Compliance is the act of “conforming to rules”. Deciding to, or not to, conform to rules affects the decisions we make. Compliance is therefore an integral part of decision making.
The question is “What are the rules that we will apply in our business decisions?” These rules can come from two primary sources as described by the ISO 19600 Standard: “Compliance Management Systems”. This standard recognises two main types of compliance obligations:
• Compliance Requirements: Requirements that an organisation has to comply with. These normally arise from external regulatory requirements and contractual requirements.
• Compliance Commitments: Requirements that an organisation chooses to comply with. These are normally manifested through internal policies, practices, codes of conduct, etc.
A comprehensive compliance framework covers both. Each organisation, however, chooses the level of rules that it wishes to apply in operating its business and making decisions. Three primary levels of rules are generally recognised, which give rise to the following approaches to compliance:
• “Compliance” based compliance
• “Risk” based compliance
• “Ethics” based compliance
Some experts will argue that each of these are different concepts. We do not see it that way. They are different levels of the same concept and an extension of each other. The common theme is “RISK”.
Taking an example, for each of the levels above, let’s consider driving along a suburban road which has a speed limit of 80kph.
A compliance based approach asks the question “Can We?” This simply applies the external regulatory rule. If we are travelling at 80kph or below, "We Can". If we are considering travelling above 80kph, "We Cannot". If you breach this rule, you are not compliant and may suffer the consequence. This is often the motivator to apply the “Can We?” rule.
These regulatory compliance requirements reflect the risk appetite of society in which we operate.
The attitude of an organisation to this compliance level must be manifested in the organisation’s risk appetite. If we decide to abide by the risk appetite of society, full compliance would be expected and the organisation’s appetite would read along the lines of “We have no appetite or tolerance to not comply with all applicable external regulatory and contractual compliance requirements”.
If an organisation does have an appetite to not comply with some compliance requirements, this is a reflection that the organisation is not always willing to comply with society’s risk appetite. This approach bases decisions solely on whether the law allows. i.e. Letter of the law, not the spirit.
A risk based approach starts weighing up the risks and rewards to YOU of the speed at which you travel. This is the “Should We?” question. We are now bringing in the risks and rewards of travelling at certain speeds that affect YOU directly. It is a personal focus. This could include:
For travelling below 80kph
For travelling above 80kph
This approach would involve the development of internal rules which reflect the internal risk appetite of the organisation over and above (or below) the regulatory requirements. This may include:
This approach reflects the internal appetite of the organisation, usually narrowly focused on the risks and rewards to the shareholder. If the organisation has no appetite for non-compliance with external regulations, the internal appetite will always be the lower of the regulatory requirement or a more stringent internal one.
An ethics based approach is an extension of the risk based approach. It now adds consideration of the risks and rewards of all stakeholders including customers, shareholders, society, environment, regulators, members, suppliers and so on. This is a much wider view.
In the driving example, when deciding how fast we travel we now consider the risks and rewards to:
This is the “Would I?” test. Would I travel this fast with my baby in the car? In business, this adds a further layer of risk appetite based on the risks of all stakeholders. For a Financial Institution some “Would I?” questions might be “Would I sell this insurance to my Mother?”, “Would I sell this loan to my Father?”
It is now focusing on the full spirit and not just the letter of the law.
The Australian Royal Commission into the Financial Services Industry and the Australian Prudential Regulation Authority (APRA) prudential inquiry report into the Commonwealth Bank of Australia (CBA) are focused heavily on the Can I?, Should I? and Would I? decision making tests.
APRA, calls out only the “Can I?” and “Should I?” tests. The APRA “Should I” test is a combination of the “Should I?” and “Would I?” in this blog, meaning a properly implemented risk based approach to compliance will also include the ethical approach.
In the APRA Prudential Inquiry into the CBA report, APRA called out: “However, compliance functions globally have more recently been focused, not just on evaluating with business units whether an activity or product is allowed under regulation ("Can We?") but, critically, whether they should engage in such an activity or product in the first place ("Should We?").”
“In a large organisation such as CBA, trade-off decisions are made every day at all levels. When making such decisions, a balance is required between, on the one hand, financial discipline and shareholder value considerations (the ‘voice of finance’) and, on the other, considerations of risk management, including aspects of a conduct and reputational nature (the "voice of risk"), and of good customer outcomes (the "customer voice"). Importantly, these latter considerations include the "Should We?" reflection in decisions CBA makes, especially with regard to customers.”
“Recommendation 21: CBA leadership champion the ‘should we?’ question in all interactions with customers and key decisions relating to customers.”
The above reinforces the importance of recognising the three levels of compliance: Compliance based, Risk based and Ethics based, as this is what is starting to be talked about as the three approaches to compliance. However, there is a common theme across all of them, which is “Risk”.
Firstly, for the compliance based approach, risk appetite for compliance “requirement” breaches determines this approach. If there is no appetite for compliance breaches and that is it, this supports the compliance based approach as this is the only check for the decision - Is it within regulations?
Secondly, for the risk based approach, risk and reward assessment and the setting of internal risk appetite around financial risks is required. The checks for a decision are then: 1. Does it comply with regulations? and 2. Have the risks and rewards to the organisation (mainly shareholder) been taken into account?
Lastly, for ethical based compliance, the setting of more stringent risk appetites around the risks and rewards for ALL stakeholders leads to ethical compliance. The checks for a decision are then: 1. Does it comply with regulations?, 2. Have the risks and rewards to the organisation (mainly shareholder) been taken into account? and 3. Have the risks and rewards of all stakeholders (including Customer, Society etc.) been taken into account?
Compliance is already complex.
To add more complexity by differentiating each type of compliance adds even more complexity. “Risk based compliance” covers all of them. The only difference is the level of rules and the range of stakeholders, risks and rewards you wish to apply. This is dealt with by the Can I? Should I? Would I? tests.
Instead of spending time in debating the concept of the three different types of compliance, we should focus on, and apply correctly, risk based compliance as supported by the ISO 19600 standard in order to achieve the right outcomes for all stakeholders and as a result integrate ethics deeply within our business practices, decision making and compliance.
Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. His career includes many years working with PwC, as well as two Australian banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB).