The state of risk and compliance post-Royal Commission
The outcomes of the Royal Commission Inquiry into Misconduct in the Banking, Superannuation and Financial Services Industry have resulted in greater investment in risk and compliance, to ensure the function evolves with the times.
Samantha Carroll, Practice Director of Governance, Compliance and Regulation at Ash St. Legal & Advisory, believes every company is dealing with its own situation but, in general, she has seen “compliance take a seat further up in the table than it did 2-3 years ago, and they [skilled risk and compliance professionals] have a lot more influence and power”.
She shares her take on the current state of compliance in Australia below.
How can industry meet legislative expectations and consumer outcomes?
I think the only answer is to work smarter, as “more resources” is not necessarily the answer in every case.
What I mean by “smarter” is that compliance professionals are going to have to work more efficiently and more effectively through a range of activities to optimise available resources. Some of the activities I would suggest may need to be considered would be:
- Rationalise the current approach to managing compliance and weed out any unnecessary activities being performed by compliance that aren’t adding value or achieving better compliance or performance by the business. Compliance functions can have a tendency to focus on form over substance. While form is important, there are opportunities to look for better ways to achieve compliant outcomes. A particular area that comes to mind is the evaluation of compliance obligations through the use of a compliance obligations register. In my view, there is an opportunity to rethink this approach with a greater focus on compliance risks rather than a line-by-line assessment of each obligation.
- Consider the role technology can play in more effective and efficient work practices within the compliance function and its own activities but also business activities. For example, compliance functions could look at things like compliance incidents’ management, which can take up a lot of time if it is a manual process. Compliance activities performed by the business should also be reviewed to determine what efficiencies could be gained from the use of technology. Technology-assisted compliance activities are increasingly being called ‘compliance by design’.
- Assess the role outsourcing could play in the management of compliance. For example, if an organisation has a shortage of experts, it could think about what it can access externally to fill any internal gaps it may have or to use its resources more efficiently. Outsourcing compliance activities could include using external experts to do some of the development work for compliance controls or framework documentation, getting service providers to perform monitoring or utilising external training provider services.
The uptake of technology for compliance programs
There is definitely an increase in interest, but I think it’s still an area that is still maturing.
Some examples I have come across where RegTech is being used include organisations using platforms to manage risk and compliance frameworks, chat-bots to assist with advice on answering questions around compliance requirements, and data analytics for monitoring.
On the business side of things, technology is being used to improve compliance in customer identification and on-boarding and any other activities that streamline the provision of services or products to customers.
Advice for risk and compliance professionals
There are five key points to consider:
- Firstly, to ensure there is clear understanding at the board and executive level on the types of compliance risks being faced by the organisation, and how those risks are being managed.
- Secondly, ensure you are escalating reporting on compliance in sufficient detail because lack of detail has been an issue that has been identified in recent reviews. Getting the right detail at a governance level is important to ensure the board and the executive management clearly understand the compliance risks/issues and what needs to be done to address those risks/issues, including any barriers or challenges that may be faced when doing so.
- Work closely with your risk management personnel to ensure compliance is embedded appropriately into risk management practices and the three lines of defence model – but that the three lines of defence is not the only focus for compliance management.
- Develop strong foundational documentation that sets out the compliance framework in a way that is specific to the organisation, and that’s also well-structured and purposeful.
- Finally, ensure that reporting on compliance incorporates meaningful measurement and metrics that focus not only on effectiveness but also on the performance of the compliance management system.
Samantha Carroll is Practice Director of Governance, Compliance and Regulation at Ash St. Legal & Advisory.