It is often only when something goes wrong that the focus turns to compliance. Why did this happen? What went wrong? Recent corporate governance failures in Australia are a timely reminder of the need for vigilance when it comes to compliance.
It would be fair to say that in some organisations there is passive resistance to compliance. This resistance can arise for a variety of reasons. Compliance is often associated with bureaucracy, and some people find the associated tasks, such as filling out forms and record-keeping, tedious and see them as adding little or no value. There is also a common perception that compliance is a box-ticking activity that yields nothing tangible. In some cases, the resistance is active: people see compliance as a barrier to achieving their outcomes and so deliberately disregard compliance requirements.
Let’s be very clear. Organisations that ignore compliance do it at their own risk. The future of compliance is about changing the paradigm. It is about moving from a static and negative view of compliance to a dynamic and value-adding view of compliance – a positive compliance culture if you will.
So how do organisations create or restore a positive compliance culture? It all starts with the “why?” Why is compliance important to our organisation? I would suggest that there are at least four core values that are important for an organisation to embrace. A positive compliance culture is essential in bringing these values to life in the day-to-day and long-term operation of the organisation.
- Integrity is about doing the right thing, even when no one can see what we are doing. This means complying with relevant legal and regulatory requirements, professional standards and the like. These obligations are not optional. Compliance also extends to ethical and moral responsibilities. In many cases there is no law or regulation that requires us to do or not do something, but the way we conduct ourselves as an organisation reflects the value we place on integrity.
- Compliance builds trust among an organisation's stakeholders. When stakeholders know that an organisation acts within the law, abides by the relevant standards, and always endeavours to act with integrity, they are more likely to invest their trust in it. Every organisation has an implicit social and/or political licence to operate. If trust fails, that licence disappears, sometimes forever. The value of trust cannot be overstated.
- Non-compliance carries significant risk. These risks include legal action, fines, penalties, operational disruption and damage to reputation. Apart from being a product of our integrity, compliance significantly mitigates, and in many cases eliminates, the risks that arise from non-compliance. A positive risk culture goes hand in hand with a positive compliance culture. One cannot be fully achieved without the other.
- Sustaining success in the longer term is in large part determined by an organisation's approach to compliance. Non-compliance can lead to significant financial penalties, which can threaten the financial sustainability of an organisation. It can also degrade operational effectiveness: many regulations and standards exist precisely to protect operations from threats such as cyber attacks, and failing to comply with them leaves the organisation exposed to compromise or interruption. On the positive side, compliance is viewed favourably by stakeholders and potential customers and creates a foundation for growth and expansion.
So, if we understand the “why?” how do we make a positive compliance culture a reality? At a high level, there are three essential elements.
1. The “tone at the top” sets the compliance agenda for the organisation. We need leaders who lead by example, who model the highest standards of integrity, and who take a proactive approach to compliance. This means that they actively consider compliance in all decisions and actions. But more than that, they regularly communicate the importance of compliance.
2. The right tools are necessary to do a job properly. So, what do we have to do? Here are the key things:
- Record the compliance obligations to which we are subject and assign business ownership
- Identify the controls within our controls framework that address those obligations
- Using a risk-based approach, determine which compliance obligations will be monitored and how
- Have a mechanism for staff to self-report non-compliance as and when it is identified
- Have a mechanism for business areas to report non-compliance as and when it is identified
- Have a process to review non-compliance in real time
- Establish assurance mechanisms that give the organisation confidence in its compliance performance
- Have the means to provide tailored on-demand and/or scheduled reporting to relevant stakeholders
This is not a job for spreadsheets and PDFs. Technology can provide tools to perform these eight tasks efficiently and effectively.
3. We do not collect compliance information for its own sake. We collect it because we use it to inform actions, and then we act on it. These actions will include:
- Adding or editing controls
- Providing information and training to staff
- Decisively acting where intentional non-compliance has occurred, including at senior levels of the organisation
- Initiating corrective action
- Reporting non-compliance to relevant stakeholders
- Reporting per mandatory reporting obligations
- Informing compliance and other assurance programs
In summary, the future of compliance will be characterised by a more proactive approach to it by those organisations that want to succeed. Compliance will be one of the practical ways in which organisations will demonstrate their integrity, build trust, mitigate risk and create a sustainable future for themselves. This proactive approach will include creating a positive “tone at the top” when it comes to compliance. Leaders will lead by example and clear expectations will be set for everyone in the organisation. Tools will be deployed that efficiently and effectively support organisations in documenting, understanding, managing, and reporting on their compliance obligations. Compliance data will be a valuable input to inform decisions and actions. The future of compliance is here. Organisations that fail to embrace it do so at their own risk.
This article was written by Zane Edwards, Global Director of GRC at Torque Software. Zane is a chartered accountant and has 20 years' experience in government and private sector GRC management. Not only is he passionate about the digital transformation of governance, but he is also a skilled and influential communicator with extensive national and international experience across a variety of channels, including conferences, radio, television, and video.