Bringing Compliance Risk Management in the Forefront of Corporate Responsibility

by Pallavi Singh*

Bringing Compliance Risk Management

Introduction

Compliance management has become an essential part of operating any organisation both Government and non-Government. Whether it is corporate compliances, regulatory compliances, data privacy or internal company conduct, compliance is not something that organisations can work around anymore. It requires not only staying abreast of compliance and legal obligations but knowing how to engrave it in the organisation’s culture to protect the interests of all stakeholders. In recent times, cybersecurity and human capital have been identified as the top risks for organisations globally.1

Legal compliance management is a comparatively newer field, advanced by more and more regulatory requirements coming into picture. It is a process of ensuring that the organisation adheres to legal and regulatory laws that apply to it, thereby minimising the “legal risk” of the organisation. Looking at a wider picture of things, it can be said to be a part of operational risk management as it looks down on all the departments of an organisation/entity and ultimately affects the overall operations of the overall entity.

While it is widely believed to affect human resources (HR), data privacy and filings, the scope of compliance is much larger such as in anti-bribery, code of conduct and much more nuanced such as export-import requirements and industry specific requirements. This includes adhering to regulatory laws, HR and labour requirements and safety requirements, etc. among others. As we know with change in the regulatory landscape, these requirements keep updating, which means the regulatory framework must be built in a manner that it is flexible to incorporate changes without much of a hassle. Continuous reviews and updates reflect changes in laws, regulations, business operations, and emerging risks in various departments and functions of the entity. Without a comprehensive compliance monitoring system (CMS), the company will not only fail to meet required legal requirements but fail to implement its internal codes of conduct resulting in departmental inquiries, fines, show-cause notices, legal battles, sanctions ultimately hampering the goodwill of the organisation.

If you think compliance is expensive: try non-compliance.

Organisations operating in highly regulated jurisdictions or highly regulated industries (such as aviation, drugs, banking) often have to pay hefty licensing fees, etc. but not complying is far more costly. In fact, a recent report published by Globalscape finds that the cost of non-compliance is 2.71 times higher than the cost of compliance.2

One such example is the 2021 cyberattacks around the world, where organisations experienced the worst years as the attacks crippled high-profile businesses due to inadequate information technology (IT) infrastructure as mandated by the MeitY (Ministry of Electronics and Information Technology, Government of India). Post this attack, organisations initiated to comply with privacy and security regulations. However, the attack left the stakeholders vulnerable to potentially catastrophic results of a data breach putting the organisations and individuals in harm’s way. In addition to the above, penalties and fines for non-compliance with these regulations are of critical nature that can cause severe monetary as well as goodwill damage to your organisation.

Comprehensive compliance monitoring system (CMS)

A CMS is an overall system that includes the organisations’ compliance policies, compliance processes, audits, and other monitoring programs. It consists of an integrated system of documents, compliance management tools3, internal controls, and functions for better functioning. Hence, a compliance program is built as per the needs of the organisation and differs on case-to-case basis.

A fine was imposed on JP Morgan for $125m because the employees exchanged information about securities business matters on personal texts and e-mails. An example of how compliance mismanagement can cost a company a fortune.

There are a few essential elements while building a compliance management system that must be ensured

  1. Management oversight: As the Board of Directors are the main custodians of the company, they must always have an oversight of the status of compliances. Moreover, the management is the responsible body pertaining to any irregularity found by the authorities, it is always in the best interest of the organisation to keep them in loop when it comes to any legal requirements and sanctions.4 For Indian entities, the Companies Act, 20135 (as amended) and allied rules will form a base to work on creating a wholesome management oversight to the operations.

  2. Compliance program: Compliance program must be created which will be a tailor-made process of identification, assessment and mitigation of non-compliances found in the organisation. This should be a detailed document pinning out every important aspect of the organisation. To create a compliance program, it is imperative that we first identify the correct compliance risks involved, through the following steps — risk identification, compliance risk rating and assessment.

