GRC 101: What is Compliance?


Written by: Andrew Steioff

Updated: April 27, 2023


This post is part of our GRC 101 series, providing an entry-level overview of the business of governance, risk, and compliance. Today we’ll explore the ‘C’ in GRC: compliance.

Compliance is defined as “the quality or state of being in conformity with a set of official requirements, laws, orders, rules, or requests.”

Corporate compliance, then, involves the process of making sure a company and its employees follow the laws, regulations, standards, and ethical practices that apply to the organization.

In the business context, compliance has two closely related usages. There’s the Compliance function within an organization—often identifiable by the capital ‘C’—which oversees all the activities and processes that keep an organization abiding by various laws and regulations. There’s also the idea of being in compliance, which is the ultimate goal of those activities and processes. A company is said to be in compliance with a given regulation when it has met all (or enough of) its stipulated requirements and received the stamp of approval from the governing body that created it.

Compliance doesn’t only refer to external regulations, however: it also covers the internal systems of control that a company imposes on itself. These can involve the different ways of doing business that a company uses to help it attain its objectives, from hiring standards, to R&D, to documentation of best practices.

Of the three entities that make up GRC, compliance is probably the easiest for industry newcomers to wrap their minds around. Most people know that companies have different laws and standard industry practices they must follow, and that following them takes some effort and oversight. It’s the most straightforward of the bunch.

What does compliance look like in the real world?

The above definitions probably sound generic to the point of being practically meaningless, so let’s take a look at a couple types of compliance in practice.

  1. The 2008 financial crisis and resulting economic downturn led to increased regulatory scrutiny and regulation of the financial services industry. The purpose of these new measures was to protect investors and ensure that markets are fair, efficient, and transparent—as well as to reduce system risk and financial crime. They were enacted to support consumer confidence in the financial system, applying to things like advertising, corporate communications, conflicts of interest, and client assets, among other things. Financial services organizations in turn increased the roles of their compliance departments from mere advisory to that of active risk management and monitoring.
  2. The Sarbanes-Oxley Act of 2002 offers another example. This law was enacted in the wake of several massive accounting scandals that played out on a public stage, including those involving Enron, WorldCom, and Tyco. Designed to protect investors from intentionally fraudulent financial reports by corporations, the act imposed more stringent recordkeeping requirements and created strict new rules for accountants, auditors, and corporate officers. The act also added new criminal penalties for violating securities laws.

The foregoing examples involve American financial regulations, but compliance takes on a variety of different forms depending on factors such as industry, geography, volume, and size of company—and the more that are involved, the more complicated it gets. States, countries, and even municipalities have different local laws that companies must abide by, and the laws in an industry like healthcare are more strict and specific than in an industry where patient health isn’t directly involved. To illustrate, the demands on the compliance department at Amazon—which operates at an international scale across businesses like ecommerce, finance, entertainment, cloud computing, and many more—are going to be much more onerous than they would at a small company that only operates in one line of business.

What happens when a company is out of compliance?

When a company fails to meet the requirements imposed on it by the government or industry bodies that oversee it, a variety of unsavory consequences can follow depending on severity. For low-level infractions, companies may face fines or other small penalties. At the other end of the spectrum, companies may face class-action lawsuits, disbarment from industry groups, or even dissolution as a company. Compliance is not something companies take lightly.

In the event that an organization does face a lawsuit, the corporate compliance program can help in court. All else being equal, an organization that has made a good-faith effort to prevent and detect violations of the law by its employees and others acting for it will be treated less harshly than one that was indifferent to complying with the law.

A company won’t face external penalties if it fails to comply with its own internal controls, but it can still place its future as a company in jeopardy. Corporate compliance lays out expectations for employee behavior, keeps staff focused on their objectives, and helps operations run smoothly. These guidelines help the company accomplish both its long- and short-term goals, so failing to comply with them can be detrimental to reputation, stock performance, and retention of talent.

What is the role of a compliance officer?

Compliance is the direct responsibility of every employee at a company. There are few jobs that don’t involve some degree of ensuring that the company’s day-to-day practices adhere to internal expectations, external regulations, or both.

More formally, the job of identifying regulations and putting compliance systems in place falls to the Chief Compliance Officer at an organization. They’re the ones tasked with overseeing the compliance department and supporting other business areas in their duty to comply with relevant regulations and internal procedures. They also have an obligation to adequately measure and manage compliance risks the company faces, so that they may be mitigated or eliminated in the future.

Last, but extremely important, is senior company leadership. These individuals may be less directly involved, but it’s imperative that they’re on board with all compliance activities so that expectations are clearly communicated. Through their words and actions, the organization’s culture of compliance starts at the top.
