We live in a world of rules. Compliance with those rules is critical, not only to protect your organization from regulatory actions, fines and damaged reputation, but because it’s the right thing to do to protect all of our diverse stakeholders from risks that we bring to them. Our Compliance and Compliance Management webinar held in February 2023 gave a practical overview of best practice compliance and compliance risk management processes using a risk-based approach. In this blog, we'll discuss the audience polls and the questions asked at the webinar.
Poll results
What obligation sources does your compliance management function cover?

| Multiple answers | # | % |
|---|---|---|
| Regulatory | 342 | 81% |
| Contractual | 105 | 25% |
| External standards | 120 | 29% |
| Internal policies, codes, procedures etc | 178 | 42% |
| License conditions | 88 | 21% |
| Total (all regions) | 420 | |
As we would expect, regulatory was top of the list, and it is the place where most people start before expanding into other areas. Interestingly, when we look at EMEA and North America, internal policies and procedures came up in second place. There does seem to be a much higher focus on policy compliance in North America than in the other regions.
What most closely represents your approach to compliance?

| Single answer | # | % |
|---|---|---|
| Compliance-based | 200 | 54 |
| Ethically-based | 62 | 17 |
| Risk-based | 109 | 29 |
| Total (EMEA and APAC only) | 371 | |
An interesting mix here. We would expect the compliance-based approach to be dominant. A risk-based approach to compliance is higher than we would expect, but this may come down to definition and interpretation.
The personal example is the willingness to travel over the speed limit if you are taking an injured person to hospital. This is actively and knowingly choosing noncompliance. An alternative interpretation of the risk-based approach is to accept that there may be some inadvertent noncompliance, rather than being knowingly noncompliant.
What is your main source of regulatory content?

| Single answer | # | % |
|---|---|---|
| All of the above | 32 | 53 |
| External content providers (Note who in chat) | 5 | 8 |
| The regulations in a format other than direct from regulator | 7 | 12 |
| The regulator websites, including examination procedures | 16 | 27 |
| Total (North America only) | 60 | |
Just over half of our North American participants sourced their regulatory content from multiple sources. Of those relying on a single source, most went to the regulators themselves. In total, 61% obtain their regulatory content from external content providers. While our poll doesn’t make any distinction on organization size, we’d assume that those not receiving this content are either smaller in size or still growing the maturity of their compliance program. Given the constantly changing regulatory landscape, easily ingestible external sources will become increasingly important.
Do you convert your regulatory compliance requirements into easy-to-understand obligations?

| Answer | # | % |
|---|---|---|
| No | 129 | 34 |
| Yes | 252 | 66 |
| Total (APAC and EMEA only) | 381 | |
Having ‘plain language’ obligations makes it easier to communicate with your people about their obligations, and ultimately enables them to meet them. This might include simple summaries that account for cross-references within or across regulatory obligations or, as with our LexisNexis integration, also include practical guidance and recommend potential controls to obligation owners.
Do you risk rate your obligations?

| Answer | # | % |
|---|---|---|
| No | 151 | 43 |
| Yes | 201 | 57 |
| Total (APAC and EMEA only) | 352 | |
I would have expected the number who risk-rated their obligations to be slightly higher. While the aim is to comply with all obligations, they are not all created equal. An open challenge for those that don’t – how do you know which obligations you need to pay more attention to and gain assurance that they are being met?
Do you define compliance risk as “the risk of non-compliance”?

| Answer | # | % |
|---|---|---|
| No | 102 | 26 |
| Yes | 288 | 74 |
| Total (all regions) | 390 | |
Although it is clear many organizations define compliance risk as the “risk of non-compliance”, we at Protecht find it much more effective to define it as the “risks that could lead to non-compliance”. This creates the following benefits:
- It avoids risk registers being filled with ‘noncompliance with….’ for every obligation that you have.
- Rethinking compliance risk as the “risks that could lead to non-compliance” means that your operational and compliance risks are the same thing and can be managed together, saving time and effort.
