Leveraging on Compliance Risk Management to Create Value

Eneni Oduwole, April 10, 2013



FITC Compliance Risk Mgt Workshop - April 2013

Outline

Introduction

Risk-based Approach

Functions of a Compliance Department

Roles of the Board and Management

Internal and External Drivers

Risks and Consequences for Non-Compliance

Required Measures

Developing an Effective Programme

Integrating Compliance with ERM


What is Compliance?

According to the International Compliance Association, the term Compliance describes the ability to act according to an order, set of rules or request. In business, it operates at two levels:

Level 1: Compliance with the external rules that are imposed upon an organisation as a whole

Level 2: Compliance with internal systems of control that are imposed to achieve compliance with the externally imposed rules

Investorwords.com describes it as “The state of being in accordance with the relevant Federal or regional authorities and their requirements.”

In summary, Compliance describes the act of adhering to a pre-determined set of rules, whether they are internal policies and procedures or externally driven statutory or regulatory guidelines and rules. Compliance also assures that best practices are upheld in the organization.

Compliance Risk is defined as the current and prospective risk to earnings or capital arising from violations of or non-conformance with set rules and regulations, best practices, internal policies, and ethical standards. Compliance Risk also arises where the laws governing products or services offered by the organization are vague or untested.


Risk-based Compliance Approach

Enables expedient deployment of resources to specific / required areas

Puts in place steps for identifying and assessing compliance risk exposures

Ensures the application of appropriate compliance measures for controlling related risks

Benefits:

Tailored compliance strategies for effectively dealing with key compliance risks

Efficiency gains; improved compliance adherence outcomes

Reduced financial losses

Greater business support for compliance risk management processes by business


Functions of a Compliance Department

Identification of Related Risks: recognize regulatory risk exposures in an organisation and advise accordingly

Awareness: Establish and communicate the organization’s compliance policy to ensure that it is observed

Monitoring and Detection: continuously review and report on the effectiveness of controls put in place to assure effective Compliance Risk Management

Prevention: ensure design and implementation of controls that would protect an organisation from Compliance Risk exposures

Resolution: have strategies in place to ensure timely management and redress of Compliance Risk exposures as they crystallize or are identified

Consultation: provide advice to the Board and Management of the organization on new trends, risks identified and controls required


Roles and Responsibilities of the Board and Mgt in Regulatory Compliance

The Board

• Oversight function over all compliance functions in the Bank

• Reviews Compliance reports periodically at Board meetings to ensure that the organization complies with all regulatory and internal procedures

• Ensures that the provisions of the organization’s Compliance policy are strictly adhered to

Management

• Ensures the execution of and adherence to the Compliance Policy stipulations

• Ensures a centrally controlled Compliance function led by a Chief Compliance Officer exists to manage compliance exposures organization-wide

• Provides sufficient resources and ensures that compliance functions are properly carried out, staff are adequately trained, and the periodic audit of the compliance function and framework is conducted


What drives Compliance Exposure Internally and Externally?

Internal Policies

These ensure that all staff comply with the organization’s internal rules and regulations that govern its business model, corporate objectives, ethical standards, Code of Corporate Governance and the Code of Professional Conduct

The Chief Compliance Officer should monitor the development and implementation of these policies and ensure consistency with regulatory and legal stipulations; the Compliance Group in liaison with Management should ensure that no regulatory guideline is violated or breached in the implementation of its internal policies and procedures

Corporate Governance should be ensured in the development and implementation of internal policies, and all Members of staff should comply with all internal policies


What drives Compliance Exposure Internally and Externally? (cont’d)

Laws and Regulatory Guidelines

The Compliance function advises on and monitors adherence to all legal, statutory and regulatory guidelines affecting the organization, ensuring that transparent practices fashioned along local / international regulatory standards and global best control practices are upheld

Compliance with the Code of Corporate Governance issued by key local regulators (such as the Securities and Exchange Commission and the Central Bank of Nigeria) and globally accepted standards such as Sarbanes-Oxley should be taken into consideration in drafting the policies and procedures of the organization

The Compliance function should ensure that all stakeholders are aware and adhere to local and international regulatory requirements; it is important that policies are drafted in line with relevant local regulations in all jurisdictions where the organization is operational


What drives Compliance Exposure Internally and Externally? (cont’d)

Laws and Regulatory Guidelines (cont’d)

The guidelines of the key regulators in the home country of the organization must be upheld at all times

Periodical review and update of all laws, policies and regulations affecting the organization should be ensured

Compliance levels organization-wide should be ascertained, and staff notified of new and revised policies and laws


What drives Compliance Exposure Internally and Externally? (cont’d)