    An important step towards this will be proper involvement of legal team to identify the applicable laws, rules, regulations, code of conduct (if applicable), guidelines and orders as passed by various courts and authorities. This way the organisation can make sure that all the bases are covered before going on identification of risks.

  3. Compliance audit/reviews: In highly regulated industries, compliance audits or timely reviews are a must. This process is the next step after enough time has gone by post implementation of compliance program, to assess how the program is doing. This will give us an idea of what are the legal risks the company is unable to mitigate and hence, bring forth the vulnerability.

  4. Compliance improvement plan: To mitigate and close the highest level of non-compliances in the organisation, compliance improvement plans (CIPs) can be of great help. This will help the organisation to be always on its toes and ahead of authorities regarding extremely elevated levels of risk, keeping the organisation safe to a larger extent.

A compliance management system is effective in protecting the stakeholders of the organisation — such as investors, consumers, suppliers, employees, third-party vendors and contractors, etc. Some of the day-to-day examples of compliance management systems are the creation of internal policies of the organisation like anti-bribery, non-discrimination, code of conduct, etc. which must also be in line with the legal and statutory requirements. Companies use internal policies and procedures as a check and balance not only against upcoming legal risks but also to help them in aligning the organisations’ vision and mission.

Key essentials of a compliance management system

Flexible to incorporate new legislation.

Must incorporate internal controls and procedures.

Pinpoints responsibilities.

User-friendly with regular trainings and workshops.

Inclusion of industry best practices.

Flow from top-down.

Undertake regular and timely audits.

Management oversight

In all organisations, ensuring legal and statutory compliance is the ultimate responsibility of the highest management. For corporates it will be the Board of Directors, in other organisations it will be the Chairperson and so on. In addition to this, if there is any show-cause notice or inquiry, they are in the name of the management, as they are answerable to the authorities and to the public at large.

This is mainly due to the higher risk involved in legal gregoryites that this top-down approach is adapted. However, the custodian of these compliances is either the compliance team or legal team (where compliance is not present separately). As on date, all large organisations have a well-established compliance team where compliance officer/compliance head has authority to check on organisation’s legal compliances and is accountable for corporate actions.

This Board of Directors is the decision-making body that governs the organisation. At this step, corporate governance comes into play. Corporate governance is a system of relations that determines the procedures for decision-making concerning the activity of a company and exercising control. Without building an effective corporate governance system, the company cannot achieve its set goals. In this context, the best approach is to execute corporate governance from a compliance standpoint.

Compliance program

Most of the organisations are now going for a compliance program, (which is recommended) considering the numerous laws applicable to an organisation in various areas. Having an effective compliance program can keep the company secure from penalties, fines, notices and civil or criminal enforcement action from authorities.

Hence, it is imperative that the legal requirements applicable to a business are kept at up to date for compliance programs to be effective. A good program would entail a 360-degree view of the organisation to cover all areas from product to process, from procurement to delivery, no fragment must be left out. Every process should be understood to the core, to create the incorporate the best possible practices to ascertain and mitigate risks arising out of non-compliance.

An effective compliance program is a good mix of checks and balances. Giant corporates are largely at risk of reputation damage even with the slightest of incident. With social media having so much power, it takes no time for a spark to turn into a wildfire and burn down shareholders’ wealth. At such points, it is important to swiftly respond to the detected compliance threats. A robust compliance management system can strengthen the overall organisation’s reputation. It demonstrates to clients, investors, partners, and regulatory bodies that the organisation is committed to ethical practices and legal compliance. This will ultimately lead to increased customer trust, better business relationships, and can have a competitive advantage.

For example — customer complaints coming in may indicate a compliance weakness pertaining to a specific department. In such a case, if the source is a “faulty product”, then it may become a reason for customer litigation and may hamper brand image. If this is not handled in a proper manner and corrective actions are not taken in due time it can lead to reputation damage.

