Published On: 27.06.2020

COMPLIANCE and LEGAL (Part 1)

Summary

The compliance function often faces work overload, caused by the random delegation of duties by the management board (or its administration) and by other senior management. This leads to a constant increase in the scope of compliance work, with equal or sometimes even reduced staff and a lack of other resources. At the same time, there are gaps in understanding within the company about what the duties and responsibilities of the compliance function are supposed to be, and how our role differs in practice from legal and other functions. While compliance professionals rightfully understand their work as risk-based, cross-process and a mixture of independent advisory and controlling activity, others may think of it more linearly and narrowly: legalistically and silo-based. We speak of an organizational silo when a certain area of expertise is confined to a specific, disconnected department with fixed, narrow boundaries, although it concerns the company as a whole; such a silo does not lead to integration and cooperation, which the compliance function definitely should. This article discusses these challenges in more detail and presents proven practical approaches for facing them effectively.

Key words

Compliance, legal, risk, corporate governance, internal control system, effective management

Compliance vs. Legal

In many cases, companies face issues in differentiating the roles and responsibilities of the compliance and legal functions, and consequently arranging the workload between them becomes difficult. Solutions should be based on respecting the principles of the three lines of defence, a risk-based approach and effective management. Instead, the specific current situation, silo thinking, the perception of compliance as a variation of the legal function, or even a game of power and domination may drive the decisions. This eventually has a negative impact on effective and transparent governance, causes bad risk management and an inappropriate internal control system, and exposes the company to liability and losses.

This kind of situation may be explained by the fact that, especially in regulated financial industries, the compliance function is performed by experts with a legal background. Consequently, the lawyers in the legal department may completely desert the risk areas “covered” by compliance, so that the compliance function suddenly takes over all the legal support for that area, too. The attitude of other functions can be similar.

Unlike legal, the compliance function is one of the key functions in internal governance, as part of the internal control system and the second line of defence against risks. This key difference can be explained practically as follows. While the same would apply to various compliance risk areas (such as the prevention of money laundering, fraud etc.), let us take personal data protection as an example. If this area is primarily assigned to the compliance function, your problem may be that all other functions tend to “hand over” every issue connected to privacy to compliance, including the legal support for ensuring concrete compliance requirements in day-to-day operations (which is the basic task of the legal function and of business management). Likewise, all professional and operational issues relating to personal data protection tend to be handed over to compliance in isolation, even when they are not only questions of compliance but of a specific expert field or of implementation in a specific area of operation. For example, the risk of a personal data breach in the sales process is fully the domain of the managers and sales staff. They need to put in place and maintain the privacy requirements and controls in sales and prevent breaches. The compliance function helps them identify and assess the risks of breaching personal data, but the responsibility for the specific knowledge of how the sales activities are carried out, and therefore of where and which breaches of data protection may occur in doing so, lies with the process owners (sales, in this case). The compliance function will primarily ensure that significant changes in the legal environment are detected and will, in this respect, for example, educate the sales staff so they are able to identify the specific privacy risks associated with their activities, and help management adopt and implement appropriate rules and measures.
Compliance may also recommend specific contractual provisions, for example in the general terms and conditions of sale, but the legal support for assuring data privacy in individual cases should be provided by the legal department, because compliance needs to remain impartial and available to conduct compliance checks and audits of these processes. If compliance took part in day-to-day operations too broadly, assuring compliance ‘in the field’, it would not be able to control the compliance of these processes, which it should be doing as a control function. This is based on the governance principle of the three lines of defence against risks: the first line is the management of the business areas and functions, including the legal function and other supporting functions; the second line includes the risk management function, cyber security, quality management etc. and the compliance function; and the third line is internal audit. The body superior to these lines of defence in the internal governance system is the board, to which all three lines of defence (should) report directly and independently of each other.

The compliance function in this system of three lines of defence, unlike legal, operates within the second line:

(1) As an advisory point of contact, focused on supporting the organization in systematically ensuring and managing compliance with the requirements that apply to it, based on regulations, requirements or recommendations of a regulator etc., and

(2) As an internal control function, focused on identifying compliance issues, evaluating and managing compliance risks.

In the case of personal data protection described above, the compliance function’s activities should be focused on advising and assisting in:

  • Detecting and identifying new regulations (e.g. the GDPR)
  • Organizing the internal processes of (i) identifying the gaps between the organization’s current state of compliance and the new requirements and (ii) preparing the action plan to close these gaps (concrete compliance activities regarding the gaps identified, including a description of the activities, the persons engaged and the execution deadline)
  • Preparing presentation materials for the management board, senior management and others
  • Preparing educational material and delivering the education to the defined target groups of employees, contractors, etc.

In the activities described, the role of the compliance function should be organizational, initiating and controlling, while the role of the legal function is the familiar one: support and participation in implementing business operational activities.

Secondly, the compliance function should also carry out the following controlling and risk management activities:

  • Monitoring the implementation of the activities planned to comply with regulatory requirements (based on reporting from the appointed areas of the first line of defence, including the legal function) and reporting to the administration on the state of compliance (the readiness level for the new regulation). For the compliance function to maintain its controlling nature, its impartiality and its timely availability for control, it is not recommended that the function itself operationally executes these activities.
  • Monitoring the compliance of the actual processes, identifying and reporting issues, and monitoring the measures taken to mitigate risks or to assure compliance.

