Talking about compliance is specifically referring to regulatory compliance, that is, the procedures and best practices adopted by organizations to ensure that all their stakeholders, from partners and executives to employees and third parties with whom they have a relationship (suppliers, community, etc.), comply with the different laws, regulations, and decrees to which they are subject as an entity, as well as the policies and codes of conduct and ethics established internally.
According to the World Compliance Association (WCA), an international association whose objective is to promote, recognize, and evaluate compliance activities in organizations, compliance serves for the identification and classification of operational and legal risks faced by entities, in addition to allowing the establishment of internal mechanisms for prevention, management, control, and reaction to these risks.
And although it is not something new, compliance is becoming increasingly important for organizations due, among other reasons, to the regulatory context in which they operate, which is generally complex, demanding, and constantly evolving.
Therefore, it is necessary to adequately manage the risks associated with compliance, as this avoids infractions or inappropriate conduct that could result in fines, sanctions, financial losses, reputational damage, and loss of trust from the stakeholders with whom the organization interacts.
In this sense, it is essential to have a Compliance department that ensures compliance with all personnel's laws, regulations, decrees, and internal codes, thus guaranteeing operation under ethical and integrity principles.
In this e-book from Academia Pirani, you will learn more about compliance or regulatory compliance: what are the main functions of this department in an organization, how to manage regulatory compliance, what an ethics and transparency program is, and how to generate a compliance culture within organizations.
To ensure compliance with legal obligations and avoid incurring infractions and the materialization of risks that could affect operations, and continuity, and have criminal, economic, and reputational consequences, organizations increasingly integrate into their structure a department responsible for promoting and monitoring that integrity is always maintained and that laws, regulations, decrees, policies, and internal codes of conduct are correctly followed.
Generally, this department is led by a compliance officer, who, among other things, is characterized by:
It is important to note that the Compliance / Regulatory Compliance area must have sufficient autonomy to continuously perform its functions objectively, impartially, and independently of senior management. Therefore, it must have the necessary resources, both human, financial, and technological, to perform its work properly.
The Compliance / Regulatory Compliance area, as part of the comprehensive risk management system, is responsible for the following functions in an organization:
1. Risk identification: Identify the risks of non-compliance to which the company is exposed and advise on these risks.
2. Prevention: Design and implement effective controls to prevent the materialization of risks due to non-compliance.
3. Detection: Monitor and report on the effectiveness of the implemented controls, whether they are functioning effectively or not, and if necessary, adjust or change them.
4. Provide advice and training to employees and executives on the laws, regulations, policies, and codes of conduct that apply to the organization.
5. Interaction with regulatory bodies and supervisors: Ensure that the relationship and communication with regulatory bodies are appropriate and that compliance with the acquired obligations is ensured.
In addition to these functions, it is important that the compliance officer:
As with the different risks to which an organization is exposed, whether they are financial, information security, or AML risks, among others, compliance-related risks must be constantly managed under a methodology.
ISO 37301, published in April 2021 and which is certifiable, provides a guide and recommended best practices for the establishment, development, implementation, evaluation, and maintenance of a Compliance Management System that allows for ensuring compliance with the regulations and internal codes that are mandatory for each organization.
This standard adopts the PDCA (Plan-Do-Check-Act) Model to facilitate compliance management. Therefore, when implementing this management system in companies, it is important to take into account each of these activities:
Additionally, adequate management of the risks associated with compliance must consider these fundamental stages:
Each of these stages is key to risk management, as is constant and assertive communication with all personnel in the organization, executives, operational positions, and of course, with the various control bodies.
Technology is a great ally for managing all types of risks in organizations, including those related to regulatory compliance. Some advantages of having a technological tool for compliance management are:
These and other advantages can be achieved with the Pirani Compliance Management System, a tool with which your company can easily manage these risks and guarantee compliance with all external and internal obligations that apply to it, thus avoiding possible fines, sanctions, and damage to this image and reputation.
With Pirani, you can create all the regulations that are important for the company, as well as the regulatory risks and the controls and action plans that will help mitigate them. In addition, you can generate the reports you need from all the management carried out in just a few steps.
What are you waiting for to try our Compliance tool?
As part of Compliance in an organization, it is also necessary to have a Business Ethics and Transparency Program (PTEE), which should serve to ensure that different stakeholders, such as employees, shareholders, and contractors, act diligently in managing the risks of corruption and transnational bribery.
These two risks have become issues that affect both governments and public institutions as well as companies. Corruption is defined as the "possibility that the interests of an entity may be diverted by action or omission or that public assets may be affected to obtain a particular benefit."
Transnational bribery refers to the possibility that a legal person, through one or more of its employees, contractors, managers, or associates, gives, offers, or promises a foreign public official sum of money, valuable objects, or any other benefit or utility in exchange for the official performing, omitting or delaying any action related to their duties and in connection with an international business or transaction.
To prevent the materialization of these two risks, it is recommended to develop a PTEE, which, among other advantages, serves to protect the organization from situations that impact its image, reputation, and trust among its stakeholders.
According to Pablo Camacho, an expert in comprehensive risk management, a Business Ethics and Transparency Program must comply with the regulation of the control entities in each country, but also incorporate best practices that adapt to the needs of each company.
In this regard, it is essential to know the company's activity and its ordinary course of business, as well as to know what products and services it offers, to whom, and through what channels. Having clarity about this facilitates the evaluation of the risks to which the company is exposed and the definition of effective action plans.
On the other hand, the PTEE must adapt to the structure of corporate governance because, as Pablo assures, "the less impact the implementation of this program generates, the greater the benefit for the company."
The PTEE should include employees, suppliers, and all those who can act on behalf of the company (counterparties, legal advisors, etc.).
Other elements to consider within the PTEE are:
The culture of risk management is often one of the main difficulties faced by risk management areas in organizations, among other reasons because there is a general lack of awareness about the importance of adequate risk management for business continuity and that this process must be part of all areas: each person in their role can contribute to the identification and control of risks.
In line with this, there is often a lack of a culture of regulatory compliance because most employees do not know or are not clear about the rules, regulations, and codes of conduct that they must comply with in the performance of their duties, and therefore may incur non-compliance that represents risks for the organization.
What can be done to change this and generate a culture of compliance in organizations?
Pablo Camacho, an expert in integrated risk management, shares the following recommendations and best practices for developing and strengthening a culture of regulatory compliance:
It is important to have a clear training plan that defines the topics to be covered, the target audience, who is responsible for delivering the training, and the frequency of the training (monthly, quarterly, bi-annually, etc.).
Evaluations should also be conducted to determine if the topics covered were effectively learned and internalized by personnel. This helps identify areas where reinforcement is needed to ensure adequate regulatory compliance.
To reinforce the importance of complying with regulations and the organization's code of conduct. This can be done through newsletters, short videos, practical infographics, and other formats. The language must use is simple, easy to understand, approachable, with everyday examples and that does not allow for misinterpretation.
For there to be a true culture of compliance in the organization, it is necessary to have the support and commitment of senior management. They are the first to set an example and give due importance to the Compliance area and all the functions it carries out to ensure proper compliance with all regulations, rules, and other obligations that apply to the company.
If senior management is committed, it is easier to permeate through all other areas and make the culture of compliance part of the organization's identity.
Compliance is increasingly important for organizations because, regardless of the sector or country in which they operate, they must comply with different laws, regulations, and rules to operate under ethical and transparent principles. Therefore, it is important to: