Better compliance, better enterprises: Four imperatives for implementers

In the recent past, compliance management has evolved to include a host of functions

Updated: Jul 15, 2015 11:21:16 AM UTC

In recent years, our perception of compliance has undergone a sea change. The traditional and narrow outlook that compliance is limited to statutory filings, required to run a business, has widened considerably. Compliance practices are now a cross-functional responsibility. They need to be integrated in the policies and procedures of various functions like HR, quality, risk, facilities, finance, delivery, sales, marketing, procurement, security and more.

Further, laws and regulations in different countries at the national, state and local levels have made compliance more complicated. Therefore, a culture must be instilled in an enterprise to ensure minimum statutory compliance and compliance with other commitments such as social, industry, client, consumer, etc. This calls for a systematic approach towards compliance management.

Non-compliance with statutory filings can lead to heavy penalties and even loss of licence to do business. Non-compliance with background check requirements, data privacy laws and standard requirements, lack of understanding of productivity commitments, lack of health and safety-related licences or expired licences, internal control failures and non-compliant vulnerable systems are some examples that lead to huge penalties, criminal prosecution, loss of trust, loss of brand value and adverse impact on business relationships. Compliance implementers must therefore be vigilant and consider these four areas in their plans:

1. Understand compliance obligations: The primary element in managing compliance is to understand your compliance obligations in the light of your strategic goals and objectives. Compliance obligations stem from laws and regulations; industry or generic standards; internal policies, processes and procedures; and contracts executed with clients and other stakeholders.

It is important to understand that obligations are either requirements or commitments. Obligations that an enterprise has no control over are termed compliance requirements, for example, those resulting from new laws and regulations. Obligations that an enterprise may choose to abide by, for example certain industry standards or best practices, are termed compliance commitments.

Here, a mechanism to ensure compliance obligations are kept up to date must be established. An enterprise may choose to restrict the scope of compliance management to compliance requirements, but for higher assurance it may include compliance commitments, too.

2. Assess risks: Once compliance obligations are established, a compliance risk assessment exercise should be undertaken to identify risks, causes, the areas they impact and the consequences thereof. A risk analysis to gain a better understanding of the risks should follow. Such an analysis should consider the factors affecting the consequences and the likelihood of these consequences occurring, as well as the controls in place. Looking at the level of risk arrived at from the analysis exercise, a compliance risk evaluation should be done to take appropriate decisions on treatment. This exercise is to prioritise the treatment; it should be used as a tool to accept compliance risks. Compliance risks analysed as low should also be monitored and subjected to corrective action.

3. Address all compliance risks: An enterprise should ensure an effective action plan to address all compliance risks with clear ownership, responsibility, accountability and closure timelines. This can be driven with ease if the enterprise ensures a documented compliance policy, objectives, processes and procedures. Further, compliance responsibilities must be clearly identified, assigned and established as part of the job descriptions at different levels.

To ensure risks are addressed effectively, the management should ensure that all employees with compliance obligations are competent. Periodic training and awareness sessions must be carried out, and any other medium to communicate assigned responsibilities should be explored. A continuous communication mechanism is required to ensure all employees understand compliance and contribute to it by reporting risks and discharging their responsibilities effectively.

4. Evaluate performance: A mechanism to measure and monitor the performance of the compliance practices and their impact on strategic goals and objectives must be developed. Developing compliance performance indicators is one of the tools. These can range from something as simple as the number of employees trained on compliance practices to mature indicators such as risks of non-compliance and trends. Feedback from clients, stakeholders, suppliers, vendors, employees and government agencies is a good source of data to ascertain compliance performance. Governance mechanisms in the form of management reviews, internal audits and periodic compliance reporting give great insights into the performance of compliance practices.

The role of compliance implementers has evolved just as radically and rapidly as has compliance itself. Clearly, compliance management is an evolving activity and requires closer attention from implementers.

- By Rajeev Thykatt, Group Leader, Risk Management, Infosys BPO

The thoughts and opinions shared here are of the author.
