Compliance: key component to a clean administration
22 May 2014
Compliance best practice
• Generally Accepted Compliance Practice Framework (GACP) – Compliance Institute Southern Africa
• King Report and Code on Corporate Governance, 2009 (King III) – Institute of Directors
• Significant legislation that requires compliance functions/activities
GACP: Core Principles & Standards
• Governance
• Compliance Policy
• Responsibility of Management
• Establishment of a Compliance Function
• Status
• Independence
• Roles and Responsibilities
• Head of Compliance
GACP: Core Principles & Standards
• Fit and Proper
• Resources
• Appointment and Termination
• Compliance Culture
• Outsourcing
• Independent Review
• Materiality
• Compliance Process
GACP: Applicability
• Increasingly gaining recognition as the primary source of compliance best practice
• Being used more frequently to guide the evaluation and assessment of organisations’ compliance structures, frameworks and activities by:
  • Regulators,
  • Internal audit functions,
  • External compliance practitioners, and
  • Organisations themselves
King III: Overview
• King III is owned by the Institute of Directors in Southern Africa (IoD) and is the primary source of corporate governance best practice
• Focuses on corporate governance as a whole (of which compliance is a part), so does not address compliance as extensively as GACP (which is specifically focused on compliance)
• Is also another important source of compliance best practice and guidance for organisations across all industries and sectors
• Released in September 2009 and became effective in March 2010
King III: Compliance Aspects
• Chapter 6 of King III deals with “Compliance with laws, rules, codes and standards”
• When considering the compliance chapter it is also important to understand how it inter-relates with other chapters
• Each version of King has placed more emphasis on compliance as an essential element of good corporate governance. In King III, the compliance principles and recommendations have been significantly enhanced and it is recommended that organisations consider appointing a compliance officer/establishing a compliance function
King III: Applicability
• Applies to “all entities regardless of the manner and form of incorporation or establishment and whether in the public, private sectors or non-profit sectors”
• The terms ‘company’, ‘boards’ and ‘directors’ should be substituted with the relevant terms for those with functional responsibility for governance in entities other than companies, as appropriate, e.g. a Public Entity under the PFMA should substitute ‘board’ with ‘accounting authority’
Applicability of Compliance Best Practice
• The last few years have seen a significant shift, from compliance being primarily a feature of the financial services industry to many other industries and sectors
• GACP and King III are applicable across all sectors and industries
• Despite having initially been developed based on the needs and experiences of the financial services industry, compliance best practice was developed based on generic and widely accepted principles and practice, e.g.:
Applicability of Compliance Best Practice
• Best practice around compliance structures, governance and oversight is based largely on general corporate governance principles that are also applicable to other risk management and assurance disciplines, e.g. risk management functions and internal functions; and
• The compliance risk management process is based on a general risk management approach of identify, assess, manage and monitor. This approach has been widely accepted and applied universally by many different types of organisations
Compliance & Ethics: Compliance Culture
Definition: Compliance Culture
“The culture of shared values, beliefs, assumptions and behaviours existing within an organisation that characterises the organisation, especially in relation to compliance obligations.” – GACP
• Compliance culture is critical to the success of the overall compliance risk management programme
Compliance & Ethics: Compliance Culture
• Compliance culture needs to be emphasised at all levels of the organisation, not only the top
• Establishing and reinforcing it should include consideration of, inter alia:
  • Clear expectations of all levels of staff regarding their compliance responsibilities;
  • Training and awareness of compliance matters;
  • Appropriate disciplinary policies and procedures that are effectively, consistently and fairly applied; and
  • Compliance as an element of the performance measures and the remuneration/incentive/reward systems of all relevant levels of staff
Complex and Changing Regulatory Environment
• Organisations are challenged with regulatory requirements that are increasing in volume and complexity
• Between 1994 and 2012, South Africa introduced >1150 new Acts (including Amendment Acts but excluding subordinate legislation)
• Regulatory oversight and enforcement is evolving and improving
Complex and Changing Regulatory Environment
• It is not unusual for organisations to identify anywhere between about 50 and a few hundred applicable regulatory requirements, depending on factors such as:
  • The industry within which they operate;
  • Their size;
  • The nature and complexity of their business operations, transactions and activities; and
  • The geographic spread of their business
Complex and Changing Regulatory Environment
• Large volumes and complexity pose challenges for organisations:
  • Consequences of non-compliance
  • Cost of compliance, e.g.
