Last week, the Practical Law In-house Consultation board met to discuss some of the pain points that are currently exercising them and their colleagues in the compliance space. The discussion led to some valuable takeaways that are summarised in this post.
All the attendees agreed that companies are struggling to keep on top of an ever-increasing compliance burden. One organisation, keen to avoid a false sense of security, is undertaking an exercise to map the strategic, business process and business operational risks it faces against the control and assurance activities it undertakes in each line of defence. Their key question is: how much reliance can they place on their controls and the assurance activities they undertake?
A company’s controls are only as good as the people that implement them. It’s important to avoid relying on just one individual (who may move on) and to build resilience into the framework by ensuring engagement and sharing of information and experiences across the organisation. Compliance requires an integrated approach across the business. It is not just a case of rolling out policies and processes, but of making sure business colleagues are given the tools and techniques they need to help them avoid rushing into situations that may create compliance risks.
Resourcing the team and being seen
In contrast to the increasing complexity of the world they face, compliance teams are typically small and frequently under-resourced. Doing more with less has become an expectation in many organisations. Managers need to be aware of, and responsive to, the effect that dealing with challenging workloads has on the mental health of those working in the compliance team.
Visibility of the compliance team is important, particularly as a diverse range of compliance topics are often lumped together. Soft skills, particularly relationship building and the art of persuasion, are key to ensuring that you get the time in executive committees or board meetings to deliver important messages about what is happening in the compliance world. Senior executives are often unaware of the amount of compliance work required to keep an organisation on the right track, so regular dialogue is essential in ensuring that it receives due attention and resources.
A generalist rather than a specialist
Senior leaders need to provide a strategic, helicopter view for the business and explain how regulation may impact it. They need to step beyond simply being an expert in one specific area and instead perform a broader leadership role that bridges the gaps between different regimes, translating all this complexity through an ethical lens, to communicate in the language of the organisation’s own values.
In particular, there is a need to look for the intersection between the different regimes and identify any potential conflicts that may arise. For example, between:
- Data protection.
- Anti-bribery and corruption.
- Modern slavery.
Avoid focusing all your attention on the latest hot topic or your specialist area, and make sure that it is not allowed to take precedence over all other areas. Time spent on a topic should be proportionate to the relative risk to your organisation, and fines for breaches of regulations (such as the UK GDPR) are not the only thing to be concerned about. While fines are often vast, potential reputational damage is often a far bigger consideration.
The international element
Remember that global regulators talk to each other. For example, regulators in Brazil, Russia and India are looking at the data protection regime in Europe and using it to cherry-pick for their own purposes.
Keeping on top of developments across different jurisdictions is a particular challenge for small teams working in global organisations when a uniform, global approach to compliance is a basic requirement and nuancing that policy for different regions might be beyond reach. For example, one participant highlighted the problems of navigating the differences between the modern slavery regimes in the UK, US and Australia.
Lack of in-person meetings during the COVID-19 pandemic has hampered compliance efforts. Often when you deliver face-to-face training it is the brief conversations with participants after the sessions that are the most revealing.
Webinars and meetings via Zoom or Teams are more formal. People are anxious about asking difficult questions via email or chat for fear of looking guilty. Staying silent is often the easier option. The good news, though, is that board members are sensitive to the increased compliance risks the pandemic has created and the need to find creative ways to overcome this disruption.