Market risk is visible in the daily moves of prices. Compliance risk, by contrast, looks like zero most of the time — and tips the company over the moment it surfaces. It is hard to reverse, and it damages reputation, an asset that is slow to rebuild. That is what sets it decisively apart from other risks.
01 "Looking Like Zero" Is the Most Dangerous State
Market risk and credit risk show up in the numbers almost every day, as profit and loss. That is precisely why they register as objects of management. Compliance risk, by contrast, can run for years with zero loss. Put out a non-compliant piece of material and, as long as no one happens to flag it, nothing visible occurs on the surface. These instances of "nothing happened" accumulate quietly.
The problem is that this accumulation breeds not reassurance but illusion. The floor mistakes a track record of "it has been fine so far" for low risk. There is a structural bias rooted in human cognition: because the events are rare, they are underestimated. Low frequency and low severity are two different things. A single serious deviation strikes approvals, trust, and the share price all at once.
02 The Singularity of Compliance Risk, Along Three Axes
Set out what makes this risk different along three axes — frequency, severity, and recovery. Contrast it with market risk, and you can see why the ordinary instincts of risk management do not carry over well.
Underestimated because rare
Because losses seldom occur, the floor stacks up a record of "it was fine" and dulls its sensitivity to risk. A low probability of occurrence is readily converted into complacency.
One blow tips the company over
Invisible in normal times, yet the damage when it lands is large. Suspension of approvals, surcharge penalties, and loss of trust arrive together. The quiet of peacetime and the swing in a crisis are asymmetrically far apart.
Reputation breaks in an instant, rebuilds at high cost
Reputational capital takes time to build but breaks in an instant. Unlike a financial loss, it is hard to hedge with insurance, and the cost of recovery is asymmetrically large.
The Ministry of Health, Labour and Welfare's report on its monitoring of sales-information-provision activities shows that deviations are not confined to a single company but recur across the industry. The premise that "our company is fine" is hard to support on the data. On the materials-review floor, "no problem so far" is treated not as reassurance but as the strongest warning signal. That is the standing rebuttal to the underestimation bias.
03 The Core of Liability Is Not the Size of the Loss but the Absence of a System
Compliance risk also differs from other risks in how liability is assigned. Lose money on market risk and, if it was the result of taking commensurate risk, that loss does not by itself amount to a breach of duty. In the compliance domain, however, what is asked is less the outcome — that a loss occurred — than whether a system to prevent it had been built.
The Osaka District Court judgment in the Daiwa Bank shareholder derivative suit (September 20, 2000) held management liable less for the enormous loss itself than for failing to build an internal control system to manage risk. Article 362, paragraph 4, item 6 and paragraph 5 of the Companies Act require the board of a large company to put an internal control system in place. In compliance risk, "the absence of a control system" sits at the center of liability. The idea is that responding after an incident is too late; the path must be cut off at the design stage.
04 To the Materials-Review Floor — The Second Line That Carries the Rebuttal
Everything so far connects straight to the practice of materials review. The single piece of material the reviewer faces is the point where this low-frequency, high-severity risk takes concrete form. The more unflagged deviations pile up, the stronger the floor's pressure to "make it look effective" grows — justified by a past free of incident.
That is exactly why the reviewer's role is to keep carrying the rebuttal to the underestimation bias. "Because this wording has passed before" is no evidence that the risk is low. Protect the asset that no insurance can hedge — reputation — and leave a record that the system is working. The pressure of short-termism we saw in A-07, "The Tug-of-War Between the Quarter and the Decade — Short-Termism vs. Long-Term Value," appears here overlaid on the underestimation of this low-frequency risk. Do not mistake short-term calm for long-term safety. That is the reviewer's stance, grounded in the singularity of compliance risk.
- Compliance risk is low-frequency, high-severity. Invisible in normal times, it tips the company over in a single blow. Low frequency and low severity are not the same thing.
- "No problem so far" is a warning signal, not reassurance. There is a structural bias — underestimation because the events are rare.
- Reputational capital breaks in an instant and recovers at an asymmetrically high cost. Unlike a financial loss, it is hard to hedge with insurance.
- As the Daiwa Bank case shows, the core of liability is the failure to discharge the duty to build internal controls, not the size of the loss.
- Ministry of Health, Labour and Welfare. Report on the Monitoring of Sales-Information-Provision Activities. Records cases of deviation in the provision of sales information for pharmaceuticals. Shows that deviations are not confined to particular companies but recur across the industry (company names anonymized).
- Daiwa Bank Shareholder Derivative Suit, Osaka District Court judgment of September 20, 2000. Recognized directors' liability for failing to build an internal control system for risk management, rather than for the loss itself. Connects to the duty to establish internal controls under Article 362, paragraph 4, item 6 and paragraph 5 of the Companies Act.
- COSO ERM (2017). A framework for enterprise risk management. Sets out an approach that treats compliance risk and reputation as integrated with strategy and governance.