    • Implementing new processes and systems;
    • Training staff
  • Correctly interpreting and applying new requirements
  • Inconsistent application across industry/ies
  • Competitive challenges
Some Major Influences on Regulatory Development
• Government Policy
• International developments
• Corporate failures
• Questionable Market Conduct and Business Practices
Examples of Stakeholders whose Interests are protected by Regulation
Objectives of Regulation
• Identify the objectives of specific legislation, and whose interests it seeks to protect, from the preamble or from within the legislation itself, e.g. the preamble to the Occupational Health and Safety Act states:
“To provide for the health and safety of persons at work and for the health and safety of persons in connection with the use of plant and machinery; the protection of persons other than persons at work against hazards to health and safety arising out of or in connection with the activities of persons at work; to establish an advisory council for occupational health and safety; and to provide for matters connected therewith.”
Compliance is Mandatory
• The need for organisations to comply with legislation is not new
• From a legal standpoint, organisations do not have a choice as to whether or not they should comply with the law
• As recognised legal persons, compliance with all laws that apply to them is mandatory
• Failure to comply renders the entity liable to any fines, penalties, civil liability and other consequences of non-compliance
• Using compliance functions (imposed by law or voluntarily) and frameworks to assist in addressing compliance risks is a relatively recent development
Compliance is Mandatory
• Many organisations comply (or try to) with many laws even if they don’t have a compliance function and/or framework
• Consider: before your own organisation had a compliance function:
  • Did your organisation never meet any of its tax obligations in terms of the VAT Act and Income Tax Act?
  • Did your organisation not have any regard for the requirements of the Labour Relations Act and Basic Conditions of Employment Act in dealing with employees and their recognised representative organisations?
  • If you belong to a company, did your organisation not meet any of the Companies Act requirements?
Regulators: Overview
• There are many different regulators covering a large variety of industries, sectors, professions and activities
• Their specific role and objectives are derived from their legislated mandate. Individual roles may vary significantly
• Regulators may be established as departments/functions/agencies of government or as independent bodies
• For non-legislated regulatory requirements, the “regulator” could be the relevant industry body, association, organisation etc.
Engagement with Regulators
• Many regulators would rather work constructively with regulated organisations to pre-empt and resolve challenges and problems in a manner that is in the best interests of all stakeholders
• Organisations should maintain a professional and courteous relationship with relevant regulators
• Develop trust through open and honest communication
• Demonstrate co-operation. Assurances given to regulators should be backed by action
Non-Compliance: Enforcement & Sanctions
Non-compliance may result in:
• Fines,
• Imprisonment,
• Administrative penalties,
• Other administrative sanctions,
• Loss of authorisation to operate, e.g. a license suspension/withdrawal, and
• Liability for losses suffered by affected parties
Non-Compliance: Enforcement & Sanctions
• A regulator’s approach to applying or seeking the imposition of a penalty or sanction may be influenced by:
  • The extent of non-compliance and the specific results thereof,
  • The organisation’s track record in respect of compliance, and
  • Willingness and commitment to co-operate and resolve the matter in the interests of affected stakeholders and in accordance with the regulator’s mandate
Non-Compliance: Enforcement & Sanctions
• Challenges for regulators:
  • Administrative sanctions and penalties may be subject to prescribed appeal processes or challenged through the courts
  • Some sanctions/measures are subject to lengthy and uncertain judicial processes, e.g. criminal liability (fines & imprisonment) needs to be referred to the NPA for a decision to prosecute, followed by trial and imposition of the penalty by a court
Non-Compliance: Enforcement & Sanctions
• Increasing statutory establishment of alternative dispute resolution and complaints handling bodies:
  • Ombuds, commissions, tribunals etc.
  • Quicker and cheaper means for affected parties to seek recourse and recover losses from regulated entities
Non-Compliance: Impact on Reputation
• In addition to a regulator’s response to non-compliance, organisations should also be concerned about the response of other relevant stakeholders such as investors, customers/clients, employees, community members etc.
