Framework for governance, risk, and compliance Flashcards
Why are governance and compliance frameworks a necessary component of effective risk-management? (2)
Governance and compliance frameworks are not sufficient on their own. What else is equally important? (2)
When do problems arise?
Name 4 examples of risk-management-related governance compliance issues.
Name 4 consequences.
How can effective governance and compliance help?
(1) Without governance and compliance frameworks for RM, organisations will be vulnerable to employee bad behaviour, including negligence or criminal activity
*Effective governance and compliance frameworks for RM help all employees to understand the RM ‘rules’
(2) RM, governance and compliance are inseparable = impossible to have effective RM without appropriate governance and compliance frameworks
Risk culture and tone from the top
Problems arise when employees are incompetent in their role or do not comply with policies, procedures, and codes = inappropriate risk taking and control weaknesses
- Not following health-and-safety procedures
- Fraud and theft of company assets
- Not declaring conflicts of interest
- Accepting a bribe
Consequences could be = financial, regulatory enforcement, adverse media reporting, divert management’s attention from strategic and operational priorities
Effective governance and compliance should prevent these adverse outcomes and increase the chance that an organisation will achieve its objectives/meet the needs of its stakeholders
IMPLEMENTING EFFECTIVE RISK-MANAGEMENT POLICIES AND PROCEDURES
For effective governance and compliance, an organisation needs to implement risk-management policies and procedures that do what 3 things?
What is the primary role of risk-management policies and procedures?
Without effective policies and procedures, what could happen?
To support effective governance and compliance, the implementation of risk-management policies and procedures require what 7 things?
(1) Comply with relevant governance codes, laws and regulations
(2) Are in the interests of stakeholders
(3) Ensure that the risk-taking and control decisions and actions of all employees support the effective setting and achieving of an organisation’s objectives
Purpose = ensure RM decisions and activities of all employees are consistent and appropriate in terms of both an organisation’s objectives, and legal and regulatory obligations
Employees would not know how to act and could make decisions that are not in the interest of the organisation or its stakeholders = chaos in the organisation = inconsistent actions and decisions, leading to serious governance and compliance breaches
- an explanation of why they are needed (= to ensure regulatory compliance, to protect stakeholders, and to help the organisation set and achieve its objectives)
- the organisation’s RM principles, set out in an RM policy
- clear and unambiguous roles and responsibilities
- board and senior management support
- sanctions for non-compliance e.g., verbal/written warning, withhold bonus/promotion
- communication and training
- regular reviews and updates
DETERMINING AND IMPLEMENTING AN EFFECTIVE RISK-APPETITE FRAMEWORK
From a governance and compliance perspective, employees should understand what 3 things?
A company may develop and monitor a set of risk metrics against agreed limits and thresholds. What does this allow management to do?
What would be required if the risk appetite was exceeded? (2)
- The risks that may be taken, and any limits to the level of risk exposure that may be taken, set out in a written risk appetite statement
- The risks that should not be taken where practicable
- The management roles and committees that have the authority to waive limits or take risks normally considered outside of appetite where this supports organisational objectives
Allows management to determine whether an organisation is within or outside its appetite for risk and to take action to address any issues
(1) immediate action would be required to rectify the situation
OR
(2) the board or risk committee may need to go through the agreed risk acceptance process to accept a degree of control weakness for a brief period of time.
COMPLIANCE MANAGEMENT FRAMEWORKS
How are governance, risk and compliance activities complementary? (2)
Why are compliance-management frameworks necessary? (3)
Name 5 possible consequences of non-compliance.
(1) Weak governance or non-compliance with laws and regulations can create significant risks for organisations.
* these risks need to be identified, assessed, monitored and controlled using risk-management tools and techniques
(2) Organisations that have RM frameworks need to ensure that these frameworks are compatible with all applicable laws and regulations (compliance).
* also need to ensure that they meet the needs of their stakeholders (governance) and support the achievement of their objectives
Necessary to ensure compliance with:
1. an organisation’s internal policies and procedures
2. applicable laws and regulations (such as health-and-safety or environmental regulations)
3. standards, guidelines and codes of conduct that the organisation has chosen to comply with, such as ISO 31000
Compliance risks = (1) criminal sanctions or fines, (2) loss of licence to operate, (3) disruption to the efficiency of day-to-day operations, (4) long-lasting financial and reputational consequences, (5) in a plc, a reduction in the value of shareholder equity (e.g., VW)
COMPLIANCE MANAGEMENT FRAMEWORKS
What are the 5 components of an effective compliance-management framework?
