With a rise in corporate fraud and pressure to comply with global regulatory requirements, building a robust compliance framework is a prerequisite to effectively manage risk. The school of thought which views compliance as an expensive proposition, given the investment required in systems, processes, reporting mechanisms and people, may need to look at it in a different light, as non-compliance costs more.
Why do compliance programmes fail to reap the desired benefits?
Despite investments being made in compliance, businesses still fall victim to fraudulent conduct. One of the fundamental reasons is the check-box outlook that companies adopt while designing and implementing their compliance framework, together with a failure to monitor and evolve it as they progress in their compliance journey.
The key to making a compliance framework a success is to consider compliance as a “business enabler”, keep it “refreshed” and measure its effectiveness.
Key elements of a compliance programme
- Written policy on code of conduct, compliance policies and procedures: Includes company policies, procedures and codified standards, serving as a rulebook for employees to comply with. These policies and procedures must be well-written and clearly communicated at the organisation as well as the functional or department level to derive greater benefit.
- Commitment to third-party oversight: Managing third-party risks remains a formidable challenge given the sheer scale of vendors, suppliers, agents, etc. of any organisation and the magnitude of business transactions involved. Third-party compliance therefore requires adequate investment in key areas: conducting due diligence, contract risk management and anti-bribery or code of ethics training, to keep in check misconduct that may originate from this source.
- Communication: Communicate the compliance programme to all relevant stakeholders – employees, customers, third-party intermediaries and counterparties. Compliance requirements must be routinely and actively communicated to all employees. To dive a little deeper, seek feedback via surveys or other mechanisms to improve and address any gaps.
- Training and education: Training must be an ongoing exercise and designed to include dilemma scenarios faced by employees, senior management, trainees, third parties etc. When situations faced in the field are included in training sessions, these become relatable and generate the required impact. Further, the format of such sessions should vary and include online as well as face-to-face trainings, the latter at least once in the annual compliance calendar.
- Reporting mechanism: Put in place a robust and appropriate mechanism to report misconduct, fraudulent conduct or unethical practices. The mechanism must safeguard anonymity and independence to encourage reporting of wrongdoing and negate fear of retaliation while reporting concerns.
- Disciplinary policy: Communicate the implications of malfeasant conduct and breach of conduct, policies or prescribed procedures. The penalties and disciplinary action must be communicated clearly, frequently, and at all levels of the organisation, including the Board of Directors.
Take a step back before implementing a compliance framework
Before implementation, it is important to carefully plan and design the compliance roadmap to ensure compliance objectives are met. Some recommendations in this direction include:
- Know your risk universe: Draft a blueprint of your compliance effort to align your compliance programme with the risk priorities of your organisation. As risks evolve with time, it is important to revise this assessment accordingly and stay relevant.
- Engagement of the Board: An effective board plays a strong role in setting the tone by reviewing the compliance effort. The Board provides guidance and oversight, and therefore must ask the right questions and seek information from senior management on design, implementation, progress and effectiveness of the programme.
- Allocating resources: Assess and allocate appropriate resources, both monetary and human. The amount to be invested in compliance would vary depending on risk assessment, business size, operating industry, applicable jurisdiction etc. Seek participation of process owners and heads of job functions in this exercise. This is critical for functions especially vulnerable to potential risks, like procurement.
- Impact measurement: Put in place valid metrics to measure the success and efficacy of the compliance framework. Clearly document your efforts and collect meaningful data on individual elements to review and assess the programme. Gauge the impact of, and value added by, the various components of your programme and modify as required.
In a nutshell, the overall rationale behind a compliance programme is simple: it is the right thing to do. The outcome of an effective compliance programme is evident, as it brings with it reduced levels of misconduct, successful regulatory inspections, improved employee morale and an overall culture of integrity, amongst others.
It is about time to re-examine and evolve your compliance programme from a tick-box approach to a meaningful compliance effort.
The blog appeared in ET CFO.com