Today, more than ever, organisations are required to contend with increasingly dynamic and demanding external and internal environments by making good corporate governance accessible and fit for application, through the adoption of governance practices suitable to the organisation, and by sustaining value creation (KING IV – Information and Technology Governance Course (itgovernance.co.za, accessed 26 – 06 – 2022)). Good corporate governance practices underpin compliance management in an organisation.
‘Compliance management consists of efforts organisations undertake to ensure that employees and others associated with the firm do not violate applicable rules, regulations or norms’ (Alexander S Gills – What is compliance? (www.techtarget.com, accessed 26 – 06 – 2022)). Compliance is a prevalent business concern, partly because of an ever-increasing number of regulations that require companies to be vigilant about maintaining a full understanding of their regulatory requirements for compliance.
Compliance management is embodied, in part, in the fiduciary duty of directors, whose obligation to direct the management of corporations includes the responsibility to guard against illegal activities (Deloitte Duties of directors (2017) (www2.deloitte.com, accessed 26 – 06 – 2022)). The corporate law of compliance extends beyond fiduciary duties traditionally understood and includes substantive regulatory statutes, criminal laws, guidance from administrative agencies, codes of best practices, internal corporate rules, and other governing norms. The development of compliance management reflects a concern for eliminating inappropriate business practices and enhancing the efficiency of an organisation. The contemporary law of compliance is profoundly influenced by these developments.
Corporations faced with compliance problems are sometimes better described as supplicants seeking mercy from their regulators rather than as equal adversaries (Geoffrey P. Miller “The Compliance function: an overview” (www.law.nyu.edu, accessed 26 – 06 – 2022)). Organisations have a strong incentive to internalize the law enforcement function by instituting procedures to guard against violations and exposure to risk.
Compliance is a form of internal control, and internal control suggests that a well-managed organisation is one in which assets and resources are effectively deployed to serve the purposes of the corporation (Audit Board “Internal Control Compliance: 7 Reasons to Maintain your Program” (www.auditboard.com, accessed 26 – 06 – 2022)). Internal control consists of the following components:
(i) control environment,
(ii) risk assessment,
(iii) control activities,
(iv) information and communication, and
(v) monitoring activities.
The concept of internal control is embodied in the metaphor of the “Three Lines of Defense” (Arkansas Law Review, Vol. 62, pp. 431–474, 2009). It stresses the gravity of breakdowns in the internal control function, defines the threat as external to the organisation, and offers reassurance that if control functions are properly designed and maintained, the threat of a breakdown can be kept within tolerable limits.
The first line of defense is the operating units and the heads of the entities, sections or departments that carry out the daily business activities. The operating units cannot be relied on fully as a bulwark against violations because of human factors.
The second line of defense consists of persons or departments charged with carrying out monitoring and control activities, most importantly the senior official responsible for preventing and/or detecting violations of legal norms (the chief compliance officer (CCO) or general counsel), and the chief risk officer, whose job is to ensure that the risks undertaken by line employees are consistent with the risk appetite established by the board of directors.
The third line of defense, internal audit, is supposed to catch problems that filter through the first two. The internal audit department is responsible for checking on the entire organisation, including senior managers, in order to ensure that policies and procedures are being observed and that shortcomings in the organisation’s internal controls are identified and promptly fixed.
The compliance function must be independent of the audit function and has a dual line of reporting (Corporate Compliance Insights ‘Independence of the Compliance Function: A Critical Component of the Three Lines Model’ (www.corporatecomplianceinsights.com, accessed 27 – 06 – 2022)). The direct line of reporting is to the independent board committee and the indirect line is to the audit committee. ‘This entrenches the independence of the compliance function to act independently in the oversight of compliance’ (Zerafa Advocates ‘The Independence of The Compliance function’ (March 5, 2021) (www.zerafa.com.mt, accessed 27 – 06 – 2022)). Compliance is operational in nature: it goes beyond a policy, is functional and defines operations (anything operational is included in the charter), and it provides advice rooted in the law and in integrity (Deloitte ‘Audit Committee Resource Guide’ (www2.deloitte.com, accessed 28 – 06 – 2022)).
Compliance programs, policies and contracts
The compliance function is implemented through compliance policies, programs and contracts (Geoffrey P. Miller (op cit)). A compliance policy is a document that details the operation and implementation of the compliance program, providing guidance around governance, organisational structure and processes for dealing with compliance issues (Manatt Phelps & Phillips LLP “The Eight Key Elements of effective compliance Programs” (www.lexology.com, accessed 27 – 06 – 2022)).
A compliance program is a detailed statement of how the organisation intends to carry out the obligations that it has recognised in its compliance policy (Geoffrey P. Miller (op cit)). It is a formal document that gives life to a compliance function. Adopting compliance policies and a compliance program reduces board members’ potential liability. There are other reasons to adopt compliance programs, e.g. the law directly requires regulated industries to do so.
Corporations also establish or upgrade compliance programs as a result of regulatory enforcement actions to enhance compliance activities (Arkansas Law Review (op cit)). As a commitment to compliance, an organisation needs to commit to implementing reforms to internal governance, including reforms to processes of internal control, and to implementing compliance programs in order to mitigate the severity of risk. Operating a compliance program demonstrates sufficient cooperation and evidences a commitment to compliant behaviour. An organisation that implements a compliance program but then fails to administer it in an effective manner can suffer enhanced risk exposure. Failure to continuously address a deficiency in the organisation’s compliance programs leads to the subsequent commission of violations or exposure to risk. Organisations are encouraged to adopt robust compliance programs.
Elements of a robust compliance program
The mere creation of a compliance program will not ensure results. An organisation must exercise due diligence to prevent and detect inappropriate conduct (University of Illinois System ‘Elements of an Effective Compliance Program’ (www.ethics.uillinois.edu, accessed 28 – 06 – 2022)), and promote an organisational culture that encourages ethical conduct and a commitment to compliance with the laws, rules and codes of good practice. An organisation must establish standards and procedures to prevent and detect violations, and ensure that its governing authority understands the content and operation of the program and exercises reasonable oversight over its implementation. It is crucial to conduct effective training programs and to establish incentives to comply and consequences for non-compliance. Reasonable steps to respond to violations and to prevent repeat violations should be taken.
Elements of a robust compliance program are:
(a) internal policies, procedures, and controls;
(b) a compliance function;
(c) an employee training program; and
(d) an independent audit function.
Best practices and strategies for corporate compliance
To ensure an organisation follows compliance laws or regulations, the following best practices are recommended (Alexander S Gills (op cit)):
- Determine compliance goals. Focus on the areas of compliance the organisation needs to improve the most, such as a specific regulation, law or violation that can lead to regulatory sanctions and/or financial loss.
- Know the regulatory environment. Laws and regulations may change over time. It is a good idea to have staff members, either as part of a compliance department or otherwise, who keep up to date on new regulations relevant to the organisation’s industry.
- Implement internal control tools. Internal control tools can automatically track data, aiding in compliance risk management.
- Hold compliance audits. An in-depth review of regulatory compliance areas ensures an organisation is following compliance regulations correctly and can help identify areas the organisation needs to improve.
- Review compliance regulations regularly. A regular review helps find weak points and gives an organisation a chance to improve and keep its compliance efforts up to date.
- Train employees on compliance policies. If employees cannot follow compliance policies, then the organisation cannot fully adhere to them. Employees should be trained and made aware of relevant policies, and be held accountable when policies are not followed.
Please note that our blog posts are informal commentaries on developments in the law at the time of publication and not legal advice.