Compliance management Flashcards
2 ways in which comp-man and risk-man are linked
- In many countries/sectors there are laws and regs that are related to the practice of risk-man in orgs (which need to be complied with)
- Due to laws and regs, there is a risk of sanctions for non-compliance (compliance risk). Risk-man tools and techniques manage this risk
3 examples of laws and regs relating to risk-man:
- Company-law and governance regs
- H&S laws and regs
- Environment laws and regs
Comp-man ensures that: (2)
- all applicable laws and regs are identified
- implications of laws and regs are assessed and understood
Comp-man includes: (2)
- putting mechanisms in place to assess whether risk-man policies, procedures and practices are compliant with laws and regs
- designing and implementing controls which monitor and maintain compliance
4 potential compliance risk events (categories of):
- Not realising a law or reg applies
- Misunderstanding a law or reg
- Consciously not complying with law or reg
- Mistakenly breaching law or reg
Groups/individuals/functions with key roles and responsibilities to comp-man: (9)
- Board
- Audit committee
- CoSec and other gov. profs
- Compliance function
- Risk-man function
- Internal audit function
- Other specialist functions (eg. H&S)
- Line managers across the org
- Staff members
Role of board in compliance management (2)
- Board has ultimate responsibility for ensuring compliance
- Boards rely on variety of assurance mechanisms for this oversight, including internal audit reports and reviews, compliance monitoring reports, etc.
Role of audit committee in compliance management (3)
- When present, usually consisting exclusively of NEDs
- Specific comp-man role to ensure compliance with fin. reporting laws and regs
- May have additional compliance responsibilities as delegated by the board, such as initially receiving audit reports and compliance reviews
Role of CoSec and gov. profs. in compliance management (2)
- May take role of compliance function / manager in a smaller org
- Where there is a separate compliance function, certain responsibilities may still sit with CoSec, including governance compliance
Role of compliance function in compliance management
Primary responsibility for day-to-day comp-man activities of an org
Compliance function’s day-to-day responsibilities may include: (5)
- Keeping up to date with new laws and regs, or changes to existing ones
- Performing compliance reviews of processes, procedures, etc.
- Identification, assessment and monitoring of comp risks
- Designing and implementing controls
- Providing compliance advice to other functions
Role of risk-man function in compliance management (2)
- May have responsibility for overseeing management of comp-risks relating to risk-man
- May support other functions by providing advice on managing comp-risks
Role of internal audit function in compliance management (2)
- Internal audit will usually assess comp-man-related controls and monitoring tools
- May assist compliance function in completion of compliance reviews
Role of other specialist functions (H&S, information security, etc.) in compliance management (2)
- Where present, have central role in control of relevant compliance risks
- May provide technical advice to compliance function, CoSec, etc. on management of specific risks
Role of line managers across the org in compliance management (2)
- Responsible for ensuring their direct reports comply with applicable laws and regs, including ensuring they have necessary skills and training to be compliant
- Responsible for ensuring decisions within their line do not expose org to compliance risks
Role of staff members in compliance management (2)
- All are responsible for making sure they conduct their duties in a way that is compliant, or not knowingly non-compliant
- Follow instructions of compliance function and other specialists
What might it be common for orgs to not be fully compliant with?
Guidance, principles and codes, where non-compliance is usually not penalised (or minimally penalised)
Costs of compliance: (3)
- Requires a lot of human resource and time
- Can be disruptive to operations
- Costly to invest in comp-man experts, create policies and implement tools
What is risk-based compliance monitoring?
Allocating the greatest amount of resource to the largest compliance risk, and less resource to smaller compliance risk
Why would an org implement risk-based compliance monitoring?
In recognition of limited resource available to be put towards comp-man, so that this can be more efficiently allocated
How would an org implementing risk-based compliance monitoring determine what are large and small compliance risks?
By measuring the probability and impact of non-compliance (i.e. receiving the sanction), and assessing these against a risk matrix
Each section of risk matrix has a score (if impact = 3 and probability = 2 then exposure = 6), and then resource can be allocated accordingly
9 tools which can support comp-man activities of an org:
- Comp policies and procedures
- Comp codes of conduct
- Comp reviews and audits
- Comp impact analysis
- Gap analysis and action planning
- Comp reporting
- HR related controls
- Whistleblowing procedures
- Establishing an appropriate compliance culture
Tool to support comp-man - comp policies and procedures
- Org will either have policies focussed on comp-man, or this will be covered by other policies such as re. risk-man
- These will specify how comp-risks are identified, assessed, monitored and controlled
Tool to support comp-man - comp codes of conduct (2)
- Codes of conduct of org, and of relevant professional associations specify the type of conduct expected of staff members/directors/members of prof. ass.
- Breaches may lead to disciplinary action