No organisation knows all the risks on the face of it. Certain steps are required to be taken to identify such risks. Hence, risk identification must be done. Risk identification is based on multiple factors, like — type of organisation, size of organisation, industry it operates in, ancillary business/activities, ownership, etc. Like in large enterprises, risk identification is more entity-specific while for smaller entities it is more done on an individual basis and industry concerns across the sector. Once the risk is identified, it must be rated to understand the magnitude of the risk across areas for example — critical, high, medium, and low. These ratings are assigned to each risk which will form a crucial part in moving ahead. This system is called risk rating. Some of the most critical would involve hefty penalties, imprisonment of the Board of Directors, multiple customer litigations, multiple court cases on the company, goodwill loss, etc.

Now, we go ahead with risk assessment with only the important risk points like critical and high risk, leaving aside the low-risk areas. Risk assessment is analysing the risk, taking into account multiple other factors specific to the situation. At this point, the core of the non-compliance isfound and understood. Like what kind of non-compliance is it — is it due to non-obtainment of certain licences or registration or is it due to failure in proper reporting system where the organisation has not filed a certain return in a timely manner and so on. This assessment can be done and NCs can be further divided into the following areas:

  1. Non-obtainment or non-renewal of a licence or registration in a timely manner.

  2. Non-filing of challan or return as per the law.

  3. Non-payment or incorrect assessment and payment of taxes to Central, State or local authorities.

This entire analysis will not only bring forth the legal, ethical, and regulatory risk-based landscape but also will help the management prioritise areas that need immediate attention and allocate resources effectively.

Compliance audits

Another major component of keeping risk at bay is the continuous compliance audits of the compliance program to measure its effectiveness. These audits can be conducted in a time-bound manner (6 months or annually, depending upon the requirement) to take an independent review that determines the gaps in the working of the program. These audits are better if taken up internally, especially in the initial years of foundation, as this would not only keep the members involved but also be a learning opportunity for the team. Moreover, due to the audit being internal in nature, the team will be more open to innovative ideas without the fear of repercussions. Such an audit would include tracking statutory compliances, internal policies, external legal requirements, and voluntary requirements adopted by the organisation e.g., International Organisation for Standardisation (ISO) Certification, Indian Green Building Council (IGBC) Certification, etc.

For highly regulated industries like pharmaceuticals, food manufacturing, distillery, aviation, banking, real estate, oil and petroleum, etc. these audits/reviews must be forever ongoing due to the following reasons:

  1. To keep a check on the status of previous NCs observed and how are the mitigations progressing.

  2. To keep the system updated due to numerous numbers of laws and amendments flowing in on daily basis.

This kind of monitoring not only ensures better stakeholder trust but also saves costs and time thereby reducing risks associated with non-compliance. In addition to this, the system will also be able to identify vulnerabilities faster and make smarter decisions to correct them without any hindrance to the regular operations of the company.

To achieve full efficiency in the longer run, organisations go for external surveillance audits to keep an eye on their controls, monitor procedures, and make observations that detail lapses over a period of time. A surveillance audit is one of the ways of assessing how compliance-ready an organisation is and helps companies gain a sense of structure and confidence.

Compliance improvement plan

CIPs or compliance improvement plans are used mostly by tax officers to assess the exact amount of tax impact with and without compliance.6 Here, we have tried to derive a similar system that can be used by the organisations to assess the impact of non-compliances from the time such NC has either been identified or can become a potential threat in the future.

Since, we have already covered several steps from risk identification to compliance audit, CIP would entail a step forward post assessment of such risk. There would be multiple NCs identified during multiple assessments and audits. To go ahead with an improvement plan, it is imperative to maintain track of the same. Hence, the next step shall be risk documentation. The CIP requires proper documentation of the identified compliances to plan better. Hence, a developed structure of record keeping is required. In an ideal condition, this documentation should be standardised across the organisation irrespective of the number of units and jurisdiction. However, depending upon the change in operations, there can be a slight change in the manner of documentation. However, it must be noted that, since it will be used for future references as well, the understanding of the purpose and regular updation on the document or the risk register must be maintained.

Unique risk number

Status of risk

Risk rating

Impact

Treatment plan

Review date

Responsible entity

Every risk to be given a unique number

(Open/closed, current/potential).

(Critical, high, low, medium).

Penalty/fine as per the law and the stakeholders impacted.

