The cost of non-compliance

Monday 20 November 2017

As the denouement in the BBSW case continues to unravel, perhaps it was the comments of Brock Johnson, former NAB employee, that have proved most chilling.

According to the AFR, when Justice Beach inquired whether Johnson had read the Australian Financial Markets Association (AFMA) rules, he responded, "We had some training but no, I had not read the AFMA rules".

His simple statement represents an attitude risk and compliance professionals struggle to tackle within their organisations.

In a recent interview, to be published in the final Quarterly Edition of GRC Professional, Graham Caddies, Principal Consultant, Trainer and Auditor for Advance ProfitPlan (APP), said that, while sitting at the Conference, he heard several risk and compliance professionals talking about the challenge of getting that buy-in from the business.

Well, quite frankly, if they took off their compliance hats and started engaging with the people and being a part of the team, they would soon be there.

Unfortunately, for many risk and compliance professionals, getting that buy-in and having the business see compliance as part of their BAU remains a challenge, particularly in spaces where compliance is still seen as a roadblock rather than an enabler that assists the business to do what it needs without incurring major penalties and fines.

In the Thomson Reuters’ Cost of Compliance survey for 2017, they divided the typical week of a compliance officer into five separate tasks.
  • Tracking and analysing regulatory developments
  • Board reporting
  • Amending Policies and Procedures
  • Liaison with control functions
  • Other compliance tasks 

From the above figure, you can see that it is the other tasks that dominate the compliance professional’s time.
So what are these other compliance tasks? According to the Thomson Reuters’ report, these include:

  • Interaction with regulators
  • Maintenance and renewal of licenses and registrations for regulated business activities and individuals
  • Regulatory inspections and examinations
  • Regulatory reporting
  • Project management of regulatory implementation projects
  • Compliance monitoring
  • Compliance training
  • Past business reviews and assessing lessons learned from industry peers
  • Leading on implementing cultural change
  • Advising the business on regulatory change and requirements
  • Lobbying and influencing emerging regulatory change
  • Assessing regulatory solutions
  • Oversight of conduct risk issues which affect customers, including cyber resilience
  • Recruitment and retention of skilled compliance staff
  • Acting as money laundering reporting officer (MLRO) and data protection officer (DPO)
With all this on their plate, compliance professionals who follow Caddies’ advice should automatically be in a position to help the organisation see their responsibilities. Yes?

In her article, The Role Clarity and the Three Lines of Responsibility, published in the 2017 edition of the GRC Journal Volume 11, Annette Donselaar writes that:

Ideally, in an organisation with a mature compliance program, each staff member will assume responsibility for compliance as part of their normal role. In practice, however, compliance professionals often feel they, alone, carry the responsibility when implementing a compliance process.

That is where the challenge lies.
More relevant to Brock Johnson’s statement, Donselaar gives an example of one of the frustrating questions often posed by the business that does not appreciate its responsibilities:

But we communicated the policy and attended the training—isn’t that enough?

The question for compliance professionals, then, is how to move from this to a situation where compliance is appreciated as a business-wide responsibility?

How does a risk and compliance professional deliver news, either good or bad, as Dr Alicia Fortinberry addressed at the GRC2017 Conference, in such a way that it effects the right kind of change?

How do you develop and utilise those ‘soft skills’ to communicate effectively across the organisation?

How do you get the Brock Johnsons of the world to stop and think of the outcomes of their behaviour from a consumer perspective? Or at the very least, ‘in line with the AFMA rules?’

To use the words of Deborah Latimer from Sector Seven Consulting, it is about ‘getting the want’ in the organisation.

Interestingly, Thomson Reuters’ Cost of Compliance 2017 report showed that 87% of their G-SIFI respondents think that the regulatory focus on culture and risk conduct will increase the personal liability of risk managers, while 73% of all firms see this increasing.

This suggests the high probability that many of these organisations are not seeing the opportunity but are viewing this as a cost centre.

The Benefit
The benefit here is that there will be a greater sense of the importance of compliance. Maybe the next time someone talks about the cost of compliance in business, they might be directed politely towards the exponentially-larger cost of non-compliance. The difference is where the value of effective GRC sits.