What is the definition of Compliance?

Compliance is an outcome of conforming to a rule. That rule may arise from an external source such as a law or regulation, or an internal source such as a policy, code or control. Compliance with these two main sources gives rise to external and internal compliance.

The issue for an organisation is how to conform to these rules. That is the key objective of a compliance function. This blog provides an overview of one of the components of compliance that need to be considered when building an optimal compliance function.

Understanding what the relevant rules are – plain English Obligation Registers

Before we can consider conforming to a rule, we need to comprehend what the rules are and what they mean. For external compliance, this necessitates having an understanding of relevant laws and regulations and how they apply to our organisation. This is typically achieved through an Obligations Register that contains information such as:

  • Act or regulation
  • Sections of relevant legislation
  • Penalties for non-compliance
  • Frequency that obligation occurs
  • Obligation owners and interested parties
  • Risk rating
  • Compliance status

However, these Obligation Registers are often driven from the legislation and regulations with limited linkage to internal policies and procedures or day-to-day activities. The Compliance team damages its own standing when it sends the business a raft of ‘compliance attestation’ questions that merely ask “Are you compliant with this legislation?”, adding no value as to what the legislation means for the organisation in practice.

An alternative approach is to start with the key obligations the organisation faces and then link each of them to both legislation and internal policies and procedures. For example, if Protection of Customer Data is the obligation, what does this mean in practice for our staff in their day-to-day activities?

We then link this interpretation to the various sources of our rules – Privacy legislation, PCI DSS, ISO 27000, Internal Policies and Procedures and so on. If we are unable to link all key components of the legislation to our plain English interpretations – then we have missed an obligation.

Any update to linked legislation, policies or procedures can then trigger a review of the plain English obligation. Our approach to the Obligations Register is therefore to add two new fields to the above list: Obligation Title and Our Interpretation. The other fields are modified to store multiple acts and sections, and an additional field links each obligation to the relevant policies and procedures.
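To make the register structure concrete, here is an added example (not Protecht's code, and not part of the original post) that models the plain English register described above with constructed acts, sections and policy names, then performs the two checks the text relies on: finding key sections that no obligation links to (a missed obligation) and listing the obligations whose interpretation needs review after a linked act or policy changes.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Obligation:
    """One row of the plain English Obligations Register."""
    title: str                      # Obligation Title
    interpretation: str             # Our Interpretation, in plain English
    sections: dict[str, set[str]] = field(default_factory=dict)  # act -> linked sections
    policies: set[str] = field(default_factory=set)              # linked internal policies
    owner: str = ""
    risk_rating: str = "medium"
    status: str = "under review"


# Constructed sample register; the acts, section numbers and policy IDs are hypothetical.
REGISTER = [
    Obligation("Protection of customer data",
               "Store customer records only in approved systems; never send them to personal email.",
               {"Privacy Act": {"s12", "s13"}, "PCI DSS": {"3.4"}},
               {"POL-INFOSEC-01"}, owner="CISO", risk_rating="high", status="compliant"),
    Obligation("Breach notification",
               "Report any suspected loss of customer data to the privacy officer within 24 hours.",
               {"Privacy Act": {"s26"}}, {"POL-IR-02"}, owner="Privacy Officer", risk_rating="high"),
]

# Constructed index of the key sections each source contains (what the register must cover).
KEY_SECTIONS = {"Privacy Act": {"s12", "s13", "s26", "s30"}, "PCI DSS": {"3.4", "8.2"}}


def missed_obligations(register: list[Obligation], key_sections: dict[str, set[str]]) -> dict[str, list[str]]:
    """Key sections that no obligation links to; each one is a missed obligation."""
    linked: dict[str, set[str]] = {}
    for ob in register:
        for act, secs in ob.sections.items():
            linked.setdefault(act, set()).update(secs)
    gaps = {act: sorted(secs - linked.get(act, set())) for act, secs in key_sections.items()}
    return {act: secs for act, secs in gaps.items() if secs}


def review_triggered_by(register: list[Obligation], act: str | None = None,
                        policy: str | None = None) -> list[str]:
    """Titles of obligations whose interpretation must be reviewed after a change to an act or policy."""
    return sorted(ob.title for ob in register
                  if (act is not None and act in ob.sections)
                  or (policy is not None and policy in ob.policies))


if __name__ == "__main__":
    print("Missed obligations:", missed_obligations(REGISTER, KEY_SECTIONS))
    print("Review after Privacy Act change:", review_triggered_by(REGISTER, act="Privacy Act"))
```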

Updates to the Obligations Register may be maintained internally, which requires dedicated compliance or legal staff to remain aware of all relevant obligations and process them into the register content.

Alternatively, obligation updates may be automatically processed through a subscription service with a content provider. Protecht is currently working with LexisNexis to deliver industry specific content in Protecht.ERM.

A business intelligence engine can then be used to aggregate and visually display obligations by risk rating, outstanding reviews and so on.

Figure: Compliance dashboards example (Protecht.ERM Obligations dashboard sample).

What happens after you understand what the general rules are?

Once the rules are understood, processes must be put in place to ensure the rules are met and that assurance is provided to senior management and the board.

In our next article, What is a compliance framework and what are its components, we will explain how this can be achieved.
