What makes a Compliance Framework effective?
As a compliance consultant, one of the first things I want to understand about a client is their compliance framework. While it can be a subjective concept, I love the term ‘framework’ - it could include a whole variety of documents, systems and controls, and can give room for interpretation. Some, however, may find it confusing. So, let’s take a brief tour of the key facets of an effective compliance framework.
There are various processes and documents involved; however, today I’ll introduce just a few areas that I would describe as the ‘backbone’ of compliance. These are important areas to get right, as they could make or break how effective your business is in complying with its obligations.
Looking at the Business Risk Assessment
An easy way to understand a firm’s approach to compliance is through its Business Risk Assessment. In Guernsey, this Board-level document focuses on the firm’s financial crime risks in particular (rather than the wider regulatory risks), but compliance personnel would find it an extremely helpful starting point for gaining a detailed understanding of:
- The products and services provided by the firm;
- The firm’s target client base;
- The Board’s approach to risk management;
- Key compliance policies, procedures and controls.
An effective Business Risk Assessment will also provide a compliance officer/consultant with an idea of any areas which require additional controls or monitoring, which should help to inform the next piece of the framework - the Compliance Monitoring Programme (CMP).
The Compliance Monitoring Programme
The CMP is the central piece of the compliance framework, providing the mechanism for the monitoring and testing to be conducted by the compliance team. This must be tailored to the firm, and act as a reliable and effective piece of evidence that the firm is operating responsibly within its regulatory requirements. My approach to designing an appropriate CMP usually takes the following steps:
- Mapping - set out the key rules as relevant, documenting the methods used by the firm to comply with each area - i.e. the specific policies, procedures and controls in place;
- Assessment - review the above mapping and determine whether testing/monitoring is needed, and if so how frequently. Ensure all decisions are documented and justified;
- Test design - by grouping rules/requirements together in similar subject areas, we can make a streamlined set of tests to cover multiple rules at once. Understand the controls from the Mapping area to ensure the test instructions are clear and helpful;
- Scheduling - with the above mapping and assessment in mind, determine when in the year each test should be scheduled. Try to take account of the timing of other key deliverables (e.g. large regulatory returns) to avoid bottlenecks;
- Reporting - consider the format you want your reporting to be in - do you need to extract a summary from the CMP into your compliance report? Do you need the CMP to act as the report itself? Or is the CMP testing area clear enough for you to review and choose the areas to include in your report separately? Whatever your approach, it’s important there is a clear link from your Board report to the CMP findings.
Of course, everyone is different; I have adopted the above approach over many years of designing bespoke programmes for myself and others, learning about how my brain works most efficiently. Some people (like me!) are more visual than others, so need clear prompts, colour coding etc.; others may need more distinct and descriptive instructions, and some may need more automated workflows. However, the litmus test should always be: if someone outside of the compliance function (e.g. the Board, the Regulator) picked up the CMP with fresh eyes, would they be able to understand it? And is there enough detail to evidence the results and findings?
Board oversight and approval
A key element of a compliance framework is the oversight by the Board of Directors. Ideally, at the start of each year the compliance officer should review and report on the findings of the closing CMP, and determine whether any changes are necessary to the CMP outline for the coming period. A summary of the CMP and areas to be tested should be presented to the Board for approval - the Board should also be prepared to scrutinise and challenge the compliance officer in their testing methodology.
Together with the analysis within the Business Risk Assessment, the Board should understand the key controls in place which are monitored by the CMP. Any areas requiring improvement or mitigation should be added to the CMP, or dealt with in a relevant thematic review programme to support the compliance framework.
Independent audit of the compliance framework
It is becoming increasingly important to validate the effectiveness of a firm’s compliance framework, which can be difficult to achieve within the confines of a firm’s internal capacity. As part of the Board’s oversight and to provide guidance for in-house compliance teams, we can provide an independent audit of your compliance framework, from your CMP and Business Risk Assessment, to your policies and procedures.