Risk, Compliance, internal control and the Management System


Organizations operating in safety-critical environments often talk about risk management, compliance, and internal control systems as separate domains.

In practice, they are deeply interconnected.

A useful way to understand this is not as a stack of documents or departments, but as a system that guides how an organization deliberately operates close to the boundaries of control.

The shepherd at the edge

It’s early morning. Mist still clings to the hills like a half-forgotten thought. A shepherd stands with his dog, watching a restless flock spread across the slope.

Behind them: safe, overgrazed land. Short grass. Predictable. Nothing ever goes wrong there… but nothing really grows either.

Ahead: the edge of a ravine.

Not a dramatic cliff, not the kind that makes headlines. Just a long, sloping drop where the ground becomes uncertain, and where, right along the rim, the grass turns impossibly green. Thick. Fresh. Untouched.

Every shepherd knows this place.

That’s where the best nourishment is. That’s also where things can go wrong.

He lets the flock drift forward.

Not freely. Never freely.

The dog moves first, a silent extension of his will. Wide arcs. Subtle pressure. Keeping the edges tight. Watching for the one sheep that wanders a little too far, a little too confidently.

The shepherd isn’t trying to eliminate risk. He’s managing distance.

Too far back, and the flock weakens over time. Too close, and one misstep becomes a fall.

So he constantly adjusts:

  • A whistle here
  • A shift in position there
  • A sharper correction when needed

And always, in the back of his mind, a question he never fully answers:

How many sheep am I willing to lose, if it means the flock thrives?

Because absolute safety would mean turning away from the edge entirely. And turning away from the edge would mean settling for less.

So he walks the line.

Not recklessly. Not passively. But deliberately.

Balancing control and opportunity, every step of the way.

Risk: not only what to avoid, but where to go

Risk is often framed as something negative.

But in reality, risk has two sides:

  • Downside: incidents, non-compliance, financial loss, reputational damage
  • Upside: efficiency, innovation, better use of assets, competitive advantage

Every organization continuously balances these forces.

Operating too conservatively leads to missed opportunities. Operating too aggressively increases the chance of failure.

The real question is:

How close do we choose to operate to the edge, and what level of loss is acceptable if control fails?

Risk Appetite: a strategic choice

This balance is defined through risk appetite.

Leadership determines:

  • Which risks are acceptable
  • Which must be reduced or eliminated
  • Which are worth taking or even amplifying

This is not purely technical. It reflects:

  • Experience and judgment of decision-makers
  • Organizational culture
  • Financial resilience
  • External responsibilities, especially in high-risk industries

Two companies under identical regulations can behave very differently because their risk appetite differs.

The Management System: the organization’s playbook

The management system is where these choices are formalized.

It consists of:

  • Policies
  • Procedures
  • Roles and responsibilities
  • Operational rules

It answers: “Given our risks and our ambitions, how do we run our organization?” It sits at the center of everything:

  • Above it: laws, regulations, and standards
  • Below it: daily operations and execution

And it serves two critical purposes:

  1. Translation: turning external requirements into internal rules
  2. Reference: defining how performance is judged

In essence, it is the organization’s own statement of how it intends to remain in control.

Compliance: aligning with external expectations

Compliance ensures that the management system correctly reflects:

  • Applicable laws and regulations
  • Industry standards
  • Permit conditions and obligations

It answers: “Does our playbook meet what is required from us?” If this alignment is incorrect, the organization is at risk of non-compliance by design.

ICS (the Internal Control System): proving control in practice

ICS translates the management system into execution.

It defines:

  • Controls
  • Workflows
  • Checks and balances
  • Evidence collection

It answers: “Are we actually doing what we said we would do?” This is where inspections, approvals, monitoring, and logging take place. If this layer fails, the organization faces non-compliance in practice.

Two fundamental gaps

Every organization must actively manage two types of gaps:

1. Between regulations and the management system

  • Requirements are misunderstood, incomplete, or outdated

Result: The organization is structurally misaligned with its obligations

2. Between the management system and operations

  • Procedures are not followed
  • Controls are inconsistently applied
  • Evidence is missing or unreliable

Result: The organization cannot demonstrate control

Closing the loop: Plan – Do – Check – Act

What regulators, inspectors, and auditors ultimately expect is not documentation, but a functioning system. This system typically follows the Plan–Do–Check–Act (PDCA) cycle:

Plan

  • Identify risks
  • Define policies, procedures, and controls
  • Align with regulations

Do

  • Execute operations and controls
  • Capture evidence

Check

  • Assess whether:
  • Identify deviations and incidents

Act

  • Implement corrective measures
  • Improve controls and procedures
  • Reassess risks

This cycle becomes especially critical after incidents, where organizations must demonstrate not only what happened, but how their system responded.

Liability: where systems become personal

In regulated and high-risk environments, this system directly connects to accountability.

When failures occur, key questions arise:

  • Were risks properly identified and assessed?
  • Was the management system adequate?
  • Were controls defined and implemented?
  • Was execution consistent and verifiable?
  • Were deviations detected and addressed?

These questions underpin:

  • Organizational liability
  • Personal liability of directors and management
  • Responsibilities of specific roles in safety and compliance

In other words: the integrity of the entire system becomes legally relevant.

One coherent model

Bringing it all together:

  • Risk Management defines direction and priorities
  • Risk Appetite determines how far the organization is willing to go
  • Management System defines how the organization operates
  • Compliance ensures alignment with external requirements
  • ICS ensures execution and evidence

And in practice, they form a continuous loop:

Risk → Management System → Controls → Evidence → Insight → Risk

To make this model operational, it must be understood not as a static chain, but as a continuous improvement cycle.

The loop follows the rhythm of Plan–Do–Check–Act: risks and choices are defined (Plan), translated into controls and executed (Do), verified through evidence and insight (Check), and continuously adjusted through improvements and renewed risk evaluation (Act).

Only when this cycle is actively closed does the model move from documentation to real control.

The real challenge

Most organizations already have all these elements.

The challenge is that they are often:

  • Fragmented across departments
  • Document-driven rather than execution-driven
  • Difficult to monitor in real time
  • Hard to keep aligned with changing requirements

A final thought: Are we in control?

Control is not achieved by writing more procedures.

It is achieved when:

  • Risks are clearly understood
  • Choices are explicitly made
  • Rules are consistently applied
  • Evidence is continuously available
  • And gaps are systematically closed

Or, simply put:

Risk defines where you operate. The management system defines how you operate. Compliance defines what is expected. ICS proves that you are in control.

The real work lies in continuously aligning all four.