What is Compliance?
Compliance Framework – Other components:
Attestations, Breach Registers, Culture
In a previous article we wrote about the Key Components of a Compliance Framework, what is compliance and the importance of the Obligations Register and the relevant rules.
We defined compliance as an outcome of conforming to a rule. That rule may arise from an external source such as a law or regulation, or an internal source such as a policy, code or control.
We mentioned as well, that once the rules are understood, other processes must be put in place to ensure the rules are met and that assurance is provided to senior management and the board.
How can we achieve this assurance?
By implementing the following components in your compliance process:
- Attestations - Compliance questions can be created from key obligations and distributed to staff and executives for regular and periodic attestations that they are compliant with the relevant obligations or their underlying controls. (Refer Fig 1).
The objective of these questions is twofold: firstly, to remind staff of their obligations, and secondly, to give comfort to Executive Management and the Board that staff are being (or at least trying to be) compliant with their obligations. Attestation reporting should aggregate responses by key risks and obligations and present the trend of compliance/non-compliance over time.
Taking this process one step further may involve providing evidence of compliance to support the attestation. This may be achieved by attaching a document or equivalent to the attestation response.
Fig 1. Compliance Question Library
- Independent compliance reviews - This involves an independent person or team reviewing compliance with specific rules and providing an opinion as to the degree of compliance. These reviews can be based on compliance testing plans, and can combine attestations with independent checking through sample testing of the attestation responses to ensure they have been answered correctly.
- Breach Register - Maintaining a record of all non-compliance incidents that occur. This involves identifying instances of non-compliance and managing them effectively and efficiently. This would include the identification of the reason(s) for non-compliance, its severity and determining treatment plans to reduce the chance of the breach recurring.
- Compliance risk assessment - Recognising that failure to comply, or “non-compliance”, is the result of something going wrong or failing to work. This allows us to identify the risks that can lead to non-compliance. An assessment of the risks that could cause non-compliance is then carried out. These risks are then subject to periodic risk assessments, monitoring of key risk indicators and ongoing assurance testing over key controls.
- Identifying leading indicators which provide evidence of increased risk of non-compliance. This may include such things as: “number of staff who have not completed compliance training”, “number of legislative changes in period” and “level of commissions paid to sales staff”.
An appropriate combination of these methods results in the specific compliance methodology and creates the basis of the organisation’s compliance plan(s).
The optimal compliance function
In order to be optimal, the compliance function should consider the following:
Apply a risk-based approach to assessing compliance obligations. Compliance requirements should be assessed as to their level of risk. This will include assessing the impact (both financial and non-financial) resulting from non-compliance and the assessed level of likelihood that non-compliance will occur. The level of risk should drive the approach to compliance: the higher the risk, the more extensive the process.
To achieve this, consider the following:
- Create a single location for all compliance requirements with an efficient process of keeping the library up to date.
- Create easily understood attestation questions based on obligations or their linked controls. Avoid using legal language or just replicating the legal obligation – make it practical and meaningful to the frontline who will be responding.
- Minimise the number of attestation questions asked. Where possible, a single question should cover multiple obligations.
- Minimise the frequency attestations are requested to balance the required level of assurance with effort.
- Request evidence to be provided to support the attestation being made.
- Integrate compliance risk management into the overall enterprise risk management process to avoid duplication. This should include: identifying risks that have a potential compliance impact; identifying key controls over those risks; linking the risks to the related compliance obligation; carrying out ongoing risk assessments; and monitoring key risk indicators and performing controls assurance over these risks.
- Be able to report all information linked to the compliance framework. This requires the linking of data in a relational database.
- Provide flexible reporting tools to allow users to define their reports.
- Deliver reporting via live dashboards rather than static reports (Refer Fig 2).
Fig 2: Compliance Dashboard
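The components described above (attestation responses aggregated by obligation and trended over time, evidence attached to attestations as input to independent sample testing, a breach register recording reason, severity and treatment plan) and the risk-based approach in this section can be modelled in a few lines. The following is an added example written for this page; it is not code from the article or from Protecht.ERM. The obligation ids, the 1-5 impact and likelihood scale, the sample responses and breaches, and the ordering rule in `prioritise()` are all constructed assumptions.

```python
"""Added example: a minimal model of a compliance framework's data and reporting.
All identifiers, scales and sample records below are constructed for illustration
and are not taken from the article or from any product."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Obligation:
    obligation_id: str
    description: str
    impact: int       # assumed scale: 1 (low) .. 5 (high), financial and non-financial
    likelihood: int   # assumed scale: 1 (low) .. 5 (high)

    @property
    def risk_score(self) -> int:
        # Risk-based approach: the product of impact and likelihood drives priority.
        return self.impact * self.likelihood


@dataclass(frozen=True)
class Attestation:
    obligation_id: str
    period: str                      # e.g. "2024-Q1"
    respondent: str
    compliant: bool
    evidence: Optional[str] = None   # reference to an attached document, if provided


@dataclass(frozen=True)
class Breach:
    obligation_id: str
    period: str
    reason: str
    severity: int                    # assumed scale 1..5
    treatment_plan: str


def compliance_trend(attestations: List[Attestation]) -> Dict[str, List[Tuple[str, float]]]:
    """Aggregate responses per obligation and period into a compliance rate,
    returned as {obligation_id: [(period, rate), ...]} in period order."""
    counts = defaultdict(lambda: [0, 0])  # (obligation, period) -> [compliant, total]
    for a in attestations:
        key = (a.obligation_id, a.period)
        counts[key][1] += 1
        counts[key][0] += int(a.compliant)
    trend: Dict[str, List[Tuple[str, float]]] = defaultdict(list)
    for (oid, period), (yes, total) in sorted(counts.items()):
        trend[oid].append((period, round(yes / total, 2)))
    return dict(trend)


def evidence_gaps(attestations: List[Attestation]) -> List[Attestation]:
    """'Compliant' responses with no supporting evidence: the natural sample
    for an independent compliance review to test."""
    return [a for a in attestations if a.compliant and not a.evidence]


def breach_counts(breaches: List[Breach]) -> Dict[str, int]:
    """Number of recorded breaches per obligation from the breach register."""
    counts: Dict[str, int] = defaultdict(int)
    for b in breaches:
        counts[b.obligation_id] += 1
    return dict(counts)


def prioritise(obligations: List[Obligation], attestations: List[Attestation],
               breaches: List[Breach]) -> List[Tuple[str, int, float, int]]:
    """Order obligations for review: highest risk score first, then most breaches,
    then lowest latest compliance rate. Returns (id, risk_score, latest_rate, breaches)."""
    trend = compliance_trend(attestations)
    per_obligation = breach_counts(breaches)
    rows = []
    for o in obligations:
        history = trend.get(o.obligation_id, [])
        latest_rate = history[-1][1] if history else 0.0   # no attestations: treat as 0
        rows.append((o.obligation_id, o.risk_score, latest_rate,
                     per_obligation.get(o.obligation_id, 0)))
    return sorted(rows, key=lambda r: (-r[1], -r[3], r[2]))


# Constructed sample data (not real obligations, staff or incidents).
OBLIGATIONS = [
    Obligation("OBL-01", "Access to customer data is logged and reviewed", impact=5, likelihood=3),
    Obligation("OBL-02", "Customer identity verified before onboarding", impact=5, likelihood=2),
    Obligation("OBL-03", "Workplace incidents reported within 48 hours", impact=2, likelihood=4),
]
ATTESTATIONS = [
    Attestation("OBL-01", "2024-Q1", "alice", True, "log-review-2024-Q1.pdf"),
    Attestation("OBL-01", "2024-Q1", "bob", True),
    Attestation("OBL-01", "2024-Q1", "carol", False),
    Attestation("OBL-01", "2024-Q2", "alice", True, "log-review-2024-Q2.pdf"),
    Attestation("OBL-01", "2024-Q2", "bob", False),
    Attestation("OBL-01", "2024-Q2", "carol", False),
    Attestation("OBL-02", "2024-Q1", "alice", True, "kyc-sample-2024-Q1.xlsx"),
    Attestation("OBL-02", "2024-Q2", "alice", True, "kyc-sample-2024-Q2.xlsx"),
    Attestation("OBL-03", "2024-Q1", "bob", True),
    Attestation("OBL-03", "2024-Q2", "bob", True),
]
BREACHES = [
    Breach("OBL-01", "2024-Q2", "Access logging left disabled after a system upgrade",
           severity=4, treatment_plan="Add logging check to the change-management checklist"),
    Breach("OBL-03", "2024-Q1", "Incident report filed after the 48-hour window",
           severity=1, treatment_plan="Automated reminder to the reporting manager"),
]

if __name__ == "__main__":
    for oid, history in compliance_trend(ATTESTATIONS).items():
        print(oid, history)
    print("unsupported 'compliant' responses:", len(evidence_gaps(ATTESTATIONS)))
    for row in prioritise(OBLIGATIONS, ATTESTATIONS, BREACHES):
        print("review priority:", row)
```

Run as a script to print the trend per obligation, the count of unsupported attestations, and the review order. In the constructed data OBL-01 is both the highest-risk obligation and the one whose compliance rate is falling and which has a recorded breach, so it lands at the top of the review list; the same ordering applied to a real obligations register gives the compliance function a defensible, risk-based testing plan rather than an equal-weight review of everything.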
Conclusion
Compliance is an essential component of any successful organisation. The key is to maximise the value created by the function and this requires a fine balance between effectiveness and efficiency. Optimisation of the compliance function requires an informed approach to weighing up the costs and benefits and when made correctly will result in the compliance function being viewed as an enabler of the business rather than a hindrance.
Read more about the definition of compliance and how the Obligations Register helps us gain an understanding of the rules we have to conform to.