What is the definition of Compliance?
 
Compliance is an outcome of conforming to a rule. That rule may arise from an external source such as a law or regulation, or an internal source such as a policy, code or control. Compliance with these two main sources gives rise to external and internal compliance.
The issue for an organisation is how to conform to these rules. Doing so is the key objective of a compliance function. This blog provides an overview of one of the elements that needs to be considered when building an optimal compliance function.

Understanding what the relevant rules are – plain English Obligation Registers

Before we can consider conforming to a rule, we need to comprehend what the rules are and what they mean. For external compliance, this necessitates having an understanding of relevant laws and regulations and how they apply to our organisation. This is typically achieved through an Obligations Register that contains information such as:

  • Act or regulation
  • Sections of relevant legislation
  • Penalties for non-compliance
  • Frequency that obligation occurs
  • Obligation owners and interested parties
  • Risk rating
  • Compliance status

However, these Obligation Registers are often driven from the legislation and regulations, with limited linkage to internal policies and procedures or to day-to-day activities. The Compliance team damages its own standing when it asks the business a raft of ‘compliance attestation’ questions that merely ask “Are you compliant with this legislation?”, adding no value as to what the legislation means for the organisation in practice.

An alternative approach is to start with the key obligations the organisation faces and then link each of them to both legislation and internal policies and procedures. For example, if Protection of Customer Data is the obligation, what does this practically mean for our staff in terms of their day-to-day activities?

We then link this interpretation to the various sources of our rules – Privacy legislation, PCI DSS, ISO 27000, Internal Policies and Procedures and so on. If we are unable to link every key component of the legislation to one of our plain English interpretations, then we have missed an obligation.

Any update to linked legislation, or to policies and procedures, can then trigger a review of the plain English obligation. Our approach to the Obligations register, therefore, is to add two new fields to the above list: Obligation Title and Our Interpretation. The other fields are modified to store multiple acts and sections, along with an additional field that links to the relevant policies and procedures.

Updates to the Obligations register may be maintained internally, which requires dedicated compliance or legal staff to remain aware of all relevant obligations and to process them into the register content.

Alternatively, obligation updates may be automatically processed through a subscription service with a content provider. Protecht is currently working with LexisNexis to deliver industry specific content in Protecht.ERM.

A business intelligence engine can then be used to aggregate and visually display obligations by rating, outstanding reviews and so on.

Figure: Compliance Dashboards Example – Protecht.ERM Obligations dashboard sample.

What happens after you understand what the general rules are?

Once the rules are understood, processes must be put in place to ensure the rules are met and that assurance is provided to senior management and the board. In a future article, we will explain how this can be achieved.
