2. Outline
Introduction
Risk-based Approach
Functions of a Compliance Department
Roles of the Board and Management
Internal and External Drivers
Risks and Consequences for Non-Compliance
Required Measures
Developing an Effective Programme
Integrating Compliance with ERM
FITC Compliance Risk Mgt Workshop - April 2013
3. What is Compliance?
According to the International Compliance Association, the term Compliance describes the
ability to act according to an order, set of rules or request. In business, it operates at two
levels:
Level 1: Compliance with the external rules that are imposed upon an organisation as a whole
Level 2: Compliance with internal systems of control that are imposed to achieve compliance with
the externally imposed rules
Investorwords.com describes it as “The state of being in accordance with the relevant
Federal or regional authorities and their requirements.”
In summary, Compliance describes the act of adhering to a pre-determined set of rules
whether they are internal policies and procedures or externally driven statutory or
regulatory guidelines and rules. Compliance also assures that best practices are upheld in
the organization.
Compliance Risk is defined as the current and prospective risk to earnings or capital arising
from violations of or non-conformance with set rules and regulations, best practices,
internal policies, and ethical standards. Compliance Risk also arises where the laws
governing products or services offered by the organization are vague or untested.
4. Risk-based Compliance Approach
Enables expedient deployment of resources to specific / required areas
Puts in place steps for identifying and assessing compliance risk exposures
Ensures the application of appropriate compliance measures for controlling related
risks
Benefits:
Tailored compliance strategies for effectively dealing with key compliance risks
Efficiency gains; improved compliance adherence outcomes
Reduced financial losses
Greater support from the business for compliance and risk management processes
5. Functions of a Compliance Department
Identification of Related Risks: recognize regulatory risk exposures in an
organisation and advise accordingly
Awareness: Establish and communicate the organization’s compliance policy
to ensure that it is observed
Monitoring and Detection: continuously review and report on the
effectiveness of controls put in place to assure effective Compliance Risk
Management
Prevention: ensure design and implementation of controls that would
protect an organisation from Compliance Risk exposures
Resolution: have strategies in place to ensure timely management and
redress of Compliance Risk exposures as they crystallize or are identified
Consultation: provide advice to the Board and Management of the
organization on new trends, risks identified and controls required
6. Roles and Responsibilities of the Board and Mgt in
Regulatory Compliance
The Board
• Oversight function over all compliance functions in the Bank
• Reviews Compliance reports periodically at Board meetings to ensure that the organization
complies with all regulatory and internal procedures
• Ensures that the provisions of the organization’s Compliance policy are strictly adhered to
Management
• Ensures the execution of and adherence to the Compliance Policy stipulations
• Ensures that a centrally controlled Compliance function, led by a Chief Compliance Officer,
exists to manage compliance exposures organization-wide
• Provides sufficient resources and ensures that compliance functions are properly carried
out, staff are adequately trained, and the periodic audit of the compliance function and
framework is conducted
7. What drives Compliance Exposure Internally and
Externally?
Internal Policies
These ensure that all staff comply with the organization’s internal rules and
regulations that govern its business model, corporate objectives, ethical
standards, Code of Corporate Governance and the Code of Professional
Conduct
The Chief Compliance Officer should monitor the development and
implementation of these policies and ensure consistency with regulatory and
legal stipulations; the Compliance Group in liaison with Management should
ensure that no regulatory guideline is violated or breached in the
implementation of its internal policies and procedures
Corporate Governance should be ensured in the development and
implementation of internal policies, and all Members of staff should comply
with all internal policies
8. What drives Compliance Exposure Internally and
Externally? (cont’d)
Laws and Regulatory Guidelines
The Compliance function advises and monitors adherence with all legal,
statutory, regulatory guidelines affecting the organization by ensuring
transparent practices fashioned along local / international regulatory
standards, and global best control practices are upheld
Compliance with the Code of Corporate Governance issued by key local
regulators (such as the Securities and Exchange Commission and the Central
Bank of Nigeria) and globally accepted standards such as Sarbanes-Oxley
should be taken into consideration in drafting the policies and procedures of the
organization
The Compliance function should ensure that all stakeholders are aware and
adhere to local and international regulatory requirements; it is important
that policies are drafted in line with relevant local regulations in all
jurisdictions where the organization is operational
9. What drives Compliance Exposure Internally and
Externally? (cont’d)
Laws and Regulatory Guidelines (cont’d)
The guidelines of the key regulators in the home country of the organization
must be upheld at all times
Periodical review and update of all laws, policies and regulations affecting the
organization should be ensured
Compliance levels organization-wide should be ascertained, and staff notified
of new and revised policies and laws
10. What drives Compliance Exposure Internally and
Externally? (cont’d)
Rendition of Returns
All regulatory and statutory returns and reports should be rendered to