- Establishing compliance standards = imposed by laws or regulations or those set by an organisation
- Developing compliance processes and controls = including (1) compliance management policies and procedures, (2) compliance reporting and escalation processes, and (3) compliance training and communication
- Linking compliance management with internal control = these are closely related and sometimes the terms are used interchangeably
- Risk-based compliance = activities or decisions that have a higher degree of compliance risk should receive more compliance-management resources
- Roles and responsibilities = which vary according to an organisation’s sector, scale and structure, but commonly include the compliance function, board, risk and audit committees, and company secretary
COMPONENTS OF AN EFFECTIVE COMPLIANCE-MANAGEMENT FRAMEWORK - ESTABLISHING COMPLIANCE STANDARDS
An organisation’s compliance standards are a combination of what 2 things?
For both, what are the relevant degrees of compliance and levels of discretion?
- compliance standards imposed on the organisation via laws and regulations
- compliance standards determined by the organisation to meet its objectives and stakeholder needs
Imposed standards = must comply with very little discretion
E.g., Health-and-safety/environmental compliance = As Low As Reasonably Practicable (ALARP).
* Where discretion is used it is recommended that an organisation discusses these standards with the relevant regulatory or supervisory agency to avoid any subsequent disagreements
Voluntary standards = much more discretion over degree of compliance expected from employees
E.g., internal policies and procedures and code of conduct
* Discretion usually on cost-benefit grounds = where the costs of compliance exceed the benefits, a degree of non-compliance may be accepted BUT any case of non-compliance should be reported to the audit committee or board so directors are kept informed
COMPONENTS OF AN EFFECTIVE COMPLIANCE-MANAGEMENT FRAMEWORK - DEVELOPING COMPLIANCE PROCESSES AND CONTROLS
What are the 3 processes and controls required to ensure that the agreed compliance standards are enforced within an organisation?
What 3 things should a compliance-management policy contain?
Name 2 compliance-management common principles.
Name 2 examples of compliance-management procedures.
- Compliance-management policies and procedures
- Compliance reporting and escalation processes
- Compliance training and communication
COMPLIANCE-MANAGEMENT POLICIES AND PROCEDURES
Detailed compliance-management policy should contain:
(1) The expected compliance standards and principles
(2) Reporting and escalation arrangements
(3) Roles and responsibilities for the board, SM, other managers and employees
Common compliance management principles include:
A. Expectation employees will act honestly and with integrity
B. Compliance-related risks must be monitored adequately, and all cases of non-compliance escalated to the appropriate level of management
There may be procedures for:
(i) Reporting and escalation
(ii) Temporarily allowing non-compliance on cost-benefit grounds
COMPONENTS OF AN EFFECTIVE COMPLIANCE-MANAGEMENT FRAMEWORK - DEVELOPING COMPLIANCE PROCESSES AND CONTROLS
What does compliance reporting provide?
What are the 2 common forms of reporting?
Why are escalation processes needed?
Who should escalation be to?
Training can be delivered to help employees understand what 2 things?
What else can supplement or support formal training?
COMPLIANCE REPORTING AND ESCALATION PROCESSES
Provides assurance to directors and managers that organisation is complying with relevant laws and regulations and any compliance risks are managed effectively
- Periodic review of compliance = prepared by the company secretary (cosec) and reported to the board
- Compliance monitoring and reporting to management and SM = much more regular (e.g., daily control-effectiveness checks to ensure that financial crime regulations are adhered to)
Escalation processes are needed for when ineffective controls are detected or where employees or managers are not behaving in an appropriate manner
Escalation should be to the appropriate level of management
* Serious non-compliance that threatens whole organisation = board
*Less serious = line manager
COMPLIANCE TRAINING AND COMMUNICATION
Training (Provided in-house or externally) can be delivered to help employees understand:
(1) the importance of complying with all applicable laws and regulations
(2) how to operate the relevant compliance controls effectively
Regular communication on compliance responsibilities e.g., emails, memos, team discussions
COMPONENTS OF AN EFFECTIVE COMPLIANCE-MANAGEMENT FRAMEWORK - LINKING COMPLIANCE MANAGEMENT WITH INTERNAL CONTROL
How are compliance management and internal control linked? (2)
In larger organisations where these activities may be organised into separate functions, what actions may need to be taken?
- Compliance management and internal control are closely related = 2 terms may be used interchangeably and compliance management may be viewed as part of internal control or vice-versa
- Ensuring that employees are complying with laws and regulations, internal policies and procedures, external standards, guidance and codes is an important part of internal control
Action may be needed to co-ordinate the activities of these functions
*Busy line-managers and employees will not want two separate functions asking them to perform very similar activities
COMPONENTS OF AN EFFECTIVE COMPLIANCE-MANAGEMENT FRAMEWORK - RISK-BASED COMPLIANCE
Risk-based compliance is organised on the principle of what?
Areas of higher compliance risk include what?
Risk-based compliance management will require what?
