GRC Professional - February 2015 Edition | Page 14

Quick Tips

How to protect yourself from personal liability:

• Investigate problems thoroughly and aggressively
• Do not rest until you have resolved a problem – follow up
• Document your investigations
• Report problems to the board or to senior managers

Griffin says the game has changed in the US, and as a result, we are living in a much more aggressive enforcement environment. “It really took off after the financial crisis. Following the criticism directed at the SEC for failing to notice problems, they started to take a much harder look at companies than they had in the past. They started to take another look at who in the companies were responsible for these breaches, and the compliance officer falls into that category.”

More generally, he says the enforcement regime is tougher. “There are more investigations, more actions and higher penalties. As a consequence, the chances of a compliance officer who does not notify of a problem being caught up in a case are higher.”

Australia

This trend has not reached Australia and New Zealand yet, but that does not mean it will not in the future. Randal Dennings of law firm Clayton Utz says there is a danger of debate over mandatory self-reporting starting up again in Australia too. Mandatory self-reporting provisions would introduce greater personal risk for GRC staff and give rise to debates around personal liability. It is hard enough for risk and compliance professionals to grow trust and to get people in the business to be transparent in their dealings with them.

“In times where government is considering or actually cutting back funding for regulators, while at the same time these regulators are being pressured to get better results, there is an increased risk that these sorts of legislative-change debates might start to rear again.”

He says such a debate would be counter-productive. “It is all about encouraging people to come forward and cooperate and self-report breaches. No reasonable compliance person would say there is no place for self-reporting to regulators, but where it becomes more complex is when you have a statutory-required obligation to come forward.”

“In the UK, for example, you have a statutory reporting obligation, independent of your obligations to your organisations.”

“I think it is corrosive of a robust compliance culture within an organisation. When you are encouraging people to speak up, it would be an incredible disincentive within an Australian context if the consequences of speaking up would be mandatory reporting. People are not going to talk to you if you have a statutory obligation to talk to the regulator about it.”

The cases in the US and elsewhere have, understandably, heightened tensions in the profession. It is an unnecessary distraction in what are already very challenging conditions for many GRC professionals. While it is true that the best defence against any possible civil penalties is a robust and thoroughly documented compliance program, often these things are out of the control of the compliance manager. Personal liability does loom as one of the biggest issues facing the profession into the future.