Whether the treatment plan is in place. (Yes/No).

Upcoming review date for the risk.

Which entity, department or person is responsible for delivering the results/treatments. The division or area and the position details of who will be responsible for overseeing the risk including the risk owner, risk manager, and a contact officer. A risk owner is a senior staff member with overall accountability for the risk. A risk manager is a staff member with operational responsibility for managing the risk. The risk manager may also be the risk owner. The risk contact officer is the first point of contact and can be risk owner/manager.

As we can see above, a risk register would act as a repository for all current and past risks of the company. It is typically a database that contains important, searchable metadata for each risk, definition of such risk, likelihood and consequence ratings, and the entity and department which is under such risk.7 A risk register can be maintained by the organisations would look something like the one above.

This template would become a permanent record supporting the decisions made and actions taken on the assessed non-compliances. Next step in the CIP would be closing the open NCs i.e. risk mitigation — a proposed mitigation plan and strategy should be made with supporting documentation and specific action items keeping the Board of Directors, legal team and the compliance team in loop so that no major update and protocol is missed while creating a mitigation plan. It must be ensured that while mitigating one NC we are not entering in another, bigger or multiple NCs.

The International Institute of Internal Auditors has used the model of “3 lines of defense” to determine the role of compliance and risk management in the corporate governance system of any organisation.8 As per this model, there are 3 lines of defense against the compliance risk that any company can use. The first line of defense is business units and risk owners that take primary management measures. The second line of defense is risk management units that support and monitor the first line which is the compliance unit itself. The third line of defense is an internal audit that provides independent and objective confirmation of the proper functioning of the first and second lines of defense.

Now, as we saw risk can be of varied magnitudes, for critical and high-risk points, the next step would entail risk treatment. A risk treatment plan is customised to reflect the true nature and severity of the risk. CIPs must opt for a well-balanced treatments method which includes both facilitative and corrective actions to maximise the output.9 This is a one step farther to gap assessment which most organisations either do on their own or hire a service firm to do it for them. A balanced method helps to understand the core reason for such a risk. For example, if the compliance requirement was not known to the team concerned who must be doing it in the first place, then knowledge enhancement is the best possible treatment.

Hence, depending upon the reason for such risk cropping up, the treatment should be tailor-made.

Monitoring and evaluation of the outcome post completion is of utmost importance. Wherever the pain point was identified, intentional efforts must be made to fill the gap then and to ensure non-repetition of such incident. Keeping a track of progress and final reporting timeframes can become a performance indicator which will also keep the employees motivated.

Evaluating outcomes

An organisation can have multiple ways to evaluate the outcomes of the entire exercise. However, there are 3 diverse methods of doing so—

Qualitative assessment

This evaluation method is based on tracking the outcome basis the core compliance obligations like registrations, filings, reporting, and statutory payments. This can also be further assessed by keeping a track of show-cause notices received, penalties levied complaints received in various departments. However, this method would not entail any assessment and understanding of the outcome in figures.

This method is more suited or smaller to medium organisations which cannot spare a huge amount on complex calculations and teams. Such a method can also work for non-listed entities and organisations functioning in lowly regulated areas like an in-house compliance of a service industry or an organisation working purely in supply chain.

For assessment under this indicator, a baseline level of performance can be established keeping in mind the average performance of the organisation or a competitor (also called benchmarking) and then tracking changes and improvements over time.

Quantitative assessment

Unlike qualitative assessment, a quantitative assessment would entail a more mathematical approach of assessment of the figures affected due to non-compliance identified including potential threats. This would use a calculation based method of assessing future penalties, loss of goodwill, loss of shareholder wealth, loss due to higher attrition in the organisation and the potential loss due to impending or upcoming litigations.

This method is suited for large multinational organisations which work hugely in monitory and foreign transactions such as trading entities and organisation working highly regulated and industry having complex tax requirements (organisations working in multiple jurisdictions in petroleum and oil industry).

