This is what you should know about Regulatory Compliance
Introduction
Talking about compliance is specifically referring to regulatory compliance, that is, the procedures and best practices adopted by organizations to ensure that all their stakeholders, from partners and executives to employees and third parties with whom they have a relationship (suppliers, community, etc.), comply with the different laws, regulations, and decrees to which they are subject as an entity, as well as the policies and codes of conduct and ethics established internally.
According to the World Compliance Association (WCA), an international association whose objective is to promote, recognize, and evaluate compliance activities in organizations, compliance serves for the identification and classification of operational and legal risks faced by entities, in addition to allowing the establishment of internal mechanisms for prevention, management, control, and reaction to these risks.
And although it is not something new, compliance is becoming increasingly important for organizations due, among other reasons, to the regulatory context in which they operate, which is generally complex, demanding, and constantly evolving.
Therefore, it is necessary to adequately manage the risks associated with compliance, as this avoids infractions or inappropriate conduct that could result in fines, sanctions, financial losses, reputational damage, and loss of trust from the stakeholders with whom the organization interacts.
In this sense, it is essential to have a Compliance department that ensures compliance with all personnel's laws, regulations, decrees, and internal codes, thus guaranteeing operation under ethical and integrity principles.
In this e-book from Academia Pirani, you will learn more about compliance or regulatory compliance: what are the main functions of this department in an organization, how to manage regulatory compliance, what an ethics and transparency program is, and how to generate a compliance culture within organizations.
Functions of the Regulatory Compliance area
To ensure compliance with legal obligations and avoid incurring infractions and the materialization of risks that could affect operations, and continuity, and have criminal, economic, and reputational consequences, organizations increasingly integrate into their structure a department responsible for promoting and monitoring that integrity is always maintained and that laws, regulations, decrees, policies, and internal codes of conduct are correctly followed.
Generally, this department is led by a compliance officer, who, among other things, is characterized by:
It is important to note that the Compliance / Regulatory Compliance area must have sufficient autonomy to continuously perform its functions objectively, impartially, and independently of senior management. Therefore, it must have the necessary resources, both human, financial, and technological, to perform its work properly.
What are the functions of this area and the compliance officer?
The Compliance / Regulatory Compliance area, as part of the comprehensive risk management system, is responsible for the following functions in an organization:
1. Risk identification: Identify the risks of non-compliance to which the company is exposed and advise on these risks.
2. Prevention: Design and implement effective controls to prevent the materialization of risks due to non-compliance.
3. Detection: Monitor and report on the effectiveness of the implemented controls, whether they are functioning effectively or not, and if necessary, adjust or change them.
4. Provide advice and training to employees and executives on the laws, regulations, policies, and codes of conduct that apply to the organization.
5. Interaction with regulatory bodies and supervisors: Ensure that the relationship and communication with regulatory bodies are appropriate and that compliance with the acquired obligations is ensured.
In addition to these functions, it is important that the compliance officer:
- Knows all areas that are part of the organization and the processes and procedures that are carried out.
- Is familiar with and up-to-date on all regulations and requirements that the organization is obligated to comply with. Regulatory changes are very frequent in different countries and industries.
- Conducts due diligence on third parties that have a relationship with the organization, such as suppliers and distributors, to avoid surprises that may jeopardize the organization's compliance.
- Develops and presents the regulatory compliance plan, which among other elements must include: protocols for action, the organizational code of ethics, the ethical hotline or internal reporting channel, and training programs in compliance-related topics.
- Promotes a culture of compliance at all times and acts with ethics and integrity.
Compliance Management System
As with the different risks to which an organization is exposed, whether they are financial, information security, or AML risks, among others, compliance-related risks must be constantly managed under a methodology.
ISO 37301, published in April 2021 and which is certifiable, provides a guide and recommended best practices for the establishment, development, implementation, evaluation, and maintenance of a Compliance Management System that allows for ensuring compliance with the regulations and internal codes that are mandatory for each organization.
This standard adopts the PDCA (Plan-Do-Check-Act) Model to facilitate compliance management. Therefore, when implementing this management system in companies, it is important to take into account each of these activities:
Additionally, adequate management of the risks associated with compliance must consider these fundamental stages:
- Risk identification: taking into account the organization's context and the different laws and regulations it must comply with, the compliance officer must recognize and understand the inherent risks of non-compliance.
- Risk assessment/measurement: the identified regulatory risks must be evaluated both in terms of their probability of occurrence and their impact. This assessment can be done considering regulatory, and internal indicators or, if applicable, those established by the organization's parent company.
- Risk control/mitigation: it is necessary to implement efficient controls that help prevent the materialization of identified risks or, in case they occur, serve to mitigate their impacts.
- Monitoring: this stage is fundamental to periodically understand how the risks are behaving, what is the level of exposure to them, and whether the controls are effective or need to be adjusted or changed.
Each of these stages is key to risk management, as is constant and assertive communication with all personnel in the organization, executives, operational positions, and of course, with the various control bodies.
How can compliance risk management be made simpler?
Technology is a great ally for managing all types of risks in organizations, including those related to regulatory compliance. Some advantages of having a technological tool for compliance management are:
These and other advantages can be achieved with the Pirani Compliance Management System, a tool with which your company can easily manage these risks and guarantee compliance with all external and internal obligations that apply to it, thus avoiding possible fines, sanctions, and damage to this image and reputation.
With Pirani, you can create all the regulations that are important for the company, as well as the regulatory risks and the controls and action plans that will help mitigate them. In addition, you can generate the reports you need from all the management carried out in just a few steps.
