What is a Compliance Footprint?
PwC identified in a report over 12 years ago that “few have had true success with establishing real-time, proactive monitoring programs that allow them to get ahead of issues and violations, reduce costs, and drive operational excellence to enhance compliance and create a competitive advantage.”
This position has not improved in the last 12 years.
IDENTIFY AND RECORD / ASSESS THE SOURCES OF COMPLIANCE REQUIREMENTS
This can be a formidable task for internal teams, and even for external regulatory consultancies, because of the volume of laws and regulations most organisations are subject to. The sources of requirements need to be identified, recorded and understood. This gives rise to the need for a register of compliance requirements or compliance commitments, the ‘Compliance Footprint’.
This register should ideally include:
- The legislation or Regulation identifier
- The sections and sub-sections of the regulations that may apply
- The parts of the organisation to which the requirements apply
- Penalties for non-compliance – listed comprehensively
- A link to policies and processes that support compliance
- A link to the risks that could lead to non-compliance, and their related controls, as identified through thorough risk assessments, audits and management information.
There must also be a process for keeping the requirements up to date with alerts sent out to the relevant parts of the business when requirements change.
The creation and maintenance of this Compliance Footprint can be achieved either internally, if you have appropriately experienced resources, or externally, using external legal and/or Compliance experts to develop and maintain these systems, such as our GAIRUS program.
Effective compliance is good business practice for management in all industries. Most legislation and regulations are written in complex legal language that is difficult for the business to understand. It is therefore essential that these requirements are translated into plain English. We will refer to these plain English translations as “compliance obligations” and will use them to create the Compliance Footprint register. The keys to success in creating obligations from requirements are:
- The obligations need to be in simple, easy to understand language.
- There need to be as few obligations as possible. This requires, where possible, obligations generated from multiple sources to be combined into a single obligation.
This process is best performed by someone who has a Legal and/or Compliance background and yet also understands the nature and needs of the business. Again, it can be performed internally if you have the resources, or by an external expert.
It is also useful to attach other information to the obligations, including:
- Who is the primary owner, and who are the interested parties?
- An assessment of whether you are compliant with the obligation
- Date of last review (the frequency of review may be linked to the risk rating)
- What attestations are being asked for about the obligation (for UK SMCR this is a reasonable steps issue)?
- What are the key risks linked to this obligation?
- What are our key controls demonstrating compliance with the obligation?
- Have these controls been tested to our satisfaction?
So you have to ask yourself whether you have sight of how you are impacted, and of how, if left unchecked, the actions of one individual can impact your whole organisation, causing regulatory censure and scrutiny.
The next step, which is commonly overlooked, is to ensure that business processes enable continuous, ongoing compliance with obligations. This requires Governance, Tools and Training. It then needs to feed some output into the management information viewed by senior managers. Reporting on the Compliance Footprint and your internal Monitoring Plan should include the following areas:
- Aggregation of obligations by risk rating, compared to the firm’s risk appetite
- Obligations deemed non-compliant, or needing improvement, in the current state
- Alerts where a review is required or a revision is needed (along with official publication and approval, as well as firm-wide promulgation)
- Overdue or outstanding mitigation plans and their status
Many firms declare a very low or minimal risk appetite, but fail to have the framework in place to alert them to issues.
Specific requirements also apply to a firm that is seeking or maintaining an ISO certification, such as the 9001, 27001 or 31000 series. There is a need to demonstrate certain surveillance, monitoring, reporting and primary actions. For example, the ISO 31000 Risk Management: Principles and Guidelines standard sets out the following 7 steps:
- Communication and Consultation. This requires consulting with stakeholders to understand risk appetite. Risk appetite for compliance risk has been mentioned earlier.
- Understanding the Context. This requires identifying the objectives of compliance, which are commonly considered to be: to comply in order to protect the organisation from financial loss, including fines and management effort.
- Risk identification involves identifying the key risks that could lead to non-compliance with the relevant obligation. Related controls over the key risks should also be identified.
- Risk Analysis involves assessing the size of the risk. This is usually achieved by assessing the likelihood and impact of the risk.
- Risk evaluation involves the comparison of the risk against risk appetite.
- Risk Treatment, if required, involves changing the risk through internal controls, process re-engineering or avoidance.
- Monitoring and Review involves the ongoing monitoring of the risks.
Quite often, firms overlook the 5 key management processes, using the excuses of being “too small” or “we are small enough to all know what is going on”. That is fine until someone is hit by the proverbial bus and is incapacitated in some way; then a huge gap can appear in your strategy.
In addition, a failure of the 6 key review strategies can seriously compromise your business. Today, after the past 2 years of a pandemic roller coaster, no one can afford time out of the market, or to spend management time plugging the leaking ship because we failed to buy that extra tin of tar for the hull.