Without both, every significant incident becomes an improvised response.
The structure:
- First line (business units) — makes operational decisions within defined parameters
- Second line (risk, compliance) — challenges and validates those decisions
- C-suite/board — receives notification when matters cross pre-defined thresholds
Thresholds must be tested before an incident, not discovered during one. That testing happens through tabletop exercises focused on decision-making under realistic conditions.
The standard for decision rights frameworks is inspectable execution: the ability to show regulators and auditors exactly who decided what and when.
Tyson Martin's advisory engagements build decision rights maps that answer five questions without ambiguity:
- Who accepts risk, and at what threshold?
- Who approves security exceptions, and for how long?
- Who decides budget tradeoffs when security competes with delivery?
- Who declares incident severity, and who can shut systems down?
- Who owns vendor go/no-go decisions for critical suppliers?
Escalation thresholds are expressed in business terms (hours of downtime, dollar amounts of financial impact, customer data exposure limits), not technical jargon. The output is a one-page escalation ladder, reviewed quarterly and stress-tested annually.

Practice 4: Establish Dual Reporting Structures for Compliance
Compliance should report operationally to the CEO or COO for day-to-day coordination. It must also maintain functional reporting to the board's audit committee for governance oversight. This dual structure preserves the independence regulators require while enabling operational efficiency.
Three situations where direct board access is non-negotiable:
- The company's compliance risk profile materially changes: new markets, new product lines, new regulatory obligations
- Major new compliance laws take effect that require board-level awareness and resource decisions
- Significant investigations or allegations of misconduct occur
Compliance routed exclusively through enterprise risk fails the independence test the DOJ specifically evaluates. The audit committee relationship isn't a formality. It's the mechanism that allows compliance to escalate concerns that management might have reason to minimize.
Practice 5: Define Clear Ownership for Cross-Functional Risks
Risks that cross multiple departments (AI governance, supply chain due diligence, modern slavery, conflict minerals) are frequently unowned in practice because accountability is diffuse. The fastest way to starve a pet is to give everyone the responsibility to feed it.
EY's 2023 Global Board Risk Survey of 500 global board directors found 60% say emerging risks are insufficiently addressed in their risk frameworks, a direct consequence of unclear ownership.
The RACI model (Responsible, Accountable, Consulted, Informed) is the practical tool for resolving this:
| Role | Definition |
|---|---|
| Responsible | Does the work |
| Accountable | Owns the outcome — one person only |
| Consulted | Provides input before decisions |
| Informed | Notified after decisions |
RACI assignments covering compliance, risk, legal, procurement, and business unit functions should be reviewed annually and whenever organizational structure changes. The accountable role must be singular. Shared accountability is no accountability.
Practice 6: Build Board-Ready Risk Reporting That Shows Trend, Not Trivia
Board reporting is frequently the weakest link in enterprise risk and compliance governance. Boards receive dense status updates that obscure materiality rather than clarifying it. Effective board reporting answers three questions:
- What changed since the last briefing?
- What decisions does the board need to make?
- What is the organization's current risk posture relative to its stated appetite?
The EY survey reinforces the problem: 61% of boards are not aligned with each other on material risks likely to affect the organization over the next 12 months.
What good board reporting looks like:
- One to two pages or two to four slides, consistent every reporting period
- A stable set of 8–12 metrics with trend indicators (improving, stable, worsening)
- Top risks written in business impact terms, not technical language
- A "Decisions requested" box with one to three items, each with options, cost ranges, and a recommended path
- Separation of "must fix" from "good to improve" so priorities are obvious
A common failure mode: overhauling reporting formats whenever there is a new risk leader. That destroys continuity and forces boards to re-learn the structure each quarter instead of spotting patterns.
Tyson Martin's board advisory engagements are built around this problem — producing plain-English risk posture reports and stable dashboards that give boards the clarity to act without requiring technical expertise. Consistent format means oversight feels like governance, not a recurring orientation session.

Practice 7: Integrate Emerging Risk Domains — AI, Cyber, and ESG
Traditional ERM frameworks were built around financial, operational, and strategic risks. Three domains now require dedicated governance treatment alongside those categories:
AI Governance
EU AI Act Article 9 requires a documented risk management system for high-risk AI systems: established, implemented, maintained, and documented. Responsible deployment policies, bias monitoring, and accountability frameworks are no longer optional for organizations with AI embedded in products or operations.
Cyber Resilience
The SEC's 2023 cybersecurity rule requires disclosure of cybersecurity risk management, strategy, governance, and material incidents. NIST CSF 2.0 added the Govern function in 2024, elevating cyber governance from IT risk to board-level accountability.
ESG Disclosure
The EU's Corporate Sustainability Reporting Directive (CSRD) makes sustainability reporting mandatory for in-scope organizations. Only 7% of CCOs report their ESG compliance programs are fully developed and operational, according to KPMG's Global CCO Survey, a significant maturity gap for organizations with global operations.
Gap assessments against these three domains should be part of the next compliance risk assessment cycle, not deferred to a future initiative.
Practice 8: Coordinate Systematically with Internal Audit
The three-lines-of-defense model defines three distinct roles:
- First line: Business units own and manage risk in daily operations
- Second line: Risk and compliance monitor, challenge, and support
- Third line: Internal audit independently validates the effectiveness of both
Compliance and internal audit are not duplicates. Compliance monitors continuously. Audit validates effectiveness periodically and independently. Treating them as interchangeable weakens both.
Practical coordination mechanism: quarterly meetings between compliance, risk, and audit leadership covering:
- Upcoming assessments and audit plan alignment to avoid duplication
- Control deficiencies from recent audits requiring compliance follow-up
- Emerging risks that require new frameworks before the next audit cycle
Compliance champions mitigation strategies. Audit validates whether implementation is effective. That division of labor, maintained consistently, is what makes the three lines more than an organizational chart.