- Assuming “Meeting compliance obligations” is a key organizational objective, non-compliance is an impact on that objective, not a risk event.
Questions
Q1: What do you think is the most efficient, and less burdensome way, of managing all compliance obligations on an ongoing basis?
The eternal challenge is the trade-off between efficiency and effectiveness. Taking a risk-based approach to compliance helps with this trade-off, enabling you to focus on the obligations (and related controls) that matter the most to your organization and your customers. Having a systematic way to manage your obligations also goes a long way to achieving this outcome. This allows you to maintain visibility of what needs attention across the organization, and can provide metrics on how the compliance program itself is performing.
Q2: How do you ensure distinction between first line and second line if the compliance function sits in the second line?
The critical point is to ensure that the different responsibilities of a Line 2 compliance team compared to Line 1 are well defined and communicated. In an ideal world, the Line 2 Compliance team is not responsible for ensuring compliance. We like to use the analogy of a person driving alone in a vehicle. There is no compliance officer making sure they put on their seatbelt or adhere to the road rules – that is the responsibility of the driver. Compliance teams should not be responsible for operating controls that belong to Line 1.
While some will argue for complete independence (and independence is called for in ISO 37301 on compliance management systems), in practice the Line 2 team should act as a business partner. This may be providing guidance or advice, such as how Line 1 might consider control or process design in order to comply. If ‘complete’ independence is required, large organizations may also have Line 1 compliance teams that provide that level of advice and assist with implementation of controls, or may be charged with operating specific controls in Line 1.
Q3: How can you assess risk rating obligations?
Note: this answer combines the following questions asked at the webinars:
- In risk rating obligations, do organizations tend to limit that to an assessment of penalties or look more broadly at reputation and brand impacts?
- Any recommendations in Obligations rating methodology?
- Can you elaborate or give an overview of how to risk rate obligations? Is this a criticality-focused / inherent rating? Thanks
Risk rating of obligations is often assessed on either one dimension (the impact if noncompliance were to occur) or two dimensions (the likelihood of noncompliance, and the impact if noncompliance were to occur).
Whichever method you choose, we recommend focusing on the impact of noncompliance (akin to an inherent rating), as this helps drive controls assurance activity on the controls that matter the most if they were to fail. We recommend that you consider all of the impacts on your organization's objectives. We see three common approaches to rating compliance:
- Assessing potential impact against each of your defined impact categories
- A single rating assessed against the highest impact type
- A single assessment aggregated from multiple impact types
Q4: In your experience, is it only in exceptional circumstances where organizations accept a risk appetite for non-compliance above zero?
We hope so! Where there is a choice, an ethical, good corporate citizen organization would be expected to have a zero appetite for non-compliance. The only exceptions I have seen that feel OK to live with are:
- Where it is impossible to comply. We have had telco clients where some compliance obligations relating to the introduction of 5G could not be met because the technology needed to comply did not exist.
- Where the meeting of the compliance obligation leads to an unacceptable side effect and that side effect is deemed greater than not complying. We have seen this in the Health & Safety space where to comply would create greater danger for the employee.
So yes – we would like to see this as an exception!
Q5: Would you position the regulatory affairs function with compliance?
This will come down to how your organization is structured and particularly on the responsibilities and scope of your regulatory affairs function and compliance function. Some considerations might include:
- Whether regulatory affairs includes proactive risk management activity, such as lobbying for regulatory change, which might be best considered supporting specific Line 1 objectives
- Whether regulatory affairs is involved in responding to regulatory scrutiny, enquiries and investigations that might be considered Line 1 functions
- Whether the scope of your compliance extends beyond the regulatory, reducing the overlap in the teams
If you do include them together, it should be clear what their mandate is, and what their resourcing requirements are to ensure they can adequately meet those mandates.
Q6: Isn’t the failure to wear PPE a cause rather than an impact?
