Friction-based Compliance | Page 2

Purpose
Risk management
If the compliance programme is not carefully calibrated to the risk the organisation faces, unnecessary and overly strict requirements can create myriad problems. These range from the obvious (additional bureaucracy and a less agile organisation, leading to lost business or increased costs) to the less obvious, for example, poorly understood compliance requirements damaging the culture of the organisation or simply being ignored. The result could be the creation of exactly the kind of legal risk the programme should be designed to mitigate.
A friction-based model
The best compliance programmes are specifically tailored to the organisation’s risks, with requirements that have a calibrated degree of ‘friction’. That is, higher risk business activity encounters greater organisational friction and lower risk activity encounters less. At one end of the scale, the friction is insurmountable: for example, patently illegal conduct is not possible because of a range of prohibitions, barrier controls and approvals. At the other end of the scale, employees are empowered to do business with minimal or no friction at all.
Done well, this will result in a compliance programme which mitigates and manages compliance risk, is well understood and followed by staff, generates little adverse ‘noise’ within the organisation and does not get in the way of legitimate business activity.
Friction appears in many forms within an organisation. The level of friction will influence how challenging tasks are to complete. The best compliance programmes will identify the most appropriate friction-based restrictions for the risk being managed.
At the lower risk end of the scale, organisations can use a wide variety of tools to create friction, for example:
• rules-based systems of requirements that employees must follow, such as rules around expenses or gifts and entertainment
• automated barrier controls that prevent violations of compliance requirements, such as financial systems that require multiple authorisations to complete transactions above a certain value
• approvals from senior management or ‘functional assurance’ from specific functional teams
• ‘passport to work’ systems that specify certain requirements that employees must meet in order to log on to systems or enter secure premises, for example, the completion of mandatory training.
Rewarding compliance
Many organisations already have provisions allowing them to take disciplinary action for non-compliance, but few reward whistleblowers or hold over remuneration for employees working on projects where compliance issues may take longer to surface. Often those responsible for special projects, such as corporate transactions, will move on once the project is complete, leaving operational teams to deal with any embedded compliance issues.
Where employees are remunerated on a success or commission basis, it is particularly important to understand the balance of incentives. Employees whose personal financial reward depends upon completing a sale or transaction may well find it harder to make an ethical or compliant decision that jeopardises that reward, particularly where they have already invested a significant amount of time. Organisations should consider adding effective incentives for compliance, or reducing the proportion of reward that is contingent on the success of risk-taking activity.
The hardest to implement but most valuable tool is culture. The culture of an organisation can provide agile, risk-appropriate friction in almost every situation. If the culture is strong, employees will resist improper conduct even where the organisation has not had the foresight to assess and codify rules around that conduct. On the other hand, where a requirement is ineffective or unnecessary, they will understand how to properly challenge and change that requirement, without creating additional risk.
However, culture alone is not sufficient; it only works if the people within that culture have a strong understanding of the compliance risks. For example, a speak-up culture is ineffective if people cannot accurately decide when to speak up, either failing to when it is needed, or doing so when it is not.
Effective implementation
Movement towards a truly friction-based compliance programme requires senior leadership. Risk committees, directors, executives and compliance officers have a key role to play, with the ability to ask: ‘What are the risks? What are the controls or mitigations in place? And is the friction that those controls create appropriate for the risk in question?’
In doing so, they move away from dashboards, bowtie diagrams and statistics, to focus on understanding the actual control framework in plain English, allowing them to properly discharge their legal, employment and fiduciary duties.
govcompmag.com 43