The compliance function must perform both parts in balance: the consulting and preventive part as well as the controlling part. The controlling part must not be neglected because of the excessive burden of performing operational tasks for the first line, because then the company as such does not assure the efficient operation of a significant part of the internal control system (which in the financial sector is prescribed by EU regulation, including the compliance function). Consequently, the legal function must not hand its first-line legal support over to the compliance function, since the legal function itself has no internal-control tasks and responsibilities (as the compliance function has). In this part, the compliance function does not replace or complement the legal function, but adds to the entire system of internal governance in the field of risk management and internal control. It is therefore different in its nature and basic mandate from the legal function.

Sometimes it helps to explain the reasons why the role and responsibilities of the compliance function are misunderstood by management and other functions, which subsequently imposes too many tasks outside compliance’s basic sphere of responsibility.

Below, these reasons are presented in more detail, together with some practical suggestions for resolving them, as proven in practice.

The cause / the solution example

The compliance function is a new function, often still unrecognised, so its understanding by the various departments within the company can vary widely. You might also be facing an improper position or insufficient authority in the organizational structure.

  • Regularly communicate and educate, mostly using cases that are specific and relevant to your company.
  • Be professional, but brief, concise and very concrete in your counselling; be part of the team, invest your energy in understanding the business objectives and plans, help find solutions, but remain principled in terms of compliance and business integrity, and you should be able to build genuine authority and reputation.
  • If your formal position within the company is not at a high enough level, this approach may help you achieve it more easily, but do not forget to raise the issue with your management at the right moment (use arguments from the principles of good governance and the efficiency and independence of the compliance function, which essentially protects the company and the responsible persons in it).

A poorly defined compliance function in the internal documents (classification, management policies).

  • Propose amendments to the internal documents, including the definition of the role of other areas and services in the compliance system (see e.g. ISO 19600, the EISEP template of a compliance policy, or other resources, many of which are available online); present specific compliance risk areas and use concrete cases to illustrate the role of the compliance function and of other departments or functions.

The lack of compliance risk assessments.

  • Use a structured and professional approach; draw on the existing methodologies and processes for risk assessment within the company, but adjust them to the nature of compliance risks (which should be assessed more quantitatively than qualitatively); be inclusive, using interviews and focus groups from all areas of the company in order to truly get to know them, listen to them and finally gain a very good understanding of the compliance risks throughout the company; and build your capacity to identify compliance issues and bad practices early.

The lack of an annual plan of operation, or insufficiently specified and planned activities of the compliance function.

  • Plan the specific tasks and activities of the compliance function according to the requirements of regulations, your internal policies, international standards, etc., and put emphasis on risky areas. Always plan time for unplanned ad-hoc activities in line with your past experience (such as dealing with the regulator’s controlling procedures and requirements, unexpected changes, significant internal investigations or activities associated with identified breaches, new legislation, the requirements of the Supervisory Board, etc.).

The desire to shift the liability is also a common reason.

  • A combination of the rational and grounded solutions described above and below can be effective.

Key tools, especially in communication with the management board (CEO, senior management) when presenting the argumentation for the role and differentiation of the compliance function, are:

Systematic and regular planning of compliance tasks and activities, and

Management reporting by the compliance function, based on clear and comparable indicators (such as the scope of advice provided, the alignments necessary and achieved, compliance checks and investigations, the training performed etc.). In this way, management gradually becomes more aware of what you do and of its benefits.

Other critical resources and arguments for a clearly perceived compliance function:

  1. The argument of the regulated function, derived from the EBA (European Banking Authority) guidelines on internal governance, the Basel guidelines (Compliance and the Compliance Function in Banks), and the guidelines of banking and other financial sector regulators on internal governance and the role of the compliance function.
  2. Your company’s own internal acts: the definition in the Compliance Policy and the Rules on the operation of the compliance function.
  3. The annual work plan of the compliance function (you may even have a business compliance strategy), based on the defined tasks and responsibilities and on the compliance risk assessment.
  4. The allocation plan of the existing compliance staff to all required activities and tasks in the annual planning, using FTE (Full Time Equivalent) according to the maximum available resources, calculated precisely by time; this is one way to demonstrate very transparently and mathematically the scope of work that can be managed with the existing staff.
  5. Evaluation of and reporting on the suitability and sufficiency of all resources (staff, finances, IT, authority etc.) for performing the compliance function, given the regulatory requirements and the compliance risks specific to the company. Compliance should present this to management and offer proposals regarding potential gaps. This is also a good tool for confronting the board with a necessary decision about the priorities of your company’s compliance programme, and about what compliance should or should not be doing according to them, given the limited resources (compliance should hereby clearly explain to the board what the compliance function must be doing, according to the regulations and risks).
  6. Self-assessment of the compliance programme and, eventually, an external, independent and professional assessment of the compliance programme (delivery of the Compliance Policy and Code of Conduct). This should be presented to the board together with proposals based on the gaps found (which may include e.g. better differentiation of functions, the exclusion of certain activities from the compliance function or the inclusion of others, supplementing the available resources, new or improved policies and processes, etc.).

Originally published in the Association of Serbian Banks Magazine, June 2020

About the author

Andrijana Bergant

Andrijana Bergant, LLB, MBA, AICA, is a seasoned expert with over 15 years of experience in business compliance and ethics across industries and international markets. She focuses on integrity leadership, strengthening ethical culture and business resilience, offering insights that deliver returns on integrity.


Copyright © 2024 Andrijana Bergant. All rights reserved.

Permission is granted to use, distribute, and reproduce this article in any medium, provided the source is properly cited and a link to the original article is included. Unauthorized use or duplication without proper citation is prohibited.