Rendition of Returns

All regulatory and statutory returns and reports should be rendered to regulators and law enforcement agencies as and when due, to improve the organization’s rating by regulators and minimize sanctions and penalties against the organisation

Maintaining a tracking system that would ensure timely and correct rendition of returns is required

Business areas that breach the stipulated timelines should be appropriately sanctioned to ensure that the discipline required is inculcated organization-wide


What drives Compliance Exposure Internally and Externally? (cont’d)

Relationship Management

The Compliance function ensures timely and satisfactory responses are provided to regulatory enquiries in compliance with the laws and regulatory requirements

It liaises with external regulators and law enforcement agencies on its compliance responsibilities by maintaining an open, honest and transparent relationship with these authorities


Risks and Consequences for Non-Compliance

Sanctions and penalties

Increased customer complaints

Costly errors made by the organization

Financial losses / Increased expenses

Poor rating by External Auditors, Regulators and Rating Agencies

Loss of licence


Required Compliance Measures

Advice – Agencies respond to direct requests for advice or proactively make contact with people or businesses to inform them of their obligations

Guidance material – These materials are made available on agency websites or through pamphlets to explain requirements

Education campaigns – Agencies advertise to inform people and businesses about laws to persuade them to comply; these campaigns usually explain the reasons why regulations are in place or the negative impacts of non-compliance

Warnings or cautions – A person or business is warned or cautioned that they have not complied with regulatory requirements and that they may be penalised for this


Required Compliance Measures (cont’d)

Monitoring measures (data collection, auditing and inspection) – Data collection from people and businesses for regulatory compliance purposes; Auditing / spot checks of the regulatory compliance records of people and businesses; Inspection of the activities of people or business to check compliance with the regulations

Publication of names of offenders – Review details of people or businesses that have breached regulations

Enforceable undertakings – After a requirement is breached, some agencies accept undertakings from non-compliers to do certain things to remedy breaches; penalties exist for failure to comply


Required Compliance Measures (cont’d)

Improvement notices – An agency requires a person or business to comply with a requirement within a specified time frame with a failure to do so resulting in a penalty

Prohibition notices – An agency requires a person or business to stop an activity where a regulatory breach has occurred; the activity can continue when the breach has been remedied

Penalty notices – An ‘on the spot fine’ is given for a breach of a regulatory requirement; the person or business is required to pay or elect to challenge it in court

Civil pecuniary penalties – A right created under legislation for a person or business to claim compensation from another party for a regulatory breach


Required Compliance Measures (cont’d)

Injunctions – A court order that stops a person or business from continuing to do a particular thing after a regulatory breach

Negative licences – The person is restricted from undertaking an activity that otherwise requires no authorisation

Action against licences/accreditation/certification – The authorisation of a person or business to undertake an activity is restricted or withdrawn after a failure to comply with the conditions of the authorisation

Criminal prosecution – Legal proceedings are brought by the agency against a person or business because the law has been broken; a decision to prosecute is made when it is considered to be in the public interest; a range of very serious penalties can be given to a person found guilty of a criminal offence including large fines and imprisonment


Developing an Effective Compliance Programme

• Describe the meaning of compliance for your organisation and its response to its relevant demands

• Know what drives your compliance exposure both locally and abroad; internally and externally

• Identify the risks and consequences of non-compliance on the continued existence of your organization

• Appreciate and demonstrate in simple understandable ways, the relationship between corporate governance, risk management and compliance (GRC)


Developing an Effective Compliance Programme (cont’d)

• Ensure delineation of the roles and responsibilities of the Board of Directors and Management in managing Compliance Risk

• Understand the implications of regulatory guidelines for corporate accountability and ethical behaviour

• Develop an effective fit-for-purpose compliance

• Ensure full integration of the organization’s ERM in optimising relevant structures and procedures for both compliance and proactive risk management


Integrating Compliance with ERM

Largely driven by IT Compliance strategies

Ensure that ERM systems have modules for monitoring compliance with internal and external policies

IT Governance strategies should take into consideration procedures that drive and monitor Compliance risks organization-wide

IT should drive the integration of Governance, ERM and Compliance for optimal output and value add from these three key elements of business management to the success of the organization

Assures proactive and holistic risk management


Integrating Compliance with ERM for Proactive Risk Management


“You cannot allow any of your people to avoid the brutal facts. If they start living in a dream world, it’s going to be bad.” – General James “Mad Dog” Mattis

“The fact was that I was not a master of my actions, because I was not so insane as to attempt to bend events to conform to my policies. On the contrary, I bent my policies to accord with the unforeseen shape of events” – Napoleon Bonaparte


References

www.grc-resource.com

www.betterregulation.nsw.gov.au

Thank You...Contact Details

[email protected]@yahoo.co.uk