Building a culture of compliance

Anthony Crasto

Through tightened requirements around risk management, internal financial controls and compliance-related disclosures, the Companies Act, 2013 has brought significant rigour to laying the foundation for a culture of compliance in companies in India. It has imposed specific responsibilities on the board of directors and CEOs/CFOs and has laid down provisions for penalties and prosecutions for non-compliance with various provisions.

Thus, scrutiny around risk and compliance is rapidly increasing as regulators look to ensure that companies are putting policies and procedures in place to effectively respond to and mitigate risks. It is time that we change the lens used to view compliance from a “check-the-box” requirement to a “way of working”. More than just a set of policies and procedures, effective compliance management at the enterprise level can be viewed as a cultural ethic that should function like any other business asset that reaches across an organisation.

Nearly all companies provide some level of training to their employees, but a culture of compliance goes beyond a once-a-year mandatory training programme. Establishing such a culture requires continuous learning, resources and time to influence widespread change. It embeds compliance into everyday workflow and sets the foundation and expectations for individual behaviour across an organisation.

As regulatory demands continue to increase by the day, companies need to have the resources and technology frameworks in place to build compliance practices into their everyday operations. This is not just an item on the agenda any more, but it has an agenda of its own.

An effective way to achieve this is through a risk-intelligent framework that brings compliance into the open, running throughout all business processes, with responsibility shared amongst all employees. To truly unlock the value that can be achieved by establishing a compliance-driven culture, managements should take a step back and evaluate. The following four key areas form the pillars of a risk-intelligent compliance framework:

Compliance culture, ethics and principles:

Policies, procedures, rules and controls will always be required to help provide guidance to the business on what is expected to manage compliance. However, they cannot cover every scenario and eventuality. A focus on compliance driven culture and principles may help in managing the unforeseen compliance risks.

The right team:

To foster a compliance-driven culture, organisations need more than just people who can interpret laws, write rules and policies and conduct audits for compliance with these rules and policies. Organisations need people who can partner with the business teams, translate rules into what the business needs to do and help the business to change.

Integrated compliance programmes:

It is time that the compliance functions move away from their historic approach of operating in silos to an integrated way of working to drive synergies through simplification and harmonisation of compliance processes. This will result in a clearer identity enabling better business relationships, improved credibility and greater clarity in value.

Effective use of analytics and technology:

Having a “good enough” compliance programme is simply not good enough. Rather, organisations should continuously strive for “great”. A mature technology- and data-analytics-driven approach that helps identify and prevent compliance issues well before they occur, and performs real-time monitoring of high-risk areas, is resulting in increased benefits in creating successful compliance programmes.

In addition to focusing on compliance frameworks and internal controls, it is imperative for boards and management to also evaluate the effectiveness of their business risk management processes. The current business environment is shifting, with technology and regulatory changes disrupting business models and geographic boundaries. Boards and management need to understand these signals of change and their impact on business operations. They need to implement formal risk management systems to put mitigation measures in place with an aim to ensure continuity of business.

The risk profile of existing business operations is also undergoing significant change, with cyber security, social media, brand and reputation, regulatory and efficient business solutions risks gaining more and more importance. When it comes to managing risk and compliance, there is a difference between doing the minimum and doing the right thing to effectively address the requirements.

Companies that choose to do the right thing will unlock value through an increase in their level of compliance with the universe of regulations, reduced risks and reporting surprises, and sustained business performance over the long term.