regulators and law enforcement agencies as and when due to improve the
organization’s rating by regulators and minimize sanctions and penalties
against the organisation
Maintaining a tracking system that would ensure timely and correct
rendition of returns is required
Business areas that breach the stipulated timelines should be appropriately
sanctioned to ensure that the discipline required is inculcated organization-
wide
11. What drives Compliance Exposure Internally and
Externally? (cont’d)
Relationship Management
The Compliance function ensures timely and satisfactory responses are
provided to regulatory enquiries in compliance with the laws and regulatory
requirements
It liaises with external regulators and law enforcement agencies on its
compliance responsibilities by maintaining an open, honest and transparent
relationship with these authorities
12. Risks and Consequences for Non-Compliance
Sanctions and penalties
Increased customer complaints
Costly errors made by the organization
Financial losses / Increased expenses
Poor rating by External Auditors, Regulators and Rating Agencies
Loss of licence
13. Required Compliance Measures
Advice – Agencies respond to direct requests for advice or proactively make
contact with people or businesses to inform them of their obligations
Guidance material – These materials are made available on agency websites or
through pamphlets to explain requirements
Education campaigns – Agencies advertise to inform people and businesses
about laws to persuade them to comply; these campaigns usually explain the
reasons why regulations are in place or the negative impacts of non-
compliance
Warnings or cautions – A person or business is warned or cautioned that
they have not complied with regulatory requirements and that they may be
penalised for this
14. Required Compliance Measures (cont’d)
Monitoring measures (data collection, auditing and inspection) – Data
collection from people and businesses for regulatory compliance purposes;
Auditing / spot checks of the regulatory compliance records of people and
businesses; Inspection of the activities of people or business to check
compliance with the regulations
Publication of names of offenders – Review details of people or businesses
that have breached regulations
Enforceable undertakings – After a requirement is breached, some agencies
accept undertakings from non-compliers to do certain things to remedy
breaches; penalties exist for failure to comply
15. Required Compliance Measures (cont’d)
Improvement notices – An agency requires a person or business to comply
with a requirement within a specified time frame with a failure to do so
resulting in a penalty
Prohibition notices – An agency requires a person or business to stop an
activity where a regulatory breach has occurred; the activity can continue
when the breach has been remedied
Penalty notices – An ‘on the spot fine’ is given for a breach of a regulatory
requirement; the person or business is required to pay or elect to challenge it
in court
Civil pecuniary penalties – A right created under legislation for a person or
business to claim compensation from another party for a regulatory breach
16. Required Compliance Measures (cont’d)
Injunctions – A court order that stops a person or business from continuing
to do a particular thing after a regulatory breach
Negative licences – The person is restricted from undertaking an activity that
otherwise requires no authorisation
Action against licences/accreditation/certification – The authorisation of a
person or business to undertake an activity is restricted or withdrawn after a
failure to comply with the conditions of the authorisation
Criminal prosecution – Legal proceedings are brought by the agency against
a person or business because the law has been broken; a decision to
prosecute is made when it is considered to be in the public interest; a range
of very serious penalties can be given to a person found guilty of a criminal
offence including large fines and imprisonment
17. Developing an Effective Compliance Programme
• Describe the meaning of compliance for your organisation and its response to
its relevant demands
• Know what drives your compliance exposure both locally and abroad;
internally and externally
• Identify the risks and consequences of non-compliance on the continued
existence of your organization
• Appreciate and demonstrate in simple understandable ways, the
relationship between corporate governance, risk management and
compliance (GRC)
18. Developing an Effective Compliance Programme
(cont’d)
• Ensure delineation of the roles and responsibilities of the Board of Directors
and Management in managing Compliance Risk
• Understand the implications of regulatory guidelines for corporate
accountability and ethical behaviour
• Develop an effective, fit-for-purpose compliance programme
• Ensure full integration of the organization’s ERM in optimising relevant
structures and procedures for both compliance and proactive risk
management
19. Integrating Compliance with ERM
Largely driven by IT Compliance strategies
Ensure that ERM systems have modules for monitoring compliance with
internal and external policies
IT Governance strategies should take into consideration procedures that
drive and monitor Compliance risks organization-wide
IT should drive the integration of Governance, ERM and Compliance for
optimal output and value add from these three key elements of business
management to the success of the organization
Assures proactive and holistic risk management
20. Integrating Compliance with ERM
for Proactive Risk Management
21. “The fact was that I was not a master of my actions, because
I was not so insane as to attempt to bend events to conform
to my policies. On the contrary, I bent my policies to accord
with the unforeseen shape of events” – Napoleon Bonaparte
“YOU CANNOT ALLOW ANY OF YOUR PEOPLE TO
AVOID THE BRUTAL FACTS. IF THEY START LIVING
IN A DREAM WORLD, IT’S GOING TO BE BAD.” -
GENERAL JAMES “MAD DOG” MATTIS