17 September 2014: Protecht was proud to be a part of Compliance Solutions Day 2014 hosted by Lexis Nexis and Compliance Network Australia at the C3 Convention Centre in Vienna, Austria.
The following post is an overview of David Tattam's presentation:
Optimising the Compliance Function in 2014 and Beyond
Compliance means conforming to a rule. That rule may arise from an external source such as a law or regulation or an internal source such as a policy, code or control. Compliance with these two main sources gives rise to external and internal compliance.
The issue for an organisation is: how can conforming with the rule(s) be ensured? This is the key objective of a compliance function. The methods we can use to ensure we conform with the rules are many and varied and an organisation needs to determine what compliance methodology will be used. The compliance methodology should balance a desired level of compliance against the cost and time in achieving that level of assurance. Getting this balance right will lead to an optimal compliance function.
Considerations when designing an optimal compliance function include:
1. Understanding what the relevant rules are
Before we can consider conforming to a rule, we need to understand what the rules are and what they mean. For external compliance this necessitates having access to a library of relevant laws and regulations that is kept up to date at all times. For most organisations this is a difficult task due to the sheer volume of rules. This library may be maintained internally which will require dedicated compliance / legal staff to remain aware of all relevant obligations and ensuring they are always kept up to date. Alternatively, this library may be accessed externally through a subscription service and maintained by a third party such as LexisNexis.
For internal compliance, there needs to be a library of policies, procedures and controls which is also kept up to date across the business.
2. Once the rules are understood, processes must be put in place to ensure the rules are met and that assurance is provided to senior management and the board. This can be achieved using one or more methods including:
- Responsibility for compliance with each rule must be assigned to a department and / or specific role / individual.
- Creating attestation questions from the rules and obtaining regular and periodic sign off by the relevant rule owner (Refer Fig 1). These attestations may be aggregated upwards so that senior staff are attesting compliance of their departments based on the attestation results from staff below.
- Taking this process one step further may involve providing evidence of compliance to support the attestation. This may be achieved by attaching a document or equivalent to the attestation response (Refer Fig 1).
- Independent compliance reviews. This would involve an independent person or team reviewing compliance with specific rules and providing an opinion as to the degree of compliance. These reviews would be based on compliance testing plans.
- Combining attestations with independent checking though sample testing of the attestation responses to ensure they have been answered correctly.
- Maintaining a record of all non-compliance incidents that occur. This involves identifying instances of non-compliance and managing them effectively and efficiently. This would include the identification of the reason(s) for non-compliance and determining improvement to reduce the chance of the incident recurring. Recognising that failure to comply or “non-compliance” is the result of something going wrong or failing to work. This identifies the risks that can lead to non-compliance. An assessment of the risks that could cause non-compliance is then carried out. These risks are then subject to periodic risk assessments, monitoring key risk indicators and carrying out ongoing assurance testing over key controls.
- Identifying leading indicators which provide evidence of increased risk of non-compliance. This may include such things as: “number of staff who have not completed compliance training”, “number of legislative changes in period” and “level of commissions paid to sales staff”.
An appropriate combination of these methods results in the specific compliance methodology and creates the basis of the organisation’s compliance plan(s).
The optimal compliance function
In order to be optimal, the compliance function should consider the following:
Apply a risk based approach to compliance. Compliance requirements should be assessed as to their level of risk. This will include assessing the impact (both financial and non-financial) resulting from non-compliance and the assessed level of likelihood that non-compliance will occur. The level of risk should drive the approach to compliance, the higher the risk, the more extensive the process.
- Create a single location for all compliance requirements with an efficient process of keeping the library up to date.
- Create easily understood attestation questions based on obligations. Avoid using legal language.
- Minimise the number of attestation questions asked. Where possible, a single question should cover multiple obligations.
- Minimise the frequency attestations are requested to balance the required level of assurance with effort.
- Request evidence to be provided for attestations made.
- Integrate compliance risk management into the overall enterprise risk management process to avoid duplication. This should include: identifying risks that have a potential compliance impact; identify key controls over those risks; link the risks to the related compliance obligation; carry out ongoing risk assessments; key risk indicators and controls assurance over these risks.
Be able to report all information linked to compliance requirements. This requires the linking of data in a relational database.
- Provide flexible reporting tools to allow users to define their reports.
- Deliver reporting via live dashboards rather than static reports (Refer Fig 2).
Compliance is an essential component of any successful organisation. The key is to maximise the value created by the function and this requires a fine balance between effectiveness and efficiency. Optimisation of the compliance function requires an informed weighing up of costs and benefits and when made correctly will result in the compliance function being viewed as an enabler of the business rather than a hindrance.
If you would like to know more about how to optimise your compliance function and capability, please contact the Protecht.EME team via phone +43 1 53 712 4843 or email firstname.lastname@example.org