
What is the definition of Compliance?

Compliance is an outcome of conforming to a rule. That rule may arise from an external source such as a law or regulation, or an internal source such as a policy, code or control. Compliance with these two main sources gives rise to external and internal compliance.

The issue for an organisation is how to conform to these rules. That is the key objective of a compliance function. This blog provides an overview of one of the components of compliance that needs to be considered when building an optimal compliance function.

Understanding what the relevant rules are – plain English Obligation Registers

Before we can consider conforming to a rule, we need to comprehend what the rules are and what they mean. For external compliance, this necessitates having an understanding of relevant laws and regulations and how they apply to our organisation. This is typically achieved through an Obligations Register that contains information such as:

  • Act or regulation
  • Sections of relevant legislation
  • Penalties for non-compliance
  • Frequency with which the obligation arises
  • Obligation owners and interested parties
  • Risk rating
  • Compliance status

However, these Obligation Registers are often driven by the legislation and regulations, with limited linkage to internal policies and procedures or to day-to-day activities. The Compliance team damages its own standing when it puts a raft of ‘compliance attestation’ questions to the business that merely ask “Are you compliant with this legislation?”, adding no value as to what that legislation means for the organisation in practice.

An alternative approach is to start with the key obligations the organisation faces and then link each of them to both legislation and internal policies and procedures. For example, if Protection of Customer Data is the obligation, what does it mean in practice for our staff in their day-to-day activities?

We then link this interpretation to the various sources of our rules – privacy legislation, PCI DSS, ISO 27000, internal policies and procedures and so on. If we are unable to link every key component of the legislation to a plain English interpretation, then we have missed an obligation.

Any update to linked legislation, or to a policy or procedure, can then trigger a review of the plain English obligation. Our approach to the Obligations register, therefore, is to add two new fields to the above list: Obligation Title and Our Interpretation. The other fields are modified to store multiple acts and sections, along with an additional field to link to relevant policies and procedures.
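The register described above can be modelled as a small data structure, and the two checks it enables (a legislation section with no plain English obligation linked to it is a missed obligation; a change to a linked act, standard or policy flags the linked obligations for review) are straightforward to automate. The following is an added illustration written for this page, not Protecht.ERM code or the LexisNexis content feed; the obligations, source sections, policy identifiers, owners and ratings are constructed sample data, and the privacy-legislation entry is a placeholder rather than a citation of any particular act.

```python
"""Hypothetical plain-English obligations register (added example, constructed data).

Each obligation carries the page's fields (title, interpretation, sources, linked
policies, owner, risk rating, status) and the register offers two checks:
  * uncovered_sections(): key legislation/standard sections no obligation links to
    (a missed obligation);
  * flag_source_update() / flag_policy_update(): a change to a linked source marks
    every dependent obligation as needing review.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Source:
    """A rule source: an act or standard plus the section/clause within it."""
    document: str   # e.g. "PCI DSS v4.0"
    section: str    # e.g. "Requirement 3"


@dataclass
class Obligation:
    title: str                    # "Obligation Title"
    interpretation: str           # "Our Interpretation": what staff must actually do
    sources: set[Source] = field(default_factory=set)   # acts, standards, sections
    policies: set[str] = field(default_factory=set)     # internal policy/procedure IDs
    owner: str = ""
    risk_rating: str = ""
    status: str = "unknown"       # compliance status
    review_required: bool = False


class ObligationsRegister:
    def __init__(self, obligations: list[Obligation], key_sections: list[Source]):
        self.obligations = {o.title: o for o in obligations}
        # Sections the compliance team has identified as in scope; every one of
        # them must be covered by at least one plain-English obligation.
        self.key_sections = set(key_sections)

    def uncovered_sections(self) -> set[Source]:
        """Key sections not linked to any obligation: each is a missed obligation."""
        linked = set().union(*(o.sources for o in self.obligations.values()))
        return self.key_sections - linked

    def flag_source_update(self, source: Source) -> list[str]:
        """An amended act/standard section triggers review of every linked obligation."""
        hit = [o for o in self.obligations.values() if source in o.sources]
        for o in hit:
            o.review_required = True
        return sorted(o.title for o in hit)

    def flag_policy_update(self, policy: str) -> list[str]:
        """A changed internal policy or procedure triggers review of linked obligations."""
        hit = [o for o in self.obligations.values() if policy in o.policies]
        for o in hit:
            o.review_required = True
        return sorted(o.title for o in hit)

    def outstanding_reviews(self) -> list[str]:
        return sorted(o.title for o in self.obligations.values() if o.review_required)

    def summary_by_rating(self) -> dict[str, int]:
        """Aggregate for a dashboard: number of obligations per risk rating."""
        return dict(Counter(o.risk_rating for o in self.obligations.values()))


# Constructed sample sources (hypothetical register content, not a legal citation).
PCI_REQ3 = Source("PCI DSS v4.0", "Requirement 3")            # protect stored account data
PCI_REQ8 = Source("PCI DSS v4.0", "Requirement 8")            # identify users, authenticate access
PRIVACY_BREACH = Source("Privacy legislation", "breach notification")  # placeholder
ISO_ACCESS = Source("ISO/IEC 27001", "Annex A access control")


def build_sample_register() -> ObligationsRegister:
    customer_data = Obligation(
        title="Protection of customer data",
        interpretation="Keep cardholder and personal data only in approved systems, "
                       "encrypted at rest; never copy it into email or spreadsheets; "
                       "report any suspected exposure to Security the same day.",
        sources={PCI_REQ3, PRIVACY_BREACH}, policies={"POL-DATA", "PROC-INCIDENT"},
        owner="Head of Operations", risk_rating="High", status="compliant")
    access = Obligation(
        title="Access to customer systems",
        interpretation="Unique logins, MFA for remote access, access reviews each quarter.",
        sources={PCI_REQ8}, policies={"POL-ACCESS"},
        owner="Head of IT", risk_rating="Medium", status="compliant")
    # ISO_ACCESS is in scope but nothing links to it: the coverage check should flag it.
    return ObligationsRegister([customer_data, access],
                               key_sections=[PCI_REQ3, PCI_REQ8, PRIVACY_BREACH, ISO_ACCESS])


if __name__ == "__main__":
    reg = build_sample_register()
    print("missed obligations:", reg.uncovered_sections())
    print("review after PCI Req 3 change:", reg.flag_source_update(PCI_REQ3))
    print("review after POL-ACCESS change:", reg.flag_policy_update("POL-ACCESS"))
    print("outstanding reviews:", reg.outstanding_reviews())
    print("by rating:", reg.summary_by_rating())
```

On the sample data the coverage check reports the ISO/IEC 27001 access-control entry as uncovered, which is exactly the "missed obligation" case: the section is in scope but no plain English interpretation tells staff what to do about it. Both triggers then mark the dependent obligations for review, and the rating summary is the kind of aggregate a dashboard would chart.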

Updates to the Obligations register may be maintained internally, which requires dedicated compliance or legal staff to stay aware of all relevant obligations and process them into the register content.

Alternatively, obligation updates may be automatically processed through a subscription service with a content provider. Protecht is currently working with LexisNexis to deliver industry specific content in Protecht.ERM.

A business intelligence engine can then be used to aggregate and visually display obligations by risk rating, outstanding reviews and so on.

[Image: Compliance dashboards example – Protecht.ERM Obligations dashboard sample.]

What happens after you understand what the general rules are?

Once the rules are understood, processes must be put in place to ensure the rules are met and that assurance is provided to senior management and the board.

In our next article, What is a compliance framework and what are its components, we will explain how this can be achieved.
