Compliance Frameworks: Getting Clarity on Appropriate Structure and Depth
In our work with various types of financial services organisations, we are often surprised by the lack of sophistication of the compliance frameworks in place at large and sophisticated players that face considerable compliance risk exposures (financial and reputational). Also surprising are the onerous expectations placed upon small and niche players by auditors and other external stakeholders.
In this commentary, we explore:
1. The key elements of a compliance framework
2. Options available to organisations in designing a compliance framework that is fit for purpose for their business
3. Minimum regulatory obligations imposed by APRA and ASIC in this regard
4. Options available within governance, risk and compliance (GRC) systems to automate and digitalise compliance processes and procedures
Key Elements of a Compliance Framework
A compliance framework comprises the policies, plans, processes, procedures, registers, calendars, resources, training programs and systems used to identify the compliance obligations that apply to the organisation and to manage adherence to them.
There are a number of ways to document the elements of a compliance framework. Organisations should select an approach that is fit for purpose for the size, nature and complexity of their business operations, that can be kept current with the resources available for compliance management, and that will deliver effective risk-based outcomes in respect of key compliance obligations.
What is a Compliance Policy?
A compliance policy or compliance framework document is a policy statement outlining the elements of the compliance framework implemented by the organisation and the approach adopted to ensuring compliance with all relevant compliance obligations.
A compliance policy typically includes:
· Roles and responsibilities for compliance management, including those of the Board, committees, management, the compliance function and all staff.
· The key pieces of legislation that govern the relevant compliance obligations.
· Systems or approaches used to manage oversight of adherence to compliance obligations, including compliance attestations.
· Processes for internal and external testing and review of adherence to compliance obligations.
What is a Compliance Plan?
A compliance plan is a more detailed document that sets out the content of a compliance policy, as described above, and also includes a series of tables summarising the key compliance obligations in each of the relevant pieces of legislation with which the organisation must comply.
The tables in a compliance plan also typically include the following specifications:
· Risk of non-compliance.
· Obligation owner.
· Associated controls.
· Review / attestation frequency.
Responsible Entities (REs) of registered investment schemes are required to comply with RG 132: Funds management: Compliance and oversight (RG 132), which includes specific obligations in respect of the need to document and implement a compliance plan, have an annual external audit of adherence to the compliance plan, maintain a compliance committee of specified composition, provide the compliance plan audit report to the compliance committee for review, and submit annual lodgements to ASIC in respect of the compliance plan audit.
Under section 601HA of the Corporations Act, the compliance plan must set out adequate measures that the RE will apply when operating the registered scheme to ensure compliance with the Corporations Act and the scheme’s constitution.
When assessing the adequacy of compliance plans of REs, ASIC considers whether (per RG 132.17):
(a) the compliance controls in the compliance plan are aligned with the RE’s values, objectives and strategy, taking into account the nature, scale and complexity of the particular registered scheme;
(b) the compliance controls reflect the actual procedures, processes and practices of the RE and the registered scheme;
(c) there is a clear and demonstrated nexus between the compliance obligations and compliance controls;
(d) the compliance controls are set out with enough certainty to allow the RE, ASIC and the auditor of the compliance plan to assess whether the RE has complied with the compliance plan;
(e) the compliance plan is written in a clear manner so that it is usable by its target audience;
(f) the compliance plan provides for identified functional roles for carrying out a particular compliance control and the monitoring of that compliance control;
(g) the frequency and quantity of compliance controls, and their monitoring, are sufficient to effectively manage the compliance risks;
(h) compliance with the compliance controls is monitored, the processes for monitoring performance of the compliance controls are described with sufficient details and certainty to ensure whether they will be or have been complied with, and any non-compliance is reported to the compliance committee, the board or ASIC as required; and
(i) the compliance plan is maintained so that the compliance controls, and the performance of those compliance controls, are adequate in light of any changes to the registered scheme, the RE or the environment in which they both operate.
What is a Compliance Register?
A compliance register or obligations register can support the implementation of a high-level compliance policy with a granular listing of all compliance obligations that are relevant to the organisation. These registers are typically far more detailed than the summary tables included in a compliance plan.
As with compliance plans, compliance registers also typically include the following specifications, albeit in respect of a more granular listing of all relevant compliance obligations:
· Risk of non-compliance.
· Obligation owner.
· Associated controls.
· Review / attestation frequency.
What is a Compliance Calendar?
A compliance calendar is a listing of key compliance tasks that must be completed on a routine basis by the organisation by specific dates during the calendar year.
In some cases, compliance calendars are designed to be limited to the regulatory reporting and lodgement obligations that apply to the organisation. In other cases, compliance calendars are designed to include all internally and externally driven compliance activities during the calendar year. These activities may include all staff compliance attestations, external representative or service provider compliance reports, professional indemnity insurance renewal submissions, internal policy requirements with time-based specifications, etc.
Under paragraph 43 of CPS 220 Risk Management, an APRA-regulated insurer or authorised deposit-taking institution must have a designated compliance function that assists senior management of the institution in effectively managing compliance risks.
The compliance function must be adequately staffed by appropriately trained and competent persons who have sufficient authority to perform their role effectively, and have a reporting line independent from business lines.
No equivalent requirements have been prescribed under SPS 220 Risk Management for superannuation funds, which is quite surprising, given the scale and risk associated with many superannuation funds. Nonetheless, most superannuation trustees implement compliance functions and frameworks that are appropriate to manage the compliance risk exposures facing their businesses, as one of many types of risks that must be resourced and managed across the operations of the fund.
