The study covered banks, insurers, and securities firms in 17 countries and was undertaken through face-to-face interviews with the senior compliance executives of 73 internationally-active and major domestic institutions.
Respondents expressed concern about the increasing complexity of the regulatory environment which they said was severely exacerbated when operating across borders and across businesses.
It would appear compliance functions can find themselves stuck between management’s belief that the function plays a pivotal role in managing reputational risk and a rising expectation bar on the part of regulators and other stakeholders.
Given this, compliance functions could be forgiven for attempting to rein in the scope of their responsibilities. Instead the study showed the role of the compliance function is perceptibly expanding along a spectrum ranging from a ‘police officer’ to a trusted adviser, to business management.
Defining compliance risk
‘Compliance risk’ in its broadest sense encompasses anything from tax through health and safety to conduct of business rules. Non-compliance in any area could damage an organisation’s reputation with stakeholders.
Management needs to gain a holistic view of the organisation’s risks within the context of prevailing regulations and put in place policies and internal control processes and procedures.
A clear delineation of its responsibilities within the overall control framework is essential for the compliance function. For example, it’s important to clarify who monitors transactions on a daily basis, who then checks this process is working effectively and who ultimately determines whether it operates well in the context of overall compliance activities.
Clearly, an understanding of what differentiates the compliance function from other functions is also important. Its role needs to be both ‘real-time’ and forward-looking.
Compliance risk management
Managing all compliance risks to an equivalent extent would be unnecessary, costly and inefficient. 41 per cent of study respondents indicated their organisations are increasingly adopting a risk-based approach to compliance risk management.
However, there was limited evidence of organisations undertaking a comprehensive assessment of the compliance risks they face in order to implement effective risk-based processes. Furthermore, this approach requires initial risk assessment and iterative reassessment. Here the study revealed several potential causes for concern.
The compliance function’s access and/or reporting to the board was not always direct or frequent, even though changing regulations, together with changing stakeholder expectations, suggest the compliance risk profile should be kept constantly under review by both management and the board.
In parallel, compliance officers often showed limited awareness of the needs of the broader range of external stakeholders. For example, very few respondents felt the compliance function’s goals should incorporate protecting customers’ interests or building client confidence in the organisation.
Compliance officers were not always involved in monitoring regulatory developments and assessing their impact on the business, nor extensively involved in interfacing with the regulator.
Reduce the risk
A risk-based approach recognises that breaches are not totally avoidable in complex regulatory environments, but the essential point is to reduce the chances of such incidents occurring and to mitigate their impact when they do. The study revealed that many organisations are focusing on taking steps to ingrain and/or strengthen their compliance culture.
To do this, some organisations are relying heavily on global compliance policies to promote common appreciation of their internal compliance requirements. However, such policies can seriously downplay the intricacies of local regulatory requirements.
Recognising this, other organisations are now rationalising their approach, keeping global generic policies in only a few selected areas and encouraging significant tailoring to local rules.
The approach of the compliance function here though has to be balanced against local societal and business receptivity to the compliance culture. In certain business areas, or geographic locations, the compliance function needs greater emphasis on ‘policing’ rather than ‘counselling’.
Compliant behaviour
A compliance culture is good but compliant behaviour is better. These are not necessarily the same thing. People may want to do the right thing but be hindered by practices and processes not designed to be inherently compliant.
A patchwork of legacy systems, and business processes and internal controls geared towards outdated ways of doing business, cannot achieve optimal compliance results.
The growing role of the compliance function as a trusted adviser in new business ventures suggests increased recognition of the benefits of being compliant from the outset. The extent of the compliance function’s involvement ranged from a veto possibility to just being informed.
Concerns were sometimes raised about the pragmatism the compliance function displayed. Also, the study showed only 30 per cent of respondents were systematically involved in IT systems development or upgrades, raising the question of how many projects have to go back to the drawing board when they are found to be non-compliant.
Understanding the value
The majority of respondents stressed the difficulties of measuring the potential damage of events that didn’t happen. Compliance officers realise that not quantifying the value could relegate the compliance function from management’s priority list.
Among international institutions, increasing consideration is being given to the means by which to measure the value. Some organisations have been using generic performance indicators for some time but are looking to improve their granularity.
The report highlights certain measures currently being used but this is an area where more work is needed.
The role of the compliance officers and functions is likely to continue to evolve in the coming years. Compliance functions can play a critical and unique role in helping management ensure the safety and soundness of operations.
However, determining the responsibilities of the compliance function will remain a question of balance: weighing the ‘police officer’ and ‘counsellor’ roles against the organisation’s increasing ability to operate compliantly.
John Tattersall is chairman of PricewaterhouseCoopers Financial Services Regulatory practice
Wendy Reed is senior manager at PricewaterhouseCoopers Financial Services Regulatory practice