In the example in the webinar, the failure to wear the Personal Protective Equipment when it was required results in a breach of a compliance objective – therefore it is an impact on our objectives.
A cause is the point where, when you ask “why?”, the answer is either “It just is” or “It is outside of your influence”. Not wearing the required PPE is neither “just is” nor “outside of influence”. There is a reason for not wearing the PPE, and that reason is the cause.
Q7: How do you assign ownership to an obligation that is required across a broad organization?
Always a challenge! Perhaps a good example is employment or work conditions that need to be applied across the entire organization, and therefore apply to all people leaders. There are a few ways to manage this:
- Single ownership, distributed assurance – One person, perhaps a Head of HR, is assigned ownership of the obligation. They may be responsible for implementing enterprise-wide controls. Individual people leaders may be assigned attestations to confirm that they are adhering to those control standards, providing some reporting on how well the obligation is being managed.
- Multiple owners – The same obligation can be allocated to multiple owners. This might be applicable if they are responsible (and have the appropriate freedom) for defining controls or processes specific to their area that may differ from other areas.
We see the former more than the latter, but each has its place. Care should be taken to ensure that, whichever method you choose, your people understand their specific obligations. Particularly when multiple owners are assigned, it is important that they know where the boundaries lie. Otherwise obligations can fall through the cracks, where each owner believes they are being compliant, but the organization as a whole may not be.
Q8: What timeframes and headcounts would an organization expect to see?
Note: this answer combines the following questions asked at the webinars:
- What's the timeframe you have seen to complete a compliance register / obligations? How big a team have you seen to do a sufficient job of capturing relevant obligations?
- What kind of headcount would you expect for an organization of around 800 headcount globally?
The first question assumes that an obligations register can ever be called complete! If we assume you are building it from scratch and aiming to get to a ‘steady state’, timeframes will depend on many factors:
- Automation vs manual processes (such as regulatory newsfeeds with plain language obligations vs people trawling through legislation and regulations)
- The activities your organization performs and the size of the related regulatory landscape
- Whether the scope of your compliance program includes voluntary commitments
- Whether you are capturing obligations only (in the first instance), or also capturing controls
Team size and resources are also important – and a difficult question to answer given the above variables. It’s not uncommon for compliance teams to be relatively small – a Gartner report from 2021 put compliance spend at US$162K per 1000 employees. If you are starting from scratch, you may pull together a short-term project team in order to get the compliance program up and running.
Q9: Do you have any recommendations for compliance teams when approaching executive and senior staff about owning obligations?
The answer may well depend on the compliance culture in your organization (it shouldn’t, but we are being realistic)! If the Compliance department has endorsement and reporting lines to the governance body, then you are in a better position to have these conversations if you expect pushback.
We prefer the carrot method to the stick, but this will depend on your culture and the reason you expect pushback. At Protecht, we like to say that “Whoever owns the objectives, owns the associated risks and obligations”. As stated earlier, we like using the analogy of someone driving alone in the car – they are responsible for wearing their seatbelt, and for knowing what the speed limit is and abiding by that limit. This analogy might provide the clarity you need.
If you don’t have higher level buy-in or support, you’ve got a harder job ahead of you in reframing the compliance culture. Particularly if the pushback is of the nature of “Isn’t that the compliance team’s job?”, here are a few potential avenues to try:
- Ask the executive to think about scenarios where they had no compliance team (this could be in your organization if the compliance team is new, or perhaps when they worked elsewhere). Who was expected to comply in those scenarios? How did they comply without a compliance team?
- Ask the executive, if they don’t own it, then which other executive do they think owns the obligation? Based on their answer, you might then point out (if applicable) that the proposed ownership doesn’t align with ownership of related objectives.
- If you have the appropriate access, escalate to an appropriate forum (CEO, compliance committee, wider management team, etc.), explaining that ownership needs to be confirmed. If you do, approach from a position of curiosity (we need to clarify who owns this) rather than blame (this person doesn’t want to own this), and invite the executive to explain their position to their peers in order to reach a compliant resolution for the organization.
