A marriage between compliance and culture: building on solid foundations

In seeking to create greater awareness on financial crime related obligations, Ganado Advocates is launching “The Financial Crime Series”. This series of short articles seeks to highlight the various aspects which organisations are to take into account when establishing and maintaining a robust financial crime framework.

The first article within this series relates to the importance of embracing a compliance culture within the organisation, how such a compliance culture can be achieved, and the responsibilities which the board of directors has in ensuring that this is maintained. Given the clear overlap between financial crime and the compliance function, this article will also delve into certain compliance related matters, as part of the financial crime framework.

Reputational damage and administrative penalties are almost guaranteed when organisations do not embrace a compliance culture. Adopting a compliance culture will help in ensuring that the organisation is compliant at all times, leading to a lower risk of penalties and reputational damage, and to a strong relationship with the regulators.

Compliance is not only about having documented policies and procedures but is also about ensuring that employees are undertaking their functions in a compliant manner. Who is responsible to ensure this happens? And how can one build a strong compliance culture?

Directors’ Responsibilities

From a legal perspective, directors are responsible to promote the well-being of a company. They are responsible for its general governance as well as its proper administration, management and the general supervision of its affairs. Directors retain responsibility for good governance and supervision even when they have outsourced certain functions to third parties or delegated duties to other persons within the organisation. Therefore, whilst the board delegates compliance related matters to the compliance officer, in terms of law, the board still retains ultimate responsibility for compliance with the applicable laws.

Compliance culture

It is up to the directors to ensure that a healthy compliance culture is maintained within an organisation. This is done not only by putting the right frameworks and policies in place but also by leading by example. The board is therefore responsible for establishing the right ethics, values, principles and practices with which senior management and other operating units are to comply, for being the first to comply with such values, principles and practices, and for ensuring that these are adhered to on an ongoing basis by all senior management and employees. For organisations which do not implement and monitor these practices, failure is almost guaranteed.

So, how does this pan out in practice?

A compliance framework

A robust compliance framework should be a priority for every organisation, irrespective of its nature, size and complexity. Adopting a compliance framework which is proportionate to the size, nature and complexity of the business is key to ensuring that the organisation is compliant in an effective and efficient manner.

Setting the tone

The directors should set the tone for the rest of the organisation by leading by example as their attitude will permeate to the rest of the organisation. It is difficult for employees to implement compliance measures in the day-to-day operations of the organisation, if directors and senior management do not observe measures themselves or do little to monitor implementation.

Getting the right people on board

Directors should channel recruitment efforts into targeting individuals who have the right mindset, the necessary competence and sufficient time to dedicate to the undertaking of the role. Members responsible for the different aspects of financial crime should be knowledgeable in the area and should seek to continue mastering their skills on the subject matter on an ongoing basis.

Policies, procedures and internal controls

Establishing policies which set, at a high level, the manner in which the organisation is to comply with the relevant legislative/regulatory requirements is a first step. These should be substantiated by detailed procedures which the employees are to implement on a day-to-day basis as part of their jobs. Internal controls are also key in ensuring effective ongoing compliance with the policies and procedures. On an ongoing basis, directors must also ensure that policies, procedures and internal controls are updated to remain in line with the latest legal and regulatory developments and any changes in the direction of business or operations of the organisation. Establishing and approving a compliance monitoring plan which is to be implemented by the compliance officer is key in ensuring that this oversight function is undertaken on an ongoing basis.

Compliance: not just an add-on

Regulatory compliance and financial crime compliance should be in-built in the processes of the organisation rather than just an add-on to operating units. The carrying out of the compliance function should not be restricted to a compliance officer or a compliance team, but must be extended to all the individuals forming part of the organisation, who must be aware of and implement these processes in a manner which is compliant with the laws, regulations, policies and procedures of the organisation.

Communication

Values, principles, practices, policies and procedures, and the importance of adherence to same, must be communicated to all employees, and constant reminders must be integrated through training, promotions, compensation and/or rewards.

Training

Having state-of-the-art policies and procedures on paper without these being implemented by the employees is a recipe for failure. Training on the applicable laws, regulations and more importantly on the internal policies, procedures and internal controls should be provided to all employees on an ongoing basis in order that employees are fully aware of the manner in which the organisation is to operate and comply with the applicable rules.

Second line of defense oversight

Monitoring compliance with the internal policies and procedures through the second line of defense is key in ensuring effective compliance by employees. Without a robust compliance function reviewing the first line of defense, internal controls would be deemed to be weak and ineffective.

Independent Directors

The presence of independent directors on the board will help in ensuring that the executive directors are challenged on their executive functions and how operating units under their supervision are operating. This does not mean that the executive directors should fall short of questioning the robustness of the internal controls. Directors (whether executive or otherwise) have the same responsibilities in terms of law and therefore all directors should take an active role in ensuring that the company’s financial crime and compliance framework are fit for purpose.

Board Oversight

Directors should not restrict their involvement on the board to simply approving the reports and documents tabled at the board meeting. Directors should challenge and question the contents of the report. Reports to the board (from third party service providers and from employees within the organisation) should be provided on a regular basis in order to ensure proper monitoring of the activities undertaken. Reports on the implementation of the compliance monitoring plan should be circulated to the board on an ongoing basis, thereby ensuring that proper oversight is being undertaken on compliance related matters.

The most effective way of instilling a healthy compliance culture is to view compliance as an added value to a business rather than a burden. A lack of compliance culture, especially in regulated industries, will result in legal and regulatory consequences. Seeing that an organisation’s culture shapes the way it is viewed by the public, it can also result in reputational damage to a business and may therefore affect it commercially. This underpins the importance of placing compliance (including financial crime compliance) high on the agenda.