Your company’s compliance programme may not be the easiest topic to bring up at an executive management meeting, but it probably is one of the most important.
What makes for a good compliance programme?
This topic was raised at a Krogerus Compliance Officer Roundtable that gathered a cross-section of business executives in Finland. Here is a summary of some ideas you may wish to keep in mind.
A compliance programme is a set of internal policy decisions that aims to assure a company is following all rules and regulations applicable to its business operations.
Compliance as a business function first took hold in the United States in response to several corporate scandals in the 1970s and 1980s. Over the years, it has slowly spread to Finnish shores, and has recently gained real traction.
While it is not uncommon for in-house legal counsel in Finland to take care of compliance matters, companies are increasingly hiring a compliance officer. A few Finnish companies are also considering whether to create a compliance function that is independent from the legal department.
The cornerstone of a good compliance programme is articulating the risk appetite of the company and balancing it against the risk tolerance.
The risk appetite reflects the amount of risk the company is willing to take and, respectively, the risk tolerance describes the risk capacity the company is capable to carry in pursuit of its business objectives. Risk management cannot be about avoiding all potential risks, but it should be used as a mechanism helping to prioritise identified risks.
A compliance programme is meant to support your business strategy. Therefore, risk assessment and measuring the risk appetite and risk tolerance is an integral part of the strategic planning. Once this balancing exercise has been done, the compliance programme can be tailored to meet the strategic needs and requirements of your business.
A good compliance programme identifies the inherent risks and establishes appropriate mechanisms to control them, while it acknowledges the residual risks.
The contents of the inherent risk is influenced by the company’s regulatory environment, volume and scope of activity, including products, customers and distribution channels, as well as history of compliance problems.
The residual risk is a risk that remains after controls are taken into account. Handling the residual risks means either accepting it as a part of the agreed risk appetite or reducing it by starting over the risk analysis and adding certain control mechanisms.
The key factor for establishing an independent compliance function is to clearly define its tasks, which can be challenging.
The tasks of the compliance function are defined based on the risk assessment. Therefore, the tasks should concentrate on the regulatory regimes where non-compliance would harm the business most or those areas where non-compliance is most likely to happen.
For a compliance function to be independent, it is paramount that access to the board or a sub-organ focused on risk management is secured. Also, the compliance function should be clearly fenced from the risk audit of the company.
Although the increasing amount of regulation gives rise to certain concern, there are positive sides to a well-functioning compliance. High integrity and focus on ethical values increases the pride personnel feel for their company, which, in turn, increases the commitment and efficiency.
Once risk-oriented thinking becomes established in the company’s business operations, personnel takes ownership and responsibility for compliance and ‘doing the right thing’. Feeling an important piece in the puzzle promotes the objectives of a compliance programme.
But, most importantly, there cannot be any commitment by personnel if the management commitment goes missing. The significance of the tone from the top can also be supported by empirical evidence. Therefore, setting the right corporate culture really matters.
So, while implementing a compliance programme is not easy, if done well, the rewards are multi-fold.