Business Ethics and Transparency Program
As part of Compliance in an organization, it is also necessary to have a Business Ethics and Transparency Program (PTEE), which should serve to ensure that different stakeholders, such as employees, shareholders, and contractors, act diligently in managing the risks of corruption and transnational bribery.
These two risks have become issues that affect both governments and public institutions as well as companies. Corruption is defined as the "possibility that the interests of an entity may be diverted by action or omission or that public assets may be affected to obtain a particular benefit."
Transnational bribery refers to the possibility that a legal person, through one or more of its employees, contractors, managers, or associates, gives, offers, or promises a foreign public official sum of money, valuable objects, or any other benefit or utility in exchange for the official performing, omitting or delaying any action related to their duties and in connection with an international business or transaction.
To prevent the materialization of these two risks, it is recommended to develop a PTEE, which, among other advantages, serves to protect the organization from situations that impact its image, reputation, and trust among its stakeholders.
What should a PTEE have?
According to Pablo Camacho, an expert in comprehensive risk management, a Business Ethics and Transparency Program must comply with the regulation of the control entities in each country, but also incorporate best practices that adapt to the needs of each company.
In this regard, it is essential to know the company's activity and its ordinary course of business, as well as to know what products and services it offers, to whom, and through what channels. Having clarity about this facilitates the evaluation of the risks to which the company is exposed and the definition of effective action plans.
On the other hand, the PTEE must adapt to the structure of corporate governance because, as Pablo assures, "the less impact the implementation of this program generates, the greater the benefit for the company."
The PTEE should include employees, suppliers, and all those who can act on behalf of the company (counterparties, legal advisors, etc.).
Other elements to consider within the PTEE are:
- Financial knowledge, that is, verifying investment means, the use of bank accounts and accounting accounts, as well as understanding financial flows in the development of the organization's activities and business.
- Frequent mapping of business relationships, which includes reviewing established relationships with state entities, individuals, political parties, and politically exposed persons (PEPs), as well as relevant links with customers, suppliers, and other representatives
- Management manual that responds to the needs of the company and incorporates the guidelines and procedures established to prevent corrupt conduct. In general, this manual should promote ethical and transparent behavior in the organization.
- Transparent accounting and financial procedures, for example, all transactions should have general or specific authorization from the responsible person; record transactions according to applicable accounting standards and periodically compare asset records with actual assets.
- Communication channels, especially having an ethics hotline for reporting or denouncing inappropriate conduct. This hotline should guarantee the anonymity of whistleblowers, the proper flow of information, and provide incentives for effective use by everyone in the company.
- Training plans to disseminate and make known the anti corruption policies and codes of conduct to all managers and employees. It is a topic that involves the entire organization, so everyone should be informed and know how to act in case of corruption or bribery.
Culture of regulatory compliance
The culture of risk management is often one of the main difficulties faced by risk management areas in organizations, among other reasons because there is a general lack of awareness about the importance of adequate risk management for business continuity and that this process must be part of all areas: each person in their role can contribute to the identification and control of risks.
In line with this, there is often a lack of a culture of regulatory compliance because most employees do not know or are not clear about the rules, regulations, and codes of conduct that they must comply with in the performance of their duties, and therefore may incur non-compliance that represents risks for the organization.
What can be done to change this and generate a culture of compliance in organizations?
Pablo Camacho, an expert in integrated risk management, shares the following recommendations and best practices for developing and strengthening a culture of regulatory compliance:
1. Compliance training programs
It is important to have a clear training plan that defines the topics to be covered, the target audience, who is responsible for delivering the training, and the frequency of the training (monthly, quarterly, bi-annually, etc.).
Evaluations should also be conducted to determine if the topics covered were effectively learned and internalized by personnel. This helps identify areas where reinforcement is needed to ensure adequate regulatory compliance.
2. Constant communication with all areas
To reinforce the importance of complying with regulations and the organization's code of conduct. This can be done through newsletters, short videos, practical infographics, and other formats. The language must use is simple, easy to understand, approachable, with everyday examples and that does not allow for misinterpretation.
3. Real commitment from senior management
For there to be a true culture of compliance in the organization, it is necessary to have the support and commitment of senior management. They are the first to set an example and give due importance to the Compliance area and all the functions it carries out to ensure proper compliance with all regulations, rules, and other obligations that apply to the company.
If senior management is committed, it is easier to permeate through all other areas and make the culture of compliance part of the organization's identity.
Conclusions
Compliance is increasingly important for organizations because, regardless of the sector or country in which they operate, they must comply with different laws, regulations, and rules to operate under ethical and transparent principles. Therefore, it is important to:
- Have a Compliance are responsible for identifying, evaluating, controlling, and monitoring the different risks that may arise from not complying with external and internal obligations of the organization.
- Have a program of business ethics and transparency that not only complies with regulations but also meets the company's needs and includes all stakeholders. Within this program, it is essential to have an ethics hotline for reporting suspicious and unethical behavior.
- Develop ongoing training and education programs to ensure that all personnel is aware of different regulations and the internal code of ethics. This creates awareness and promotes a culture of regulatory compliance.
- Leverage technological tools to more easily manage compliance risks and involve all employees.
Bibliographic reference
- Webinar Pirani: Gestión del Cumplimiento Normativo con Pablo Camacho
- World Compliance Association: Acerca del Compliance
- Especial Pirani: Norma ISO 37301 de sistemas de gestión de cumplimiento
- Captio: La importancia de una política de transparencia empresarial sólida
- Cinco Días El País: Apuntes prácticos para elaborar una estrategia empresarial de compliance
- Garberi Penal: ¿Qué es el Compliance Officer?
- Blog Pirani: Principales funciones de un compliance officer
- Blog Pirani: Ventajas de usar la tecnología para el cumplimiento normativo