Under paragraphs 23-33 and 41-58 of RG 104: AFS licensing: Meeting the general obligations (RG 104), ASIC requires regulated entities to have measures for ensuring compliance with relevant obligations. The expression ‘measures’ or ‘compliance measures’ refers to your processes, procedures or arrangements for ensuring that, as far as reasonably practicable, you comply with your obligations as a licensee, including the general obligations.
ASIC expects licensees to:
(a) document your measures in some form;
(b) fully implement them and monitor and report on their use; and
(c) regularly review the effectiveness of your measures and ensure they are up-to-date.
The appropriate extent of measures will be affected by the nature, scale and complexity of your business. Documentation helps you demonstrate whether or not you are complying with the general obligations.
When you document your measures, ASIC expects this will include details of who is responsible, the timeframes involved and the associated record keeping and reporting. In respect of accountability, ASIC expects licensees to allocate a director or senior manager who has responsibility for overseeing your compliance measures.
However, it is not enough just to document your measures. You also need to fully implement them. This means you need to put them into practice and integrate them into the day-to-day conduct of your business. For measures to work effectively in practice, you need people at all levels of your business, including your senior management, to understand them and be committed to their success. Integrating your measures into the culture of your business helps ensure they are effective on an ongoing basis.
You also need to monitor and report on your compliance, including reporting relevant breaches to ASIC under s912D. ASIC expects that you will keep records of your monitoring and reporting, including records of reports on compliance and breach notifications, and be able to demonstrate how you monitor your compliance and appropriately address any compliance breaches.
Regularly reviewing your measures will help to ensure they remain effective. In some cases, it may be sensible for you to consider external review. Where compliance issues have arisen (such as major breaches or repeated compliance failures), external compliance review is particularly appropriate.
You need to review your measures when there are changes to your obligations, your business or the environment in which you operate. ASIC expects that you will have a process for identifying changes that may impact on the effectiveness of your measures.
As noted above, REs have a range of additional compliance obligations relating to compliance management, per RG 132.
Integration of Compliance Measures with Risk Management Framework
ASIC’s observation is that it is common for some licensees’ compliance measures to be integrated into their risk management systems. Compliance measures can be one of several controls you can use to address or mitigate risks to your business (including the risk of non-compliance with your obligations under the Corporations Act). This approach is expressly facilitated under paragraph 49 of RG 104.
Automation Options – GRC Systems
Some organisations choose to manage their compliance obligations via a manual approach, with spreadsheets, emails and word-based reporting templates. Others choose to leverage a GRC system to automate the associated processes and body of reports.
Interestingly, the use of a GRC system solution to date does not always appear to be correlated with scale and complexity, but can be influenced by a range of other factors such as budget constraints, risk and compliance resourcing, management philosophy and strategic priorities.
It is also important to note that whether or not a GRC system solution is implemented does not necessarily correlate with the quality of risk and compliance outcomes. It is often the way in which the selected approach (i.e. system based or manual) is implemented that shapes the risk and compliance culture and drives the outcomes in practice.
Nevertheless, a number of institutions are currently looking to replace and uplift their existing GRC system solutions, while others are in the process of implementing a GRC system solution for the first time, having relied on manual spreadsheet approaches in the past.
Breadth of System Functionality
When evaluating the pros and cons of implementing a GRC system, and comparing the alternative offerings available in the market, there is a lot to consider in terms of breadth of functionality, including that in respect of compliance specifically. Some of the key modules available within various systems include:
· Obligations registers.
· Compliance control registers, attestation tracking tools and control effectiveness reports.
· Breach, incident and near miss registers.
· Complaints registers.
· Occupational health and safety registers.
· Policy document repositories.
· Conflict of interest registers.
· Outsourcing / procurement registers.
Enterprise Risk Management
· Risk registers (inherent / residual) and risk profile maps.
· Risk control registers, attestation tracking tools and control effectiveness reports.
· Risk appetite and tolerance tracking tools and reports.
Reporting / Analytics
· Dashboard / overview reporting aligned to various user profiles.
· Summary / detail reporting per function (e.g. risk reporting).
· Reports that are suitable to provide direct to executive / committees / board without alteration.
Automated Feeds of Compliance Obligations
An important consideration in evaluating the benefits of utilising a GRC system solution and selecting a preferred provider is the availability of an automated feed of updates to compliance obligations for the relevant organisational structure and operating sector(s).
There is a substantial amount of effort and resourcing commitment involved in the development and maintenance of compliance obligations registers, particularly in the current environment of escalating compliance requirements.
As such, the availability of standardised and pre-vetted registers of compliance obligations that can be reviewed for application in the circumstances of the relevant entity, and updated via review of automated feeds, can be incredibly beneficial. This allows the organisation to progress with other strategic, risk and compliance priorities, while having comfort that the basic system infrastructure for managing business-as-usual legislative and regulatory compliance is in place and operating effectively.
Developing robust and effective compliance frameworks, functions and systems can often be put to the bottom of the pile amid the unending to-do list in the governance, risk and emerging compliance space.
Based on our observations, we think it is worth the effort and investment. Otherwise, you’ll always find yourself chasing your tail.
Hall Advisory specialises in governance, risk, compliance and strategic advisory services across the financial services sector.
In respect of compliance frameworks, we can assist you with:
· Independent review of the adequacy and effectiveness of your current compliance framework.
· Uplift of your compliance framework to meet regulatory and business requirements, in a fit for purpose manner.
· Development and implementation of compliance policies, plans, registers and calendars.
· Assessment of your organisation’s compliance culture.
· Development and facilitation of compliance training programs.
· Selection and implementation of GRC systems.
Contact us for a confidential, no-obligation consultation to talk about how we can support you on your compliance journey.
Disclaimer: Hall Advisory has selected ReadiNow as its preferred GRC system and acts as an authorised reseller of the ReadiNow solution.