The principle that activities or decisions that have a higher degree of compliance risk should receive more compliance-management resources
*Greater compliance-management resources will be devoted to the areas of greater risks = more internal audits
Include laws and regulations that could result in criminal sanction or enforcement action that might affect the achievement of an organisation’s objectives
Require an assessment of compliance risk = identifying and evaluating the probability and impact of a variety of adverse compliance scenarios
COMPONENTS OF AN EFFECTIVE COMPLIANCE-MANAGEMENT FRAMEWORK - ROLES AND RESPONSIBILITIES
Roles and responsibilities for compliance management will vary according to what?
Which organisations may not have a dedicated compliance function?
What is the role of the compliance function? (6)
What should the company secretary or governance professional do?
An organisation’s sector, scale and structure
A small organisation = role may be performed by a nominated manager (such as the company secretary) or be outsourced to an external compliance services provider
- Keeping up to date with legal and regulatory changes
- Communicating with legal, regulatory and supervisory agencies, such as the HSE
- Monitoring the effectiveness of compliance procedures and controls
- Compliance monitoring reporting to management and the board of directors or trustees
- Working with all other managers and business functions to ensure that any non-compliance is rectified as quickly as possible
- Co-ordinating compliance-related training and communication activities
Should work with the compliance function to ensure board has the assurance information that it needs to determine whether its compliance arrangements are appropriate
COMPONENTS OF AN EFFECTIVE COMPLIANCE-MANAGEMENT FRAMEWORK - ROLES AND RESPONSIBILITIES
What is the board accountable for in relation to compliance-management?
What can help with this?
What is the role of the risk and audit committees in relation to compliance-management? (2)
How often should a company’s compliance management policy be reviewed and approved?
Board is accountable for the effectiveness of its compliance-management activities and any cases of non-compliance
Compliance-management reviews and exception reports on any serious cases of non-compliance can provide a board with the assurance that it needs and to take action where necessary
Risk and audit committees will support the work of the board on compliance management = include
(1) looking into the detail of compliance reviews and relevant internal audits
(2) may oversee any actions taken to address identified compliance weaknesses or areas of non-compliance
Annually by risk and/or audit committee and board
COMPONENTS OF AN EFFECTIVE COMPLIANCE-MANAGEMENT FRAMEWORK - ROLES AND RESPONSIBILITIES
Is compliance management equal responsibility of all employees within an organisation?
What are the managers responsible for? (3 and 3)
If an employee behaves in a non-compliant manner, why is it often not their fault?
No = all employees have a personal responsibility (and should make every effort) to comply with internal organisational policies, external laws and regulations, but not equal responsibility
Managers are responsible for ensuring that:
(1) appropriate incentives are in place to ensure compliance
(2) their staff have the training and support they need to behave in a compliant manner
(3) employees are being compliant = might include:
A. Monitoring the effectiveness of local compliance procedures and controls
B. Taking steps to address non-compliance on the part of employees
C. Escalating concerns to more senior management and the compliance function
Employee non-compliance is usually the result of ineffective management or weak organisational compliance-management arrangements
GOVERNANCE STRUCTURES FOR RISK-MANAGEMENT - 3 LINES OF DEFENCE
Governance structures for risk-management will vary according to what?
Which type of organisations use the 3 lines of defence approach?
What is the approach based on and why?
Which 3 roles are separated? (3)
For the approach to be effective, what needs to happen?
Industry sector, and the scale and complexity of an organisation’s structure and operations
*Small, simple organisation = governance of RM framework left to board
Organisations in the financial sector with strong support from regulators (but also large, more complex organisations)
A classic governance control = segregation of duties = helps prevent conflicts of interest (this is an advantage)
Separates 3 complementary roles in the governance and operation of a RM framework:
1. Day-to-day risk-taking, assessment and control
2. Oversight of how risks are taken, assessed and controlled
3. Assurance that risk-taking, assessment and control activities are operating effectively and that the decisions made are consistent with the organisation’s objectives
Individuals in the 3 lines need to communicate regularly and at times work together = there must be trust (built up if they understand each other and the value of the 3 roles) (this is an advantage)
GOVERNANCE STRUCTURES FOR RISK-MANAGEMENT - 3 LINES OF DEFENCE
What are the 1st, 2nd, and 3rd lines of defence?
What is each of the lines responsible for / what do they provide?
What is each line’s primary role?
1st line = operational management
* = front-line decision-makers who take, assess and control risk
* ensure decisions they make are consistent with organisation’s strategic and RM objectives
2nd line = risk management
* = design and implement RM framework and risk reporting to SM and board
* ensure that business managers follow framework and make RM decisions that are consistent with organisation’s objectives
3rd line = internal audit
* = provide assurance to SM and board that RM framework is operating effectively
* ensure any weaknesses in design or implementation of RM framework are detected and controlled