Q10: How do you see ISO compliance fitting into compliance management? And do you think safety risk professionals confuse the word compliance (i.e. they use the term compliance audits)?
I’ll assume you mean voluntary compliance with any of the myriad ISO standards, rather than referring to the ISO 37301 compliance management system standard. We would see this fit into compliance management as a voluntary commitment – however, these can essentially turn into mandatory requirements if you advertise that you are adhering to or are certified against that standard.
I’ve not come across the potential safety misuse of the word ‘compliance’, and it may be contextual. If it’s used in place of a safety risk assessment, I would say that is incorrect. However, if they are using it to evaluate whether controls are in place – that are required and therefore represent a compliance obligation – then I can see that being a reasonable (though specific) application of the word compliance.
Q11: What is good practice - to just have binary Yes/No options, or other options e.g. "partially compliant"?
We recommend binary Yes/No options. This reduces the ambiguity related to being “partially compliant”. What does it mean? If it is regulatory or contractual, are you in breach or not?
We do see instances where customers group lower-level obligations against a broader higher level obligation, or assess the same compliance obligation against multiple business units. They may then report these as ‘partially compliant’ if some of the underlying obligations are not met. However, we recommend this approach only if you distinguish different actions or escalations. If the action is the same for ‘Partially Compliant’ or ‘Not Compliant’, we suggest removing the ambiguity.
Q12: How effective has the system been in supporting external audits or regulatory examinations?
While it will depend on the specific need, the system can support extraction or use of information by external parties. We’ve seen it used in the following ways:
- Extracting reports or dashboard outputs to be delivered to regulators / audits for their examinations. This might include risk profiles, control assessments, or incident management dashboards
- Extracting individual records to support deep dives or specific enquiries
- Enabling read-only access to auditors/regulators. While this is not a common approach, this enables those parties to review data, including audit trails for when records have changed. This demonstrates transparency while also enabling efficiencies
While the question is focused on external audit, internal audit may also use the system to conduct internal audits over the activities performed by other teams.
Q13: How are obligations or regulatory requirements mapped and cascaded into the system/dashboard? Are the obligations summarized for conciseness and understanding?
Our integration with LexisNexis includes their ‘plain language’ obligations, which summarize the obligations while linking to the detailed requirements. They can be mapped to controls, risks, actions, and attestations.
This allows for filtering by specific topic or risk, gives immediate insight into areas where action may be required, and allows drilling down into more specific information.
Q14: What level of maturity you should be at before procuring a tech platform?
Full original question: Without a GRC / ERM platform it feels a bit chicken and egg to a) manually collate the information needed for integrated reporting to be effective, and establish repeatable processes for this, and b) load these processes into a technology platform to produce dynamic dashboards. Do you have any advice on what level of maturity you should be at before procuring a tech platform?
Let’s be honest, we nearly all start with Excel (I’ve been there). If you are just starting out, I’d recommend picking one particular piece of regulation to focus on and develop a pilot. This can help you understand the information that you want to capture, and how you might want this to link to other elements of your ERM / GRC processes and practices.
In procuring an ERM system, it may be less about maturity, and more about demonstrable benefits. Those benefits can be simple cost savings (efficiencies gained compared to system costs), as well as a range of other benefits that you ultimately want to achieve in your compliance program – such as improved insights in where to focus, control optimization, and reduction in compliance breaches.
Q15: While the Compliance and Risk function may have an ethically-based approach, how do you convince other teams, such as sales, that it's the right approach?
A few things to consider:
- Work on the culture. Transition from a pure sales culture to an ethical culture.
- Remove / reduce commissions and bonuses linked purely to sales.
- Create a balanced scorecard linked to performance and bonuses etc. which includes a range of measures, including ethical ones.
- Recruit the right people, who have an ethical bone!
- Get tone at the top right!
Q16: Are you a proponent of combining the risk and compliance functions?
Risk and compliance are different functions, and we recommend they are not combined.
