The Tribune

It may well be the misalignment between culture and strategy that poses the largest workforce-related risk management challenge. The abundance of global regulations, rules and guidance, as well as stakeholder expectations, puts companies at a greater risk of non-compliance than ever before. The merging of international regulations, as well as the expansion of businesses into new and affiliated industries, has increased the need to review compliance risks in a broader context.

In the first article of this two-part series, I discussed in brief how:

• The Top is the Guiding Light. This is where Boards and senior management provide direction, vision and leadership for employees to follow, while simultaneously giving directors executives their key responsibilities.

• Making Compliance Everybody’s Business from the time they join the company, right through their employment, and when transitioning to another opportunity.

In today’s article, I will provide two further tips for your institution to consider as a catalyst to ensuring compliance is compatible.

Compliance risk assessments

Two very well-known risk assessments are enterprise risk assessments and internal audit risk assessments. Strategic, operational, financial and compliance risks are identified through enterprise risk assessments. Financial statement risks, and other operational and compliance risks, tend to be included in a conventional internal audit risk assessment. Although both enterprise risk assessments and internal audit risk assessments do identify compliance risk, they are not typically designed to identify specific legal and compliance risks at a granular level. A compliance risk assessment, on the other hand, identifies, prioritises and assigns accountability for managing potential or existing legal or policy non-compliance, and ethical misconduct, that may result in fines or penalties, a damaged reputation, or inability to operate in crucial markets. Moreover, unlike the enterprise risk assessments that are owned by the chief risk officer and/or the chief financial officer, and the internal audit risk assessment that is owned by the chief audit executive, the compliance risk assessment is owned by the chief compliance officer.

A culture of ethics and compliance should be at the core of the compliance risk assessment. Its scope should also include all laws and regulations with which the company must comply wherever it conducts business, as well as critical company policies whether or not they are via Act, regulation, rule or guidelines.

Testing and monitor the compliance environment

An ineffective testing and monitoring programme can have an adverse effect on other elements of the compliance programme. Testing is essential for understanding what is working and what to be improved. Equally, the advantages of vigorous monitoring programmes are that they serve as early warning systems that permit compliance professionals to identify potential compliance issues earlier rather than later. It is imperative to appreciate that testing and monitoring work together, and one cannot be optimised without the other. For clarity, testing involves a risk-based process that gauges and reports on the operating effectiveness of compliance controls and/or adherence to stated policies and procedures. Conversely, monitoring entails the continuous review and analysis of key business metrics and risks, so as to identify potential compliance violations.

Conclusion

In this rapidly-changing environment, compliance and ethics need to become strategic partners for top executives so they can facilitate their companies’ transformations. To establish an enterprise anchored in an effective compliance programme, it is essential to create a strong guiding light (tone at the top). Then ensure every level of the company appreciates their role. Additionally, incorporate well-designed compliance risk assessments led and owned by the chief compliance officer. Finally, make certain the compliance programme is both tested and monitored.

NB: About Derek Smith Jr

Derek Smith Jr. has been a governance, risk and compliance professional for more than 20 years. He has held positions at a TerraLex member law firm, a Wolfsburg Group member bank and a ‘big four’ accounting firm. Mr Smith is a certified anti-money laundering specialist (CAMS), and the compliance officer and money laundering reporting officer (MLRO) for CG Atlantic’s family of companies (member of Coralisle Group) for The Bahamas and Turks & Caic