Why And How To Develop A Compliance Risk Management Framework

1. What is compliance risk management? 

Compliance risk management is the process of identifying, analysing and mitigating the potentially damaging effects of your company failing to comply not only with the law but with industry standards, policies and procedures. 

It includes the processes that you put in place to prevent non-compliance and, therefore, avoid financial sanctions, loss of business and reputational damage by guiding the organisation to maintain acceptable levels of risk in its operations. 

Compliance risk management and regulatory risk management are separate but linked. Regulatory risk relates to anticipating changes to legislation that will affect the business, whilst compliance risk strictly deals with current regulations. However, compliance risk does require organisations to prepare for future risk factors, too. 

2. What is a compliance risk management framework?

Your compliance risk management framework contains the standards, internal controls, business processes and procedures that all company stakeholders must follow in order to maintain compliance within the organisation. 

The framework embeds compliance into an organisation’s day-to-day operations, centralising the compliance efforts to include all elements relating to conduct, culture and ethics and improving oversight and risk control. Many companies base their frameworks on recognised structures and standards, including the COSO EMR framework and ISO 31000 framework.

Whatever framework you use for your inspiration, it should communicate a process that takes you from setting objectives to identifying risks, mitigating them and monitoring the efforts to ensure they work. 

3. Benefits of a compliance risk management framework

There are many benefits of creating a strong compliance risk management framework. They include: 

4. How to develop a compliance risk management framework

4.1 Understand regulatory compliance requirements

The first step to mitigating risk for the compliance function is to understand the particular compliance risks that affect your business. For example, if your entity in the EU has more than 50 employees, then you must comply with the EU Whistleblowing Directive as transposed into national law in the countries in which you have a presence. You are obligated to implement internal reporting channels for stakeholders to use when making reports of misconduct. You must also ensure an unbiased, competent party conducts investigations in a timely manner and that there is no retaliation against the reporting person. 

These are all compliance factors that you must feed through your framework to establish a process whereby you communicate and monitor the requirements to ensure they are implemented and observed. 

4.2 Define compliance strategies and goals

When you develop your framework, you should pay close attention to defining the strategies and goals you want it to feed into. 

This could be as simple as minimising the financial penalties that the company receives, but there are likely to be other important goals as well. You might want to reduce the number of internal investigations that take place, improve the compliance awareness of your employees or any number of other goals. 

You can categorise these into short-, medium- and long-term goals to help inform your strategy.

4.3 Identify your operational risks

Once you understand the regulations that relate to your business and have assessed your goals, you need to analyse the risks that are associated with them. Based on this, you can create a compliance risk assessment matrix to rank them in order of their severity. 

Consider the severity of each compliance risk, understanding the impact it would have on your business if it were to materialise. Also, take into account the probability of each risk; the likelihood that it will happen. 

Your most pressing risk factors are those that are imminent and will create the most detrimental impact. These should be your priority. Risks that are unlikely to happen and that would not affect the organisation too much can be placed at the bottom of your list. 

4.4 Review existing controls, policies and procedures

Your compliance framework doesn’t have to completely eradicate your previous compliance efforts. It could be that many of the controls, policies and procedures are working well for your risk profile. This is why you should take the time to review them, deciding whether they are effective and are still fit for purpose, given new legislation and technological advances. 

For example, you may have a policy for data processing within your company that was created with the assumption that all workers would be office-based and using company equipment. Given the growth of remote working and the increased number of employees using personal devices to work at home, you might need to update the controls in place to remain compliant with GDPR, for example. 

4.5 Determine how to reduce or mitigate risk levels

Once you know your most pressing compliance risks, you can put in place procedures to mitigate them most effectively. 

There are many ways to reduce the level of risk when it comes to compliance. One is to use automated compliance tools to improve the workflow of mitigating risk. For example, if your organisation regularly deals with inside information, MAR requires you to create insider lists. You also have to make every effort to ensure insiders acknowledge their addition to the list and fill in their details. 

In this case, you could use a tool, such as InsiderLog, to send automated reminders to all insiders until they fulfil this obligation. This helps you comply with the legislation and enables you to prove that you have made efforts to reduce this risk exposure. In the event of an investigation, InsiderLog maintains a record of all changes made to your lists and every attempt made to contact insiders. This produces an invaluable audit trail whenever you need to prove you took the necessary steps to reduce insider trading risk and stay compliant.