One of the potential downsides – particularly if people are cross-skilled and expected to work across both disciplines – is that resource allocation or attention can become uneven. They also require different skill sets and different types of analysis.
Risk management includes managing all types of objectives, of which compliance is just one. At the strategic level, for example, it should include making risk-informed decisions on which strategies to pursue, which may include the review of business plans and financial projections. Compliance on the other hand, requires different types of analysis and processes. While you should take a risk-based approach to compliance, you should take that approach to most disciplines.
That said, they should share common tools and frameworks to improve efficiency and reporting. For example, using the same framework to document controls and link compliance to operational risks can allow for reporting of all types of risks, while allowing for a focus on specific risk types, like compliance, where required.
Q17: What are your thoughts on the crossover between operational risk and compliance risk when thinking about managing non-compliance with internal policies and standards?
We see compliance risk as a sub-set of operational risk. When it comes to internal policies and standards, the question to ask is: what are the likely outcomes that follow noncompliance with those policies? Usually those policies exist to manage some form of risk. In this case you would:
- Document the policy requirements as a compliance obligation
- Document the risk(s) the policy is designed to address
- Link the obligation to the risk
You might also call out the specific elements of the policy as controls that are designed to mitigate the risk.
Q18: How can you make a zero tolerance compliance risk appetite work in practice?
Original question: When talking about zero tolerance compliance risk appetite – I assume most firms would accept there is some level of tolerance when articulating Board-level appetites – otherwise it would always be reported as out of appetite – perhaps not helpful or realistic, and worthy of Board attention.
This highlights the importance of culture and communication when it comes to compliance, compliance risk, risk appetite and tolerance.
If you adhere to the principles of ISO 37301 on compliance management systems, it states that even if you assess risk of noncompliance as low, it doesn’t mean you should accept noncompliance – which you could say by default means your risk tolerance should be zero. Risk appetite is generally considered ‘the amount of risk you are willing to accept in pursuit of objectives’, but practically you have to accept that noncompliance is possible. When we provide training or consulting to our clients on risk appetite, when it comes to compliance risk, we make it clear that zero risk appetite doesn’t mean that it won’t happen; but that action and review should always occur if there is noncompliance.
We hear some concerns that stating it in these black and white terms might cause people to under-report (tip: don’t incentivize based on zero or low number of reported breaches). An alternative statement is that the organization won’t tolerate deliberate noncompliance, or won’t tolerate nonreporting of noncompliance in order to drive different behaviour.
Q19: Could we have different appetite for mandatory and voluntary risk – maybe less strict with voluntary compliance?
While you could, this could become problematic for a couple of reasons:
- What is voluntary today might become mandatory tomorrow (either by regulation or by presenting a particular expectation)
- What is voluntary (what you say you will do) may sometimes be even more important than regulatory requirements; your values and policies might tell your employees a lot about what your company stands for – and subsequent violation of them might tell them even more
Of course, for those that are voluntary you might change your policies and practices if those things aren’t working for you – but that would be actively changing them as opposed to being less strict with adhering to them.
Q20: It would be good to hear about how to synchronize risk and compliance controls.
Music to our ears! As we mentioned in the webinar:
- Complying is (or should be) an objective of all organizations
- Risk is the effect of uncertainty on objectives; what are the events that could lead to noncompliance?
- A control is a measure or action intended to modify risk
By following this process, we have now linked risk and compliance controls together. Risks may have noncompliance as just one of several different types of impact (such as financial, reputation etc). We recommend documenting controls using a common method, using the same control library with the same characteristics. Thinking about them in this way helps align your risk and control frameworks.
Next steps: watch our compliance and compliance risk management webinar
However, managing compliance is a formidable task due to the sheer quantity of compliance needs.
In this free on-demand webinar, Protecht’s Chief Research and Content Officer, David Tattam, and our VP North America, Terry Lee, will provide you with a practical overview of best practice compliance and compliance risk management processes using a risk-based approach: