Compliance management Flashcards
Compliance management helps an organisation do what?
What are the 2 ways that compliance management and risk management are linked?
What is compliance risk?
How can it be managed?
To balance the costs and benefits of compliance, so that its compliance activities are cost effective and support the achievement of all its objectives
= CM exists to help prevent non-compliance (or partial compliance) and over-compliance (which increases the cost of compliance and may lead to inefficiency and ineffective processes)
- In many countries and organisational sectors there are laws and regulations that are related to the practice of RM in organisations (which need to be complied with)
- Whenever there are laws and regulations, there is a risk that an organisation will face sanctions where it is found to be non-compliant with these
Compliance risk = the risk of criminal sanction or a financial or reputation loss as a result of actual or perceived non-compliance with all applicable laws, regulations, standards, guidelines and codes of conduct
Using RM tools and techniques
RISK-MANAGEMENT RULES AND REGULATIONS
Organisations are subject to a variety of laws and regulations.
Compliance management ensures what 2 things?
What does compliance management include? (2)
Where risk-management policies, procedures and practices are found to be non-compliant, compliance management can help ensure what?
Name 3 examples of consequences of compliance risk events.
CM ensures that:
(1) All applicable laws and regulations are identified
(2) The implications of these laws and regulations for an organisation’s decisions and processes are assessed and understood
CM includes:
1. putting mechanisms in place to assess whether the RM policies, procedures and practices within an organisation are compliant with applicable laws and regulations; and
2. designing and implementing controls which monitor and maintain compliance
Help ensure that actions are taken to make these compliant, and to manage any related dialogue with the relevant supervisory or regulatory agencies
A. fines
B. imprisonment of key staff
C. negative media coverage (and reduction in share price)
MANAGING COMPLIANCE RISK
Name 6 examples of potential compliance risk events.
- An organisation does not realise that a law or regulation exists or applies to it e.g., the law or regulation is new or has changed
- The organisation is aware of the law or regulation but is uncertain how to comply with it e.g., principles- and outcomes-based regulation, where there is no single way to comply
- Uncertainty may exist over when or how a law or regulation applies in different contexts e.g., the Modern Slavery Act in the UK
- An organisation’s management makes a conscious decision not to comply with a law or regulation e.g., compliance deemed too costly, inefficient, or conflicting with other rules
- Staff members take decisions or actions that cause the organisation to breach a law or regulation (can be accidental or deliberate)
- Complexities and conflicting priorities within processes and procedures may make it hard to design them to ensure full compliance AND achieve organisational objectives
E.g., financial crime rules have made it harder for people to open bank accounts = the account-opening process is much longer and greater amounts of documentation are required
ROLES AND RESPONSIBILITIES FOR COMPLIANCE
What is the Board’s role?
How does the Board do this?
What is the Audit Committee’s role?
What is the Company Secretary’s role?
Board = assure themselves that all necessary compliance management arrangements are in place to maintain an appropriate level of compliance with applicable laws and regulations (have ultimate responsibility for ensuring that an organisation is compliant)
Boards rely on a variety of assurance mechanisms to oversee the compliance management activities of an organisation (compliance monitoring reports, compliance-focused internal audit reports)
AC = to ensure that an organisation complies with the laws and regulations that relate to financial reporting (Provision 25) AND compliance responsibilities delegated to them e.g., reviewing internal audit reports and compliance reviews
Company secretary = ensure that the organisation is compliant with company law as well as other governance related laws and regulations and reporting this to the board
ROLES AND RESPONSIBILITIES FOR COMPLIANCE
What 6 things may the Compliance Function’s role include?
What is the Risk-Management Function’s role?
What is the Internal Audit Function’s role?
- keep up to date with new laws and regulations
- support internal audit
- perform compliance reviews
- identify/assess/monitor compliance risks
- design/implement controls to mitigate compliance risk events
- work with authorities to help resolve compliance breaches
RMF = support the compliance function by providing advice on how to manage compliance risks AND design tools and techniques for the identification, assessment, monitoring and control of compliance risks
IAF = complete thematic audits that look at CM arrangements
ROLES AND RESPONSIBILITIES FOR COMPLIANCE
What is the Line Manager’s role?