Practice 9: Implement Continuous Monitoring, Not Just Periodic Reviews
Annual or semi-annual compliance reviews create windows of undetected risk. Continuous monitoring closes that gap and aligns with how regulators now evaluate program effectiveness. The DOJ's ECCP asks whether compliance programs undergo periodic testing and review, and whether risk assessments are updated after problems emerge.
The adoption data supports the shift: PwC's 2025 survey found 75% of organizations use technology for compliance and transaction monitoring, and 53% report faster identification and proactive response to compliance issues as a result.
What "continuous" means in practice:
- Automated flagging of anomalies in transactional data, not waiting for human review cycles
- Ongoing control testing, not just point-in-time assessments
- Real-time dashboards that surface exceptions for human review rather than batching findings for the next audit
- Escalation triggers that fire when thresholds are crossed, not when the calendar says it's time
The shift from periodic to continuous isn't primarily a technology decision. It's a governance decision about whether the organization is willing to act on information when it surfaces, not on a schedule.
Practice 10: Measure Effectiveness with Metrics That Drive Decisions
Most compliance programs are evaluated on activity metrics: trainings completed, policies reviewed, audits closed. These measure effort, not effectiveness.
Five outcome metrics that indicate real program effectiveness:
- Issue identification and resolution time — how long from detection to remediation
- Control testing results by domain — coverage quality on highest-risk areas, not aggregate counts
- Third-party risk coverage percentage — percent of critical vendors with current reviews and tested incident communication paths
- Speak-up channel utilization rates — volume, type, and disposition of reports relative to organization size
- Training comprehension scores — not completion rates, but demonstrated understanding by risk-relevant role

KPMG's 2021 CCO Survey of 249 compliance officers found 72% use audit results and 45% use regulatory actions as primary effectiveness measures, both lagging indicators that arrive after problems surface.
These five metrics should be reviewed quarterly to drive resource allocation and program improvement decisions. A metric that no one acts on belongs off the dashboard. The practical filter: if this goes red, does someone have to act? Can you name who, by role? Is there a deadline? If the answer to any of those is no, keep it off the management dashboard.
Conclusion
The ten practices above aren't independent initiatives. They form a governance architecture: risk appetite sets the boundaries, decision rights define who acts within them, dual reporting keeps both functions accountable, and outcome metrics prove the architecture is working.
Organizations that treat these as checkboxes will continue experiencing the execution gap between documented intent and operational reality. The gap shows up in incidents, regulatory examinations, and audit findings — not in governance frameworks.
For boards and executive teams who need to move faster than an internal build allows, Tyson Martin provides interim and fractional CISO and board advisory services — whether that means stabilizing governance after an incident, preparing for a regulatory examination, or building oversight structures before a material gap is discovered.
Connect on LinkedIn or reach out directly to discuss your specific situation.
Frequently Asked Questions
What are the five components of enterprise risk management?
The COSO 2017 ERM framework defines five components: Governance and Culture; Strategy and Objective-Setting; Performance; Review and Revision; and Information, Communication, and Reporting. They operate as a continuous cycle — each informing the others — rather than a linear sequence.
What is the ISO standard for enterprise risk management?
ISO 31000:2018 is the primary international standard for risk management. It applies across organization types and sizes, spans six areas from leadership and integration through evaluation and improvement, and is flexible rather than prescriptive in its requirements.
What is the difference between enterprise risk management and compliance management?
ERM encompasses all organizational risk categories — strategic, operational, financial, and compliance — to support enterprise-wide decision-making. Compliance management focuses specifically on legal and regulatory obligations. Compliance risk sits within ERM but requires specialized expertise, independent oversight, and its own assessment methodology to satisfy regulators.
What is the three-lines-of-defense model in enterprise risk management?
The first line consists of business units that own and manage risk in daily operations. The second line — risk management and compliance — independently monitors and challenges first-line controls. The third line, internal audit, independently assesses the effectiveness of both. Each line has distinct accountability to the governing body.
How should compliance risk be reported to the board?
Compliance should have direct, functional reporting access to the board's audit committee — independent of the enterprise risk reporting chain. That reporting should cover material changes in compliance risk profile, major new regulatory requirements, and significant investigations. Board-level compliance reporting should show trend and materiality, not operational status detail.
How often should an enterprise risk assessment be updated?
Enterprise risk assessments should be reviewed at minimum annually and whenever significant changes occur — new markets, acquisitions, or material incidents. Compliance-specific assessments follow the same cadence; DOJ guidance specifically asks whether the compliance risk assessment is current and subject to periodic review.