Sometimes referred to as the risk professions, this quartet has overlapping but distinctive roles. I recently heard these broad definitions and added my own for audit.
Law interprets statutory and judicial rules and makes sure internal constituencies understand them. Compliance applies the rules to day-to-day conduct and monitors the level of observance. Risk supervises and manages risks, including those associated with inadequate compliance. Audit checks on specific instances of compliance or not, especially financial controls.
One view is that compliance and audit serve as police functions, looking back at behavior. From that vantage, law and risk look forward and try to prevent problems.
This huge topic pours over the puny dikes of a blog post. I have written about these control functions before, all being areas closely tied to the reputation of the company. Today, however, let me defer a longer review to another day (see my posts of Oct. 21, 2005: a combined Compliance, Ethics and Investigation (CEI) unit; Dec. 10, 2005: at Egg, all the risk functions of the company – legal, audit, risk and compliance – report through the Chief Risk Officer to the board; Nov. 22, 2008: discussion of the broad scope of the term “control functions”; Nov. 30, 2008: “general compliance” vs. “regulatory compliance,” run by legal; Aug. 13, 2009: risk management differs from compliance and internal audit – but from legal?; Jan. 2, 2009: don’t charge legal with responsibility for risk management; and Feb. 9, 2010: at Clorox, general counsel oversees business ethics, corporate governance, “risk management, internal audit, compliance, corporate communications, crisis management, and business continuity planning”).