What 2 things does this include?
What is the role of all staff members?
LM = ensure that their direct reports comply with applicable laws and regulations, and that compliance-related controls are used in an effective manner
= responsible for ensuring that the decisions they make do not expose the organisation to compliance risks
(1) ensuring that compliance-related policies are complied with, and that processes and procedures are performed in a compliant manner
(2) ensuring that their employees have the skills and training they need to conduct their duties in a compliant manner
Staff = responsible for conducting their duties in a compliant way = follow the instructions of the compliance function and other compliance-related specialists to ensure that their actions or inaction do not expose the organisation to unnecessary or excessive compliance risks
Why is compliance management costly?
What is a large part of the cost?
What 3 things does this include?
What are the 4 problems?
What can help?
= organisations may have to invest in compliance management experts, design and implement compliance management policies, procedures and tools, and ensure that these policies, processes, and tools are working as intended
= monitoring of an organisation's compliance activities (to ensure staff and management understand their compliance-related responsibilities and are taking all measures to ensure compliance with laws and regulations)
(1) conducting compliance reviews, where the day-to-day operation of compliance-related controls is investigated
(2) detailed internal audits
(3) monitoring of compliance indicators e.g., measuring the number of unauthorised policy or procedure breaches
- organisations do not have limitless resources to monitor compliance
- the act of monitoring compliance can be disruptive to the operations of an organisation.
- Compliance reviews and audits take up valuable staff and management time.
- Senior management (SM) and directors have limited time to devote to reviewing compliance monitoring activities and to initiating subsequent corrective actions
Risk-based compliance monitoring
RISK-BASED COMPLIANCE MONITORING
What is the concept of risk-based compliance monitoring?
It is a mechanism for what?
How can it help organisation?
An organisation’s exposure to compliance risk will depend on what?
High levels of compliance risk exposure may be the result of what?
Where risk-based compliance is used, it is common for compliance risks to be assessed using what?
Each organisation that decides to use risk-based compliance will need to assess what?
= the greatest amount of resource is devoted to the largest compliance risks, such as the risk of criminal sanctions
Is a mechanism for assessing the costs and benefits of compliance monitoring = where costs exceed the benefits, resource is decreased and vice versa
Helps an organisation to allocate its compliance monitoring resources in a cost-effective way
The probability of non-compliance and the resultant impact of non-compliance in terms of fines, liability claims or other sanctions
A high probability of non-compliance, a high impact of non-compliance, or a combination of the two
A risk matrix = Compliance risks in the ‘red’ zone will have the greatest level of monitoring resources devoted to them = monitoring will be more frequent and may be more in-depth
*Amber and green compliance risks will have proportionately less monitoring resources devoted to them
Assess the probability and impact of all its compliance risks
COMPLIANCE MANAGEMENT TOOLS
What are the 9 tools that may be used to support the compliance management activities of an organisation?
Why does an organisation need compliance policies, procedures and codes of conduct?
What role do HR controls, and whistleblowing policies and procedures, play in controlling compliance?
- compliance policies and procedures
- compliance codes of conduct
- compliance reviews and audits
- compliance impact analysis
- gap analysis and action planning
- compliance reporting
- HR-related controls
- whistleblowing procedures
- establishing an appropriate compliance culture
to emphasise the importance of complying with applicable laws and regulations, and to explain what staff members must do to ensure compliance
exist to prevent and mitigate compliance breaches = deter staff members from deliberate acts of non-compliance
COMPLIANCE MANAGEMENT TOOLS - COMPLIANCE POLICIES AND PROCEDURES
What are the 2 types of compliance management policies and procedures organisation may have?
Policies that are focused on compliance management will specify what?
Compliance management procedures will specify what?
Organisations may have policies and procedures that are focused on:
(1) compliance management
(2) other activities that have a compliance element
CM Policies will specify how compliance risks are to be identified, assessed, monitored and controlled AND explain the various roles and responsibilities that exist for compliance management
CM procedures will specify how particular compliance risks are to be monitored and controlled.
*E.g., Procedures for monitoring and reporting on suspicious transactions (suspected money-laundering activities)
COMPLIANCE MANAGEMENT TOOLS - COMPLIANCE CODES OF CONDUCT
Organisation may have one or more codes of conduct in place that are compliance related. What other codes of conduct may an organisation abide by?
