In an environment where the global economic recession, the demise of major financial institutions and a changing business landscape have led to stricter regulation in major industries and countries around the world, "regulatory compliance" has become an all-important term that can make or mar an organisation and its directors.
Organisations are therefore increasingly elevating the processes and structures they need to enhance compliance with regulations. Awareness of the existing and new legislation applicable to an organisation, and of the implications of compliance or non-compliance with each provision, is a major focus area for the board.
Achieving effective regulatory compliance management within an organisation requires that the integrated roles of the key management functions, mainly Legal, Compliance, Risk and Internal Audit, be understood and enabled.
Legal / Compliance
It is the responsibility of the Legal/Compliance function to inform and train the board and management on legislation pertinent to the organisation. The core responsibilities of this function span the compilation and maintenance of a "legislative universe" for the organisation. New requirements arising from new legislation or from amendments to existing legislation should be identified, analysed and communicated to both management and the board.
The Legal/Compliance function should also work with the Risk Management function to prioritise all applicable pieces of legislation by risk, and this should be documented for monitoring purposes in a Compliance Risk Management Plan ("CRMP"). The CRMP should contain the key legislative clauses translated into plain language, the key issues, the impacted areas (processes, systems and policies), the controls, the risk exposure, the responsible parties and the monitoring plan from the business units. The CRMP should be used for ongoing monitoring and for reporting back to both management and the board. This function should also identify and report any non-compliance issues to the board.
Risk Management
The Risk Management function should support the Compliance function with the risk rating of the relevant legislation once it becomes operational in the business. The product of this process should be a compliance risk register for the regulatory universe, showing the inherent and residual rating of each piece of legislation based on impact and likelihood. The penalties (financial, imprisonment, etc.) and other business risks associated with the key provisions of the legislation should be identified and captured in the compliance risk register, as these trigger compliance action on the part of both management and the board.
Business Operational Compliance
The business units are responsible for implementing the compliance requirements identified by Legal/Compliance. Each business unit should have its own Business Operational Compliance Officer or Champion, who monitors the compliance of the unit's business processes with the legislative requirements on an operational level. Key issues arising from compliance requirements should be identified and captured in the CRMP for monitoring and reporting back to the relevant structures and the board.
Internal Audit
Internal Audit, as the assurance provider, is responsible for reviewing the adequacy and effectiveness of the controls implemented by management to ensure compliance with legislative requirements.
In conducting a review of compliance within the organisation, Internal Audit should ask the following questions:
What are the pieces of legislation that should be reviewed?
What policies and processes have been / are being put in place to cater for compliance requirements?
What new systems are being put in place to support and monitor compliance?
From this review, Internal Audit should be able to provide assurance on the level of compliance or non-compliance within the organisation, identify non-compliance issues and report them appropriately to the Compliance Officer, management and the board, as well as make recommendations that improve the processes and responsibilities around regulatory compliance.
Internal Audit is well positioned to assess the adequacy and effectiveness of management's controls over regulatory compliance; however, some organisations may decide to further upskill their internal auditors in specific compliance areas by requiring them to complete relevant certification programmes.
In the current business landscape, where legislation emerges and changes continuously and the requirements for keeping a business on the right track keep increasing, it is critical for every organisation to implement adequate and effective structures that embed and sustain a culture of compliance.
This article was written by Bukkie Adewuyi (Senior Manager: Risk Advisory at Deloitte & Touche Southern Africa).