Fused method assessment

As the name suggests, a fused method is a more balanced blend of both approaches — qualitative and quantitative method depending upon the organisation’s requirement. This kind of method is best suited for all large organisations as it gives a flexibility in deciding the factors the organisation wants to consider for qualitative and factors it wants to consider for quantitative assessment.

As organisations and corporates are largely driven by numbers, this method will show how non-compliance is affecting the overall figures in an organisation. Through this method, an organisation can assess the figures affecting the profits/turnover.

Assessing a cost of non-compliance

While assessing the cost of non-compliance, there are multiple factors that come into play as has been mentioned in the quantitative assessment. The cost of non-compliance is widely linked to the kinds of compliances applicable to the organisation. For example, the cost of compliance is higher in labour intensive activities due to the increased cost of labour management. Similar is the case of highly regulated industries. Other costs would include:

  1. Huge fines.

  2. Impact on working capital and profitability.

  3. Business disruptions.

  4. Reputation loss.

If you (highest management of the organisation) are working on fighting a non-compliance you are not working on things that you are meant to.

Creating an impactful compliance tool

Technology plays a critical role in enhancing compliance and operational risk management for organisations. Having a compliance monitoring tool is a wonderful way to keep track of the compliance status of the organisation. To minimise errors, the best way is to leverage automation and self-create or onboard an automated system from a vendor. These tools can automatically monitor regulatory changes, update compliance requirements, and send alerts to relevant department owners. There are multiple options available in the market in all costs and varied features. These tools mostly are similar in nature and have their own pros and cons. Some tools have the option of developing comprehensive treatment strategies as well, however, these are priced at a higher range.10 Hence, depending upon the requirement, you must be very vigilant in choosing the tool best suited for your requirements for an effective CIP.

These compliance monitoring tools act as a centralised information repository for all your applicable compliances that facilitate identifying and assessing risk and tracking the status. However, before this tool can become live in any organisation, it requires huge mental labour from all relevant stakeholders, as the tool is required to be customised at each level. It is suggested that organisations spend sufficient time in this initial implementation so that the tool can work well in future and become an asset, instead of a liability.

One of the common and essential features in all these tools is the responsibility matrix. The laws and all other legal/statutory/internal requirements are mapped in the tool to the responsible person at each level of the organisation. This brings in the involvement of departments like operations, quality, safety, marketing, liaison, legal, and planning among others. It must be kept in mind that most of these departments operating the tool at diverse levels are not lawyers and have had little to no exposure to legal language. Hence, it is very important that the compliance requirement is clearly laid down and in easy terms for these people to work on. In addition to it, proper training is a must. Training must involve both the aspects — tool training (understanding and operating the tool) and content training (understanding the content mentioned in the tool).

A key reason for the failure of these compliance tools available in Indian market is that they are not deemed user-friendly by the organisation.

Most of these tools are built by lawyers with the help of industry experts. This is both a pro and a con for these tools when it comes to user interface. The pro being the content. Both lawyers and industry experts are good interpreters and primaries in their field, which ensures quality content in most cases. But here is the problem — the people operating the tool may or may not be either of the two, neither lawyers nor industry experts. When the tool contains jargons not used by laymen, which makes it tougher for the other departments to understand the content and simultaneously use the tool. (Phrases like “notwithstanding”, “proviso to”, etc. must not form a part of the compliance tool). Some of the people who are working on these tools may be ground level employees who have recently entered the job market. It will be unfair for tool makers and content creators of the tool to expect these people to understand the nuances of law and have industry expertise from the first day.

Another concern that in-house teams face is the compliances in these tools that runs in thousands of numbers without any clear segregation of risk matrix. It is important to do a thorough check on applicability of laws and each legal requirement and create a customised checklist. Assessing the non-applicability of laws and specific provisions becomes equally important, so as to not increase the compliance burden on the organisation and the person reporting the compliance as most of these people are ground level employees and are working in extreme job pressures.

All the legal requirements must be boiled down in the form of a “to-do” list for such person and provided to him as a supporting document to assist him in his regular working.

