The gold standard for the success of a compliance management system is a clear allocation of responsibilities within the business. Having management and staff understand their responsibilities across the organisation will mean they better understand the organisation’s policies and operational procedures.
In large companies (such as the banks), the “Three Lines of Defence” model is used but this model can also be implemented in SMEs. The Three Lines are:
1. Business
Business includes senior management, employees and contractors and they are responsible for “complying”. That is, they need to “do” and “own” compliance as part of their embedded business strategy, structure and operations.
2. Compliance Team
This is often the designated Compliance Manager, but it could be the person in charge of operations in a smaller business. This person is responsible for the compliance program and can be anyone who has subject matter expertise who can ensure compliance is done properly.
3. Audit
This is the internal and external audit function or anyone who is an independent expert who checks on the effectiveness of controls in place to address compliance risks.
In our experience, SMEs will often find the concept of the business owning compliance a foreign concept.
Most staff and management expect the designated compliance manager to “own” compliance but by making it clear that the business owns it then they will take responsibility. That is, they will take responsibility for develop the policy, procedures, controls, conduct training and have oversight.
The compliance officer or manager would work with the business as a subject matter expert in the process, actively engaging in the design, development and problem solving, as well as alerting management to the standards that are required to be met (legislative and regulatory requirements should be subject to review and sign-off of legal officers and/or the compliance team).
The compliance team will also monitor implementation to ensure the risk have been addressed, and will work with the business to implement changes to the program as required. The audit team will review the effectiveness of the controls at regular intervals.
If you would like to implement an effective compliance management system, then ACY Advisory can help!