In recent years compliance has become a very important topic for businesses for many reasons, not least of which is the fact that failure to comply with certain regulations results in heavy financial penalties that can put many organisations under severe pressure.
One of the most important components within compliance is risk management, particularly compliance risk itself, and any sound compliance programme needs to include a risk management framework to enable the management and control of risk, which is always changing and evolving as new laws and regulations are put into place by various governing institutions across different industry sectors.
An important consideration when looking to establish a compliance risk management programme is to take an enterprise-wide approach. To date most organisations have focused on control alone when it comes to compliance risk, and the risk management side is conducted mainly by the risk management department or the internal auditor. However, because of the importance of compliance risk it is vital that this be an initiative undertaken throughout the organisation, following a set process that includes risk identification, both quantitative and qualitative analyses of compliance risk, defining the risk appetite for compliance and establishing a risk mitigation plan for compliance.
A quantitative analysis is an important part of the process, as one of the main goals of incorporating compliance risk is to evaluate, quantify and prioritise legal ethics, misconduct and compliance risk specific to an organisation or the industry it belongs to. Quantifying compliance risk provides a rationale for the entire compliance programme, as if you are aware of all of the potential risks involved then training can be accurately designed within the overall compliance framework. An important thing to remember is that the compliance programme must be aligned with both localised, national and international compliance requirements, and a benchmark should be developed to measure programme effectiveness either on a national level or within the specific industry, to provide internal guidelines for the compliance programme.
While designing and implementing a compliance risk management programme may seem like an onerous task, the fact is that it will have benefits beyond simply improving compliance and will have a positive impact on the financial aspect of the business.
Over the past few years organisations have spent large sums of money on compliance management without much direction. A compliance risk management programme will help to prioritise the budget and needs regarding the compliance programme, which in turn helps to modify and improve it and at the same time reduce the risk within compliance, all of which have a positive impact on the bottom line. A compliance risk management framework will also help to identify any deficiencies within the design, management and administration of the overall compliance programme.
Some of the vital information required for best practice in compliance risk management includes an examination of all of the major areas within an organisation regarding potential misconduct, which needs to be examined contextually. It is also necessary to address the current risks and identify what the potential risks may be, and have a thorough understanding of industry specific risks.
Including and involving all levels of the organisation is another best practice recommendation. Often what happens is that each different department will have its own siloed compliance programme, and each of these departments needs to know what to comply with regarding both mandatory and voluntary requirements, and each department should contribute this information in order to conduct an overall organisational risk assessment.
Best practice also recommends outsourcing the risk assessment to a risk expert within the compliance environment so that the outcome can be documented and objectively reported on. This report needs to communicate to both the board of directors and the compliance committee.
The compliance risk assessment needs to be both qualitative and quantitative, as mentioned previously, as each area needs to be quantified. If this quantification process is not present before compliance risk occurs the organisation will have no idea of the costs involved in falling to these risks, and the legal fees and cost to reputation from compliance misconduct can be very expensive to the organisation, not just in terms of short term profits but also long term damage.
Compliance risk management not only needs to be presented to the board, it is also vital to measure employee knowledge of the programme as well as areas where there are high levels of misconduct, and these results should be benchmarked internally and externally to determine progress through a coordination between internal audit and risk management.
Constantly changing laws and regulations require compliance, but in order to do so it is necessary to understand what these legalities are to build up a comprehensive compliance programme. This needs to be an ongoing process, since as laws and environments change the compliance programme will change as a result.
By Jayen Vyravene, Managing Partner of Quency
