The changing role of compliance
ME PoV Summer 2018 issue
Organizations today are challenged to address a confluence of regulatory and business changes that are putting new demands on compliance. The pace of regulatory change, convergence in global regulation, and competition from new market entrants (which is driving increased consumer and technology demands) have created a complex environment for compliance leaders across all industries. With compliance now at a tipping point, the role of the Chief Compliance Officer (CCO) in the Middle East has gained more prominence and is evolving rapidly.
Adding to the challenge is the risk of reputational damage and significant financial penalties that frequently accompany compliance failures. Compliance costs and inherent risks have dictated significant changes in product offerings and business operations for some organizations, and many organizations now view compliance as an investment rather than a cost. Organizations are realizing that business and operational value, such as better quality data and an improved customer experience, can be derived from anticipating risks and meeting regulatory requirements, making compliance an increasingly integrated part of the business investment strategy.
The fact is that the world of regulatory compliance is always evolving, with requirements constantly multiplying.
To ensure adherence to increasingly stringent rules imposed across multiple jurisdictions, banks and financial services companies need to continually calibrate their compliance management function.
The role of the CCO
A Chief Compliance Officer (CCO) sits at the center of a compliance framework that demands the ability to work across functions and provides an opportunity to look at the breadth of risks facing the organization. Compliance should ideally be integrated across the business and be positioned to contribute to business decisions and adapt to the changing business and regulatory environment. With greater integration, compliance leaders can take immediate steps to enhance compliance effectiveness, efficiency, and sustainability.
Compliance officers have been tasked with an increasing number of responsibilities and have exceeded expectations in many areas.
Some of the common challenges CCOs face today include:
- Compliance landscaping
Organizations that operate across a country or in multiple countries may not have an inventory of all the obligations they are supposed to comply with. Regulations change as companies grow, and the plethora of obligations to comply with means that some get missed on occasion. The large number of federal, local, and global compliance obligations related to Corporate, Secretarial, HR, Fiscal, IT, HSE and Industry laws makes it difficult for organizations to comply with all of them consistently for a sustained period. Compliance obligations include one-time, event-based and ongoing obligations, as well as licenses, filings and statutory dues, all of which need to be tracked and acted upon in a timely manner.
- Inconsistency in understanding/ interpretation of compliance requirements
Many laws and regulations are complex to understand and may be open to multiple interpretations. In the absence of expert advice, organizations may make incorrect decisions that can result in heavy fines or penalties. For instance, the recently introduced VAT regulations in the UAE may be interpreted in different ways, and a misreading can lead to non-compliance.
- Compliance ownership
Ambiguity with respect to the ownership of certain compliance obligations is a very common challenge across all sectors and can expose organizations to the risk of non-compliance. In the absence of a centralized responsibility tracker, obligations that nobody clearly owns or is accountable for are often missed. Leading organizations that run effective compliance programs define responsibilities and Key Performance Indicators that help control such risks.
- Compliance reporting
With multiple locations and multiple compliance requirements, it becomes increasingly difficult for organizations to monitor compliance and report to top management on a day-to-day basis using manual processes, and reporting based on incomplete or stale information may lead to incorrect decision-making.
- Continuous monitoring
Most organizations think of compliance as a one-time activity. In today's environment, however, laws and regulations change every day, and organizations are expanding into new geographies or diversifying into other industries, which makes the compliance landscape very dynamic. Organizations therefore need to develop a model that is agile enough to respond to these changes.
In today’s age of accelerating regulation and scrutiny, leading organizations understand that the human and financial capital required to build a strong corporate governance infrastructure can be turned into long-term investment that can create value and contribute to the bottom line.
Development and automation of a compliance framework significantly speeds up the internal processes across businesses and locations by providing senior management with a one-stop view of the organization’s compliance status through comprehensive compliance dashboards and reports.
A framework for compliance encompasses multiple components that drive prevention, detection and response across the three lines of defense. In a compliance framework, the business process owners are the first line of defense, the compliance and centralized risk management functions are the second line of defense, and internal audit is the third line.
Each line of defense plays an important role in the organization’s overall compliance framework and governance.
The three lines of defense model aids organizations in promoting compliance agility, identifying emerging risks, and clarifying the compliance program’s strengths and weaknesses.
Key industry concerns
- Are there any benchmark standards to be referred to while designing the compliance program?
One of the leading and most commonly adopted standards in Compliance is ISO 19600:2014 Compliance Management Systems. ISO 19600 is an international standard that has incorporated a high-level structure developed by ISO to improve alignment among its International Standards for management systems. In addition to its generic guidance on a compliance management system, this International Standard also provides a framework to assist in the implementation of specific compliance related requirements in any management system.
Organizations that have not adopted management system standards or a compliance management framework can easily adopt this International Standard as a stand-alone guidance within their organization.
This International Standard is suitable to enhance the compliance-related requirements in other management systems and to assist an organization in improving the overall management of all its compliance obligations.
- How to ensure 100 percent comprehensiveness?
The organization should systematically identify its compliance obligations and their implications for its activities, products and services. The organization should take these obligations into account when establishing, developing, implementing, evaluating, maintaining and improving its compliance management system.
The organization should document its compliance obligations in a manner that is appropriate to its size, complexity, structure and operations. The compliance landscape is dynamic. It is critical to continuously monitor changes in the internal and external environment that trigger new or altered compliance obligations, in order to keep the inventory comprehensive and up to date at all times.
- Are there any sources in the region that we can refer to while building the repository?
It is difficult to find all the updates under one umbrella, so it is important for every organization to maintain its own tracker of the sources of compliance obligations that are relevant to its industry and business. Examples of such sources include the websites of regulators, the mailing lists of relevant regulators, and membership of professional groups.
While there is no one-size-fits-all approach to a compliance structure, organizations that fully understand their regulatory requirements (including emerging regulatory changes and challenges), their history, people, technology, control coverage and risks are well positioned to assess whether changes to the program infrastructure are required to keep pace with the dynamic environment.
by Hossam Samy, Principal, and Disha Rustagi, Manager, Risk Advisory, Deloitte Middle East