In smaller to medium organisations, the number of employees may be lesser, so while framing the tool, it should be kept in mind that the number of compliances given to them is lesser in number so that the person doing it is not overwhelmed. The aim of this tool is to assist the team in keeping the compliances on track, it should not be so that it becomes a burden on the teams. Proper training for employees not only helps in managing the tool better but also creates an understanding of legal requirements which is not generally what employees are trained for.

For manufacturing and other labour-intensive industries, it is important that the labour-related compliances are duly mapped as they make up for a huge part of payment and social compliances in this industry. In such organisations the number of contractors is also generally huge, hence, mapping of third-party compliances becomes an important part for large corporates who can later come under the garb of investigation for non-monitoring of third-party compliances and become liable as a principal employer.

Whenever deciding to go for a compliance monitoring or management tool — either developing in- house or onboarding a vendor, keep in mind the pros and cons to find yourself the best solution in the market.

Conclusion

However, it must be noted that policies and procedures are mere papers if we do not foster the culture of compliance. Organisations must strive to build a culture where compliance is valued.

Most of the issues crop up mainly due to the following reasons — weak administrative frameworks, ineffective organisational and management arrangements, poorly designed administration processes, rigid human resource management policies, and inadequate information technology (IT) systems and data holdings. Hence, capacity development must be looked at as something imperative to strengthen the compliance program and to effectively implement the CIP.

A compliance management system is an invaluable asset for any organisation. It not only ensures legal and regulatory compliance but also drives operational excellence, fosters trust and credibility, and supports strategic decision-making. Through a robust compliance management system, operational risks related to prevention of accidents, product quality issues, supply chain disruptions, data security breaches, environmental violations, tax irregularities, etc. can be avoided. It also helps in avoiding costly disruptions to production, delays in deliveries, and damage to the company’s reputation. Operational risk management is closely tied to regulatory compliance as it involves implementing measures to meet legal requirements and industry standards.

An integrated approach and a digitised compliance department would ensure that critical processes are on auto-pilot mode, thereby lowering the risk of non-compliance and improving the financial and overall health of the organisation.

“It takes less time to do a right thing than to explain why you did it wrong.”

-Henry Wadsworth Longfellow


*Corporate Lawyer specialising in Corporate Compliances and Due Diligence, (Ex-EY, Ex-Godrej). Author can be reached at: pallavi.s.gaharwar@gmail.com.

1. AON, Global Risk Management Survey <https://www.aon.com/en/insights/reports/global-risk-management-survey> (Report 2023-2024).

2. Globescape, Believe It or Not, Compliance Saves Money, <https://www.globalscape.com/resources/whitepapers/data-protection-regulations-study#:~:text=Believe%20it%20or%20Not%2C%20Compliance%20Saves%20Money&text=In%20fact%2C%20this%20recent%20report,ultimately%20yield%20a%20pricier%20penalty>. (Please check)

3. How to create an automated tool, covered in later section in depth at p. 8 of 11.

4. Holly J. Gregory, Sidley Austin LLP, “Board Oversight: Key Focus Areas for 2022”, Harvard Law School Forum on Corporate Governance (5-1-2022).

5. Companies Act, 2013.

6. IMF, eLibrary, “Compliance Risk Management: Developing Compliance Improvement Plans” in Technical Notes and Manuals, Vol. 2022 Issue 001 (2022) (imf.org).

7. IMF, eLibrary, “Compliance Risk Management: Developing Compliance Improvement Plans” in Technical Notes and Manuals, Vol. 2022 Issue 001 (2022) (imf.org).

8. Institute of Internal Auditors, The IIA’S Three Lines Model: An Update of the Three Lines of Defense, <https://www.theiia.org/globalassets/documents/resources/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense-july-2020/three-lines-model-updated-english.pdf>.

9. IMF, eLibrary, “Compliance Risk Management: Developing Compliance Improvement Plans” in Technical Notes and Manuals, Vol. 2022 Issue 001 (2022) (imf.org).

10. This assessment is done through collection of first-hand data on tools available in Indian jurisdiction for risk assessment.

Join the discussion

Leave a Reply

Your email address will not be published. Required fields are marked *