4.6 Improve compliance communication and training

Your compliance risk management framework should create processes for communicating compliance matters to all stakeholders and for facilitating training in order to ensure a consistent and effective response to current and forthcoming risks. 

Having procedures for compliance is important, but the compliance function must also fully prepare and equip those who will carry out these procedures with adequate resources. They should know what they are required to do, when they should do it and why these systems are in place. 

Without adequate knowledge of relevant legislation and compliance procedures, you will struggle to gain buy-in from anyone, regardless of their position in the company. 

4.7 Monitor, audit and test your reporting systems

As part of a speak-up culture, there should be reporting systems in place that encourage and allow for swift whistleblowing from other stakeholders. This means creating routes for confidential reporting and reducing the chances of retaliation as part of your internal controls. 

Using IntegrityLog, you can provide a confidential online reporting channel for whistleblowers that they can access on any device, wherever they are. This allows for streamlined reporting without the need to enter the work environment where they believe wrongdoing is taking place or where they might feel they are open to retaliation. If you implement anonymous reporting at your organisation, IntegrityLog allows for this too. 

IntegrityLog is GDPR compliant, holding personal data in a secure manner. It allows for confidentiality, with access controls preventing anyone other than authorised team members from reading the details of the case.

When you have your reporting channels in place, you should monitor the reports coming through to check that they are working as they should. Do investigations stall? Is there a drop-off in reporting? Are whistleblowers satisfied with the process? 

By analysing these outcomes, you can hone a system that works in the best interests of the business and its people. 

4.8 Ensure proper response to wrongdoing

Another key element of a compliance culture is ensuring that wrongdoing is properly dealt with and is seen to be dealt with, too. 

Your framework should set out the procedures for reporting, investigation, finding of a verdict and adequate punishment for non-compliant behaviour within the business. Reinforcing the consequences of unethical behaviour in the workplace and ensuring you take corrective action sends a message to others that it will not be tolerated, helping to create a culture where compliance is encouraged and valued. 

5. How to measure compliance risk management

The way to measure your compliance risk management is to match it against the goals of your framework. If awareness of compliance is increased amongst your employees, your risk score will be reduced, follow-ups on reporting will improve, and there will be less need for internal investigations. As a result, the company will face fewer sanctions, and you can be sure that your risk management is working. 

The measure of its success depends on those aspects of compliance that your company prizes the most. To quantify this, you should work to set compliance KPIs that are relevant to your business.

6. FAQs

6.1 How do you encourage employees to report wrongdoing?

Developing a culture from senior management down that prizes compliance and encourages, rather than punishes, speaking up is important. Creating a transparent reporting and investigation process also helps, as does regular training on the benefits of reporting and on how to make a report. 

6.2 How do you identify your potential legal risks?

A compliance risk assessment is the first step to identifying the types of risks at play. Talk to stakeholders and field their opinions on those risks that they feel most relate to your business. Collate the answers, and find a consensus. 

6.3 How does culture influence compliance risk management?

Culture is key to compliance risk management. Where there is a compliance culture, compliant behaviour becomes the norm. Employees feel comfortable reporting misconduct and do not feel they will be bullied for doing so. It helps you meet your regulatory requirements.   

7. Conclusion

A compliance risk management framework not only provides a unified approach to protecting the organisation from compliance risk, but it also sends a message to employees, investors, customers and suppliers that your business prizes ethical behaviour. This, in turn, creates a positive culture that means there will be more chance of stakeholder buy-in to your efforts to mitigate current and future risks. It also helps you take corrective action in good time. 

In order to make it easy for employees to make confidential reports of misconduct and to keep your investigating team on track with deadlines, ComplyLog offers a suite of tools:  

• IntegrityLog enables you to fulfil the regulatory requirements relating to whistleblowing reports in EU member states.  
• InsiderLog helps you automate your insider list management as per MAR.  
• TradeLog makes managing employee personal trading easier and faster. 

To find out more about how ComplyLog aids your business, request a free demo today.