There are at least 8 essential components of compliance risk management programs. Risk management aims to reduce the likelihood that an organization will not achieve its goals and objectives. Compliance is the obligation to adhere to laws, regulations, contract terms, internal policies, and other requirements. Compliance risk management refers to the organizational procedures, processes and culture that reduce the likelihood of non-compliance.
With more robust privacy, anti-bribery, anti-corruption, anti-money laundering, whistleblowing, and other laws; and increased focus on environmental, social and governance (ESG) indicators, the scope of organizational compliance today is deeper and more multi-faceted.
Different statutes, frameworks and standards address different compliance matters. For instance, the International Organization for Standardization (ISO) has ISO 37001:2016 Anti-bribery Management Systems. Many jurisdictions have anti-money laundering and anti-bribery and anti-corruption statutes. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has the Internal Control – Integrated Framework (2013) for operations, reporting and compliance; and Enterprise Risk Management – Integrating with Strategy and Performance (2017) for enterprise risk management.
While there are differences in statutes, frameworks, standards and their related guidance or application, there are 8 common threads:
1. Governance and leadership — Successful compliance programs require board and senior management commitment, financial and other support, and modelling of appropriate behaviours. The tone at the top remains critical.
2. Culture and environment — Compliance is more than the individual or collective procedures, processes or internal controls. It is more than having the right words in the conflict of interest or ethics policies. The pervasive culture and operating environment must facilitate, encourage and be conducive to compliance. It is one thing to say what the procedures, policies or controls are, and another to foster the right attitude to compliance and to doing the right thing even when no one is watching.
A big part of creating the right culture and environment is enforcing the compliance program. Enforcement involves taking proportionate disciplinary or other action in response to violations, encouraging self-reporting, facilitating whistleblowing without reprisals, highlighting conformance to policies, and other measures.
3. Policies and procedures — There is no point in declaring a commitment to compliance if there are no written policies and procedures that clearly give effect to the stated commitment.
4. Risk assessment — It is not enough to have the commitment to compliance or the policies and procedures if there is a spaghetti-against-the-wall approach. Assess compliance risks: identify the likelihood or probability that non-compliance will occur and the impact on the organization if non-compliance occurs.
For instance, a construction company with little or no involvement with foreign officials may face a low to non-existent risk of non-compliance with Canada’s Corruption of Foreign Public Officials Act.
But there may be a high risk of non-compliance with laws governing fall prevention, working at heights or in confined spaces and other occupational health and safety (OHS) requirements. Furthermore, the impact of OHS non-compliance may be high or catastrophic for the organization. Non-compliance could result in death or injury to workers, imprisonment of supervisors, or massive fines that could threaten the organization’s ability to continue as a going concern. An effective compliance program measures risks and directs resources accordingly.
Risk assessment should be continuous. New threats emerge; old threats may disappear. Compliance programs must adapt and be responsive to this.
5. Training and competence — Policies and procedures or a commitment to compliance are of no use if employees, front-line managers, suppliers, and others who must enforce or adhere to the policies and procedures do not understand their obligations. While it is the organization that is, generally speaking, accountable for compliance, it relies on the competence of, and compliance by, each individual. If there is no training and awareness program, or no guidance and support on grey areas and other issues, organizational compliance is at risk.
6. Communication, information, and reporting — Whether required by law, regulation, or good practice, organizations should communicate and report on compliance metrics. At minimum, report and communicate successes, non-compliance, achievements, costs and similar metrics to the board and senior management. External obligations may require disclosure to regulatory bodies, contract partners or others.
7. Monitoring and evaluation — Monitoring is the process of collecting and evaluating feedback. Monitoring involves identifying and investigating actual or suspected non-compliance, program effectiveness, cost-benefit measures, and, in some cases, simply paying attention! For example, many organizations have whistleblower hotlines and email accounts that no one checks for extended periods.
8. Continuous improvement — Ultimately, the point of continuous risk assessment, reporting, and monitoring is to continuously improve the compliance program and ensure that it remains relevant to the risks that the organization needs to mitigate.
Dissect any effective internal control or compliance program, and you will find the essential elements described above. For further information, read the COSO frameworks referenced above and new guidance from the Society of Corporate Compliance and Ethics & Health Care Compliance Association (SCCE & HCCA) issued in November 2020 and entitled Compliance Risk Management: Applying the COSO ERM Framework at www.coso.org/Documents.
Policies and procedures are essential to internal controls, but the work required to create and maintain them can seem daunting. Finance and Accounting PolicyPro, co-marketed by First Reference and Chartered Professional Accountants Canada (CPA Canada), contains sample policies, procedures and other documents, plus authoritative commentary in the area of finance and accounting, to save you time and effort in establishing and updating your internal controls and policies. For compliance and risk management in particular, see GV 1.11 – Confidentiality and Privacy; GV 4.01 – Monitoring Laws and Regulations; GV 4.07 – Anti-bribery and Anti-corruption; GV 6.04 – Internal Control Monitoring; and Chapter 7 – Anti-money Laundering. Not a subscriber? Request a free 30-day trial of Finance and Accounting PolicyPro here.