This is the fourth article in the series of “Learning from yourself as an expert already”. The first blog addressed Key Risk Indicators (KRI) and the second two addressed the Risk and Control Self Assessment (RCSA) process. This blog addresses Compliance Management and Compliance Risk Management.
The extent of personal compliance management depends heavily on the country in which you reside. Some countries have few rules and nature seems to take care of itself. Other countries have many laws and regulations over personal behavior, from strictly enforced speed limits to drinking laws. As an Australian, I am more used to the latter; Australia, and New South Wales in particular, is often now referred to as the “Nanny State”! Regulatory compliance requirements are everywhere!
The starting point for compliance in your personal life is, therefore, to understand the laws and regulations that are applicable to you. These are often written in a way that is not easily understood, and we have to interpret them into plain English to work out what they really mean to us. Ignorance of the law, as we know, is no defence.
Once we understand the obligations on us from the various laws, we then need to decide whether we wish to comply with all or some of the laws, or whether to sometimes or always deliberately ignore them. This will often differ depending on the law. We may choose to exceed the speed limit deliberately and maybe cross the road on a “don’t walk” but may choose to never drink and drive. This represents our appetite for compliance breaches.
Laws often represent minimum standards and minimum controls that society requires in order to manage the risk we bring to society to within the legislator’s / country’s / state’s risk appetite. A speed limit is there to manage the risk of accident from speeding and therefore represents a minimum control standard that society expects in order to meet society’s risk appetite. Where our personal risk appetite is equal to or lower than society’s, we will legitimize the speed limit and wherever possible comply. Where our personal risk appetite is greater than society’s, we will usually not legitimize the speed limit and we may well breach it. Our concern up to a certain higher speed then becomes the risk of getting caught, not of having an accident. As speed continues to increase, you begin thinking about accident risk, and this represents your personal risk appetite.
You can determine an individual’s attitude to the levels above in a work situation by asking: “Why are you ensuring compliance with (say) the AML / CTF laws?” If they say “to ensure we comply with the AML / CTF laws”, then their focus is on getting caught, being fined and so on. If they say (amongst other things) that it is “to stop terrorists killing innocent people”, then they legitimize the laws as a key control over the risk of money laundering through their organization. It is always motivational to a compliance person to demonstrate the societal impact of what they do and not just say “to ensure we comply with ….”
For those laws you wish to comply with, you then need to implement and follow processes that will allow and assist you to comply. You may use a cruise control or speed limiter as a matter of course to assist in compliance with the speed limit.
Who owns compliance? We often hear the front line business say “ask compliance, they look after that” when the front line is questioned on compliance matters. When I hear this, I often ask “so when you are driving your car and I ask you what the speed limit is, you will say – I don’t know, ask compliance in the back seat!” No! The driver is responsible for understanding the legal obligations and is responsible for ensuring compliance with them. In the same way, front line staff are responsible for knowing what compliance obligations there are on the business and are also responsible for their management.
You then need to consider how much effort you will put in to manage compliance. Where the law is a “big one” with serious repercussions from breaching, you may work backwards from the breach, identify what could cause you to potentially breach, and manage that risk. Going on a big night out without planning how you will get home is more likely to lead to drink driving, as you are pressured by having no other way to get home. This is managing compliance risks that could lead to non-compliance.
For smaller rated obligations you might do other things, such as a checklist (attestation). As an example, you may take a quick look at your car before driving off to check if the tail light is broken.
The above illustrates how we consider and manage external regulatory compliance risk in our personal lives. This should provide the blueprint for how you should set up and manage compliance and compliance risk in the business world.
Identify the external laws and regulations which apply to your organisation / business
Translate these regulations and laws into plain language “what obligation does this put on the business?”
Determine your appetite for non-compliance. Hopefully most organisations will have no appetite to not comply, but are willing to put more emphasis on the big ticket items.
Ensure that the business owns the compliance obligations and related compliance management and risk management.
Focus compliance education on “what impact this has on society” and not on “ensuring we comply”.
Build processes that meet your risk appetite. If you have no appetite to not comply, then build processes that allow you to comply.
Identify high importance obligations. This is usually done based on the consequences (fines, loss of licence, regulatory action etc.) of not complying, which are also usually commensurate with the size of impact on society if the related non-compliance incident were to occur.
Identify the risks that could lead to non-compliance and manage them as part of your enterprise risk management process through risk assessments, key risk indicators and the like.
For less important obligations, consider what other monitoring techniques you will apply such as attestations, mystery shopping, independent review etc. This will make up your compliance monitoring plan.
As with the other areas of risk management, we are often the best reference sites in our personal lives, to determine how it should be best done in our businesses.
1. KEY RISK INDICATORS: Operational Risk Management 1 – Learning from yourself as an expert already!
Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. His career includes many years working with PwC, as well as two Australian banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB).