As I pen this article the world is grappling with an unprecedented global event, COVID-19, affecting each and every one of us, personally as well as the global economies. In this evolving economic environment, the Regulatory Universe in New Zealand through the extensive regulatory work currently underway in the Financial Services sector is having to be nimble and agile in its response to current deadlines with areas such as FAP licensing and FSLAA which have now been delayed for at least 6 months. Business Continuity Plans and Disaster Recovery Operations are now in overdrive and as we look towards economic recovery on the other side of this global event we need to reflect on our risk models and plans to assess areas of improvement, having taken away learnings from this experience.
Previous articles in this series include “Ensuring Regulatory Compliance Talent Outlook 2020” and “Regulatory Compliance Roles and Responsibilities (Part 1)” where I explored how embedding compliance with all key legislation in the organisation as a function of certain critical activities stems from collaborations across key governance functions such as Legal, Compliance, Risk Management, and Internal Audit which all form part of the “three lines of defence”. I also think that the forward-thinking businesses are not considering this as a legislative compulsory requirement but how this benefits both people in their business and their customers. We will now in this final part in the series unpack and identify particular areas in the three lines of defence namely Legal/Compliance | Risk Management | Business Operational Compliance | Internal Audit.
Legal / Compliance – When an organisation reviews its Legal and Compliance functions they will decide on it as an integrated function or operating as two separate units. Several factors are taken into account usually through consideration for the complexity, size, and structure of the organisation. The role of a Compliance Officer does not necessarily need to have a legal background, whilst this would be a prerequisite for a Legal Officer, he/she will also handle litigation. Although, legal training is advantageous when it comes to interpreting statutes and contracts related to regulatory compliance and to navigate through the forever changing regulatory requirements and making this palatable in a commercial sense.
The responsibility of the Legal/Compliance function is to stimulate and train the board and management on legislation pertinent to the organisation. The Legal and/or Compliance function should undertake to compile and maintain a regulatory universe for the organisation at all times and the facilitation of risk prioritisation of all pieces of regulation. This should be achieved by working together with the Risk Management team and using the organisation’s risk management framework. Regular Compliance reporting is essential in this role.
Risk Management – The Risk Management function should support the Compliance Office with the risk rating of the relevant regulation once the requirements of regulation become operational in the organisation. The compliance risk register will show both the inherent and residual ratings of each piece of regulation, based on impact and the likelihood. The business should have its own Operational Compliance Officer who works closely with the Legal/Compliance Officer, and their role is to commence the operational monitoring of compliance of the business processes to the legislative requirements utilising the information pack as reviewed by the Legal/Compliance function. Again, depending on the size and maturity of the organisation, the roles of the Legal/Compliance Officer can be combined with that of the Operational Compliance Officer.
Business Operational Compliance – Once the Legal/Compliance function has then effectively identified and interpreted compliance requirements and facilitated the risk ratings on the Compliance Register the business is responsible for ensuring the implementation of such compliance. The business should be able to then provide Internal Audit with the regulatory universe of the organisation for the commencement of a compliance audit.
Internal Audit – Internal Audit, as the assurance provider, is responsible for reviewing the adequacy and effectiveness of the functioning of controls implemented by management to ensure compliance with regulatory requirements. An Internal Audit function when conducting a review of compliance within the organisation, generally spans Regulation, Policy, Procedures and Systems/Processes.
Following the audit review the Internal Auditors should be able to validate and provide input on impacted areas of the organisation with respect to their processes, systems, and policies; existing controls and additional controls; risk exposure and importantly who the responsible and affected parties are to continue through to the monitoring plan and the business units compliance.
The contents of this article and previous parts to this series are a high-level interpretation of the integrated role of the functions and I hope that I have given some insight into the level of specialism that a career in Risk & Compliance can offer even those with transferable skills from areas such as legal; external audit/accounting to those with direct product knowledge. Whilst the world grapples with COVID-19 I believe that upon us getting back to Business As Usual the Risk & Compliance function in our organisations will be an even greater growth area as boards will wish to further expand the Regulatory universe.
As mentioned earlier on in this article, should you be looking for career guidance; an international talent looking to embark on a new life in New Zealand or just wanting some insights as to your next step in your New Zealand career, we at Tyler Wren can offer insight into developing your Risk & Compliance career. Please do get in touch gbloxham@tylerwren.co.nz or 09 974 9072.