Compliance – Often an overlooked risk
“At his best, man is the noblest of all animals; separated from law and justice he is the worst” – Aristotle
Regulatory compliance has often been at the bottom of the priority list of organisations in Namibia, but this has been slowly changing over the past couple of years. The low priority has often been attributed to the lack of effective control and enforcement of legislation by the relevant regulators. It is no secret that Namibian regulatory authorities have faced and are currently facing several difficulties enforcing the law, mainly due to a lack of staff, a lack of expertise and/or knowledge of the regulated industry, vague legislation that leaves loopholes, and a lack of teeth in the legislation that would allow for effective and appropriate action by the regulator. Unfortunately, enacting legislation does not guarantee compliance and order in society. “One of the greatest delusions in the world is the hope that the evils in this world are to be cured by legislation” – Thomas Reed.
Keeping an organisation compliant with ever-changing regulatory requirements, both local and international, can be challenging. In Namibia alone there are over 600 legislative acts (though which of them apply depends on the industry). However, an organisation that does not recognise the importance of establishing a compliance function and/or embedding a culture of compliance is not managing its risks adequately. Risk management is systemic and pivotal to any organisation’s management system and is applicable to all sectors, at both the primary (government) and secondary (institutions) levels of society.
The most important question all Chief Executives, Boards and their sub-committees should be asking themselves is – what compliance facts should I know and what questions should I be asking?
Here are a few of the corporate myths surrounding compliance, with the typical responses to them as highlighted by the Compliance Institute of South Africa:
Compliance department takes care of compliance
Every employee of an organisation must understand compliance, both from a broader company perspective and from the perspective of their own role or job. Compliance will always remain the ultimate responsibility of the organisation’s management; the compliance department only assists management in discharging this fiduciary responsibility.
Compliance is time consuming and expensive
A compliance function without a monitoring programme is described as “an elephant without a trunk. It smells nothing and has a vastly diminished profile.”
There is no point in trying to be partly compliant. The time and cost involved in doing it right the first time are greatly outweighed by the penalties and associated costs (including reputational damage) that would result from non-compliance.
Companies want to transact with other companies that are compliant with relevant legislation and operate above board. This is also one of the reasons that certificates of good standing are requested during tenders.
Compliance Officer must be a lawyer
There is a major difference between legal and regulatory compliance. Whilst a compliance officer should have a working knowledge of the legislation, it is more important to have knowledge of compliance risk management methodology, the practical skills to apply that knowledge, and relevant work experience. Understanding the business is also a key skill for the compliance officer.
Compliance is only for large entities and multi-nationals.
Irrespective of the size of the entity, compliance is required of all in order to limit exposure to potential penalties and other consequences. Regulatory compliance is necessary to safeguard companies from regulatory and reputational risk.
Though setting up a compliance framework and plan takes some focused effort, it is usually a one-time activity that establishes the base from which management and the compliance officer can carry out their ongoing activities.
A Compliance Risk Management Plan (CRMP) is the generally accepted starting point for a compliance function. It serves, inter alia, to prevent, detect, and correct any abuse of the company’s resources and to create a culture that promotes the understanding of, and adherence to, the applicable laws and regulations that govern the organisation. The common steps involved in setting up a CRMP are:
- Listing and understanding the legislative universe applicable to the organisation and its industry of operation;
- Shortlisting the key pieces of legislation that would have a material impact on the organisation, based on an open discussion with management (usually limited to the top five);
- Identifying the applicable clauses / sections within the shortlisted legislation that set out the obligations of the company and the associated penalties for non-compliance; and
- Developing plans for each identified piece of legislation and formulating compliance monitoring procedures that can be conducted to provide assurance on compliance going forward.
KPMG can assist organisations with drafting the CRMP and can provide a more holistic view of compliance with regulatory changes across the enterprise, developing flexible and adaptable frameworks for managing change that are wholly aligned to the organisation’s current strategic initiatives. Such a framework is intended to improve compliance and enhance risk management processes in the organisation.
For more information on compliance policies and frameworks, compliance awareness training, CRMPs, and monitoring and reporting service offerings, contact:
Johannes Engelbrecht (Kennedy) (firstname.lastname@example.org) at KPMG Namibia in Windhoek. Kennedy is a Supervisor within KPMG’s Advisory Services and has been part of various legislative compliance audits/reviews, risk-based operational internal audits, and compliance and risk management engagements in Namibia.
Disclaimer: The content of this article is subject to the disclaimer which can be found at http://www.kpmg.com/na