Regulatory risk implies the possibility of violations of laws, regulations, contractual terms, rules or applicable internal policies that have a negative financial or non-financial impact on the organization. Given this, the purpose of risk management is to create and protect the value generated by your organization against said risks.

In addition, certain criteria or general principles must be established, which in Panama tend to lead to: an effective commitment of the Board of Directors; the proper management of each level of risk and the gradualness of the respective level of due diligence; traceability through permanent monitoring; decision-making based on data, that is, on concrete evidence; continuous improvement through self-assessment and model improvement, which goes hand in hand with ongoing risk and context assessment; consistency with the national risk assessment; an integrated process approach with complete, accurate and statistically treated information; and adequate documentation that allows demonstrating the effectiveness of the model and understanding the reasons for a higher or lower assignment of a risk level, risk factor or indicator.

The Panamanian model is divided into four stages: design, implementation, evaluation and feedback. To begin with, the design is divided into: compliance policy, sufficiency of resources, adequate training, permanent evaluation and adequate documentation. Secondly, the implementation is divided into: process and risk indicators. Thirdly, the evaluation is divided into: calibration of the tools and periodic validation. Finally, the feedback points to a permanent improvement. The foregoing allows us to address the context through the aforementioned process, in which we identify, analyze and evaluate the inherent risk (risk in an uncontrolled state) and establish how to treat the residual risk, that is, the risk that remains after applying the respective controls. All of the above allows us to generate indicators and communicate said risks.

It should be understood that this approach establishes a minimum acceptable level for the regulator, and we must highlight that the risk-based approach, and risk management itself, is not limited to regulatory compliance but extends to all functions of the organization.