What do codes of conduct specify?
Name 6 things that a code of conduct may cover.
Staff members found to be in breach of a code of conduct may be subject to what?
Professional associations may have codes of conduct that they expect their members to adhere to.
Codes of conduct specify the type of conduct that is expected of relevant staff members, managers and directors = may include rules which must be followed at all times, as well as guidance on the standards of behaviour that are expected
Codes may cover:
1. general principles e.g., behave lawfully, ethically, honestly etc.
2. use of organisational assets and info
3. declaring/managing Conflicts of interests
4. dealing with customers and service users
5. behaviour when using social media/internet
6. reporting concerns about the conduct of staff members and other stakeholders
Disciplinary action = official warning letter, loss of a bonus or pay rise, dismissal
COMPLIANCE MANAGEMENT TOOLS - COMPLIANCE REVIEWS AND AUDITS
What is a compliance review?
What may compliance reviews look at?
What do compliance reviews investigate?
How are weaknesses addressed?
How can other internal audits help compliance?
Compliance reviews = a form of internal audit that reviews and reports on the effectiveness of compliance-related controls
Reviews may look at specific laws and regulations or specific operational areas, such as health and safety, or IT security
Investigate whether compliance controls are used in an appropriate manner and whether additional controls are required
Weaknesses will be ranked in order of priority and actions agreed to ensure they are addressed in a timely manner
Other internal audits of key organisational processes and functions may identify compliance-related issues
COMPLIANCE MANAGEMENT TOOLS - COMPLIANCE IMPACT ANALYSIS
What is a compliance impact analysis?
What will it assess?
What are the direct financial costs?
What are the indirect financial costs?
The completion of an effective compliance impact analysis requires what 3 things?
Compliance impact analysis = a form of risk assessment that investigates the impact of a compliance breach
will assess and attempt to quantify the direct and indirect financial costs of a breach
AND may assess non-financial impacts such as reputation effects
The direct financial costs = any fines or costs that are incurred in the event of a breach = includes legal and court costs.
The indirect financial costs = the costs associated with managing the effects of a breach
* E.g., cost of staff time that may be devoted to managing the aftermath of a breach, such as dealing with regulators, lawyers and the media
- input from a cross-functional range of experts, such as compliance managers, risk managers, finance specialists and public relations experts;
- the analysis of any existing information within the organisation, such as pre-existing risk assessments and compliance reviews; and
- regular updates as new information is obtained
COMPLIANCE MANAGEMENT TOOLS - GAP ANALYSIS AND ACTION PLANNING
What does a compliance gap analysis help do?
How is it done?
What happens where gaps are identified? (2)
When does gap analysis work best?
When is gap analysis common?
A compliance gap analysis helps an organisation to assess whether its existing policies, processes, procedures and compliance controls are sufficient to comply with relevant laws and regulations
The law or regulation is broken down by article, subsection or paragraph, and an assessment is made as to whether existing policies, processes, procedures and compliance controls are sufficient to ensure compliance with each article, subsection or paragraph
(1) Where gaps are identified these may be prioritised in terms of ‘low’, ‘medium’ or ‘high’ gaps
(2) Action plans may be included within a compliance gap analysis where gaps are identified
Gap analysis works best when completed by a small team of relevant experts
Compliance gap analyses are common for new laws and regulations, or where there are major changes to existing laws and regulations
COMPLIANCE MANAGEMENT TOOLS - COMPLIANCE REPORTING
What may compliance reports include? (2)
Who are compliance reports produced by?
Who are they provided to? (2)
Compliance reports may include:
(1) the output from a range of other compliance activities, including risk-based compliance assessments, compliance impact analyses, compliance reviews and compliance gap analyses
(2) a summary of any new laws and regulations, or changes to existing laws and regulations
Produced by the compliance function and overseen by the Company Secretary (Cosec)
- Provided to the board and AC where relevant to help provide assurance that the organisation is compliant with relevant laws and regulations
- Provided to SM and department or functional management to help them monitor the effectiveness of their compliance-management activities and take action to address any weaknesses