While most organisations recognise the need for a compliance function, the complex nature of this essential structure renders many unsure of how to establish a comprehensive, dynamic and specific programme that addresses the basics and ensures the organisation remains compliant in all spheres.
Designing a programme or framework that identifies risks helps an organisation to prioritise these and informs the allocation of resources to mitigate these risks, in order of importance. This requires an in-depth knowledge of the regulatory environment, industry specifics as well an understanding of general compliance fundamentals that relate to all organisations.
“Many organisations leave this function to their legal department, but not all firms have a legal department, and in some cases – even in those who do – elements can be missed resulting in non-compliance with some aspects,” says Greg Chamberlin, Business Development: Compliance at LexisNexis South Africa.
Setting the tone at the top of the organisation is a starting point to establishing an effective compliance function says Chamberlin. Once the Board of Directors/C-suite management team are on board about embedding a culture of governance within the organisation, the framework for a compliance function can be established. This will facilitate the detection of non-compliant behaviour and establishment of appropriate mechanisms for compliance risk management.
The compliance function needs to be dynamic, comprehensive and able to be customised to the organisation’s specific requirements. Compliance risks that are specific to the industry that the organisation operates in, need to be identified – for example safety regulations in the manufacturing industry.
Moreover, the compliance function needs to speak to risks and regulations that surpass those pertaining to the specific industry in which the organisation operates. These include tax, human resources and general workplace legislation risks and regulations.
“A compliance function needs to ascertain the risks that apply to an organisation relating to the legal, regulatory, social and economic aspects of operations,” says Chamberlin. He gives the following pointers in this regard:
Legal and regulatory risks
Identify the industry specific, as well as the general operational regulations that apply to your organisation and ascertain the extent of the impact these have on day-to-day operations. These carry the risk of fines, penalties or even imprisonment for non-compliance.
The dynamic nature of the regulatory environment makes this aspect an onerous, yet vital facet of any compliance function. The complex and sometimes conflicting rules and regulations governing organisations, especially those who conduct international operations, can be confusing.
Financial implications and risks
Loss of public confidence or market share, economic downturns or penalties resulting from non-compliance will have a financial impact on an organisation. The compliance function needs to identify risks to future earnings.
Factors that may have an impact on business operation – such as risk of strikes or restricted supply of raw materials which could result in operational shut down – need to be identified.
Negative publicity or brand damage as a result of product failure – or even the implication of failure, as well as social media behaviour, can lead to the loss of confidence of an organisations customer base – as well as within the staff complement. Pressure to achieve transparency means that simply operating within the law is no longer considered to be good enough.
“Establishing the risks inherent to operation is a non-negotiable facet in the creation of a compliance function within an organisation and is vital in ensuring the that programme is effective,” says Chamberlin. “It is, however, probably the hardest part!”
Chamberlin says this involves not only checking boxes (which is what many companies see the compliance function as) but also finding out what those boxes are. “Establishing a compliance programme from scratch can be very daunting – and ensuring that it meets the varied needs of the organisation and is actionable and sustainable can be arduous. Organisations require a tool that takes the guess work out of this process and reduces the impact on human resources from a time point of view.”
The dynamic nature of the regulatory environment necessitates a compliance programme that can be updated based on changes within this sphere. Online tools such as Lexis® Assure manage that process with alerts notifying users of regulatory changes specific to the organisations operational industry and legal universe.
The next step, says Chamberlin, is understanding the impact of legislative changes, assessing the risk information that has been harvested and using those insights to implement the necessary changes within the organisation to ensure ongoing compliance. This can be especially challenging for organisations, especially for those who do not have a comprehensive compliance and legal division, or where the compliance function is set apart as a watch-dog function.
“Using a combination of Lexis Assure, which keeps users abreast of regulations and notifies them of changes through meaningful analyses using simple explanations that help to ascertain risk and entrench compliance, and Lexis Practical® Guidance, which provides an understanding of the law and how to implement it in practice, will take compliance from a “tick-the-box” function to one that is firmly embedded in the culture of an organisation,” says Chamberlin.
For further information visit: https://www.lexisnexis.co.za/governance-risk-and-compliance/grc-system