Non-Compliance: Impact on Reputation
• Information spreads quickly in today’s digital age
• Reputational impact may in some instances have far greater consequences for the organisation than the penalties, fines or other consequences that could be imposed
• Reputation may be impacted by actual or perceived non-compliance
Structure of the Compliance Function may Differ Across Organisations
GACP: “The structure, nature and extent of the compliance function should be appropriate to the organisation’s business, considering the nature, scale and complexity of the business with regard to:
• Product and service offerings;
• Structure and diversity of the organisation’s operations; and
• Risks associated with the different product and service offerings.”
King III: “Each company should consider the suitable structure and size of its compliance function, considering what is appropriate for the adequate management of the compliance risk of the particular company and having regard to the legislative requirements that apply to the compliance function. The structure of the compliance function, its role and its position in terms of reporting lines, should reflect the company‘s decision on how compliance is integrated with its ethics and risk management.”
Independence
“Principle and standards 6: Independence” of the GACP states:
“Principle: The compliance function should be sufficiently independent of business activities to be able to discharge its responsibilities objectively.
Explanation: The required independence includes the ability to operate and communicate in an unhindered manner. This level of independence must be clearly specified and formalised in the compliance policy and/or charter.”
Independence
• Compliance functions should be able to carry out their responsibilities without undue influence, fear of interference or recrimination
• Top management should ensure the independence of the compliance function
Independence: Governance Structures
• Compliance responsibilities of governance structures should be formally established and recorded in their respective mandates
• The compliance function should have direct access to top management, governance structures and executive management
Independence: Reporting Lines
• Irrespective of actual reporting lines, the compliance function should have direct access to and demonstrable support from the CEO and top management (board or equivalent)
[Diagram: recommended reporting lines between the Compliance Function, Management (e.g. CEO/CFO etc.) and the Governance Structure (e.g. Audit/Risk Committee), distinguishing functional and operational lines]
Conflicts of Interest
• Real and perceived conflicts of interest should be avoided wherever possible
• Where they cannot be avoided, they should be identified, disclosed and managed
Conflicts of Interest
Common causes of conflict of interest for compliance functions:
• Reporting Lines
  • E.g. when they need to report/provide assurance on compliance matters that are the responsibility of their own reporting line
  • May be addressed by dual reporting lines, but this may not always remove the conflict effectively (see activity)
• Conflicting/Dual Roles
  • Ideally, compliance staff should not have any other responsibilities
  • When they do, conflicts of interest must be avoided; consider:
    • Will they monitor their own work?
    • Will they assess/judge decisions made by themselves?
• Remuneration Policies
  • Remuneration/incentives of compliance staff should not be directly related to the performance of the business area for which they have compliance responsibilities
  • When linked to the performance of the business as a whole, less likely to cause conflict
Independence & Advice
• The “advice” role of the compliance function does not impair independence, provided that:
  • The compliance staff member providing the advice is not the decision-maker or implementer, i.e. only makes a recommendation
• The compliance function needs to maintain a close working relationship with other areas of the business and not be seen as “outsiders”
• Some organisations with larger compliance functions separate roles within the team, e.g. Regulatory Analysis, Risk Management and Monitoring
Resources & Competencies
• An effective compliance function requires adequate resources to fulfil its function
• Responsibility of top management, supported by management
• The resourcing of the compliance function should consider:
  • Human resources;
  • Financial resources; and
  • Operational capacity
Reviewing Effectiveness of the Compliance Function
• Top management should ensure that the compliance function is subject to regular independent review
• Review objectives:
  • Confirm that the function is operating effectively and as intended
  • Facilitate continual improvement
• Reviews can be carried out by internal audit, an independent compliance officer or other suitably qualified professionals
Reviewing Effectiveness of the Compliance Function
• Reviews should include all key compliance processes and areas of activity
• Should consider both the adequacy and the effectiveness of the function
• Deficiencies identified should be addressed in a timely manner
• Also consider informal self-assessment-based reviews
• Consider extending the scope of reviews to include all aspects of compliance management across the organisation, and not necessarily limiting the reviews to the “compliance function”, so as to recognise the key responsibilities of others (e.g. management) in managing compliance risks