This post is part of our GRC 101 series, providing an entry-level overview of the business of governance, risk, and compliance. Today we’ll explore the ‘C’ in GRC: compliance.
Compliance is defined as “the quality or state of being in conformity with a set of official requirements, laws, orders, rules, or requests.”
Corporate compliance, then, involves the process of making sure a company and its employees follow the laws, regulations, standards, and ethical practices that apply to the organization.
In the business context, compliance has two closely related usages. There’s the Compliance function within an organization—often identifiable by the capital ‘C’—which oversees all the activities and processes that keep an organization abiding by various laws and regulations. There’s also the idea of being in compliance, which is the ultimate goal of those activities and processes. A company is said to be in compliance with a given regulation when it has met all (or enough of) its stipulated requirements and received the stamp of approval from the governing body that created it.
Compliance doesn’t only refer to external regulations, however: it also covers the internal systems of control that a company imposes on itself. These can involve the different ways of doing business that a company uses to help it attain its objectives, from hiring standards, to R&D, to documentation of best practices.
Of the three components that make up GRC, compliance is probably the easiest for industry newcomers to wrap their minds around. Most people know that companies have laws and standard industry practices they must follow, and that following them takes some effort and oversight.
The above definitions probably sound generic to the point of being practically meaningless, so let’s look at a couple of types of compliance in practice.
The foregoing examples involve American financial regulations, but compliance takes on a variety of forms depending on factors such as industry, geography, transaction volume, and company size, and the more of these that are involved, the more complicated it gets. States, countries, and even municipalities have local laws that companies must abide by, and the laws in an industry like healthcare are stricter and more specific than in an industry where patient health isn’t directly involved. To illustrate, the demands on the compliance department at Amazon, which operates at an international scale across businesses like ecommerce, finance, entertainment, cloud computing, and many more, are going to be far more onerous than they would be at a small company that operates in a single line of business.
When a company fails to meet the requirements imposed on it by the government or industry bodies that oversee it, a variety of unsavory consequences can follow, depending on severity. For low-level infractions, companies may face fines or other small penalties. At the other end of the spectrum, companies may face class-action lawsuits, expulsion from industry groups, or even dissolution as a company. Compliance is not something companies take lightly.
In the event that an organization does face a lawsuit, the corporate compliance program can help in court. All else being equal, an organization that has made a good-faith effort to prevent and detect violations of the law by its employees and others acting for it will be treated less harshly than one that was indifferent to complying with the law.
A company typically won’t face external penalties solely for failing to comply with its own internal controls, but it can still place its future as a company in jeopardy. Corporate compliance lays out expectations for employee behavior, keeps staff focused on their objectives, and helps operations run smoothly. These guidelines help the company accomplish both its long- and short-term goals, so failing to comply with them can be detrimental to reputation, stock performance, and retention of talent.
Compliance is the direct responsibility of every employee at a company. There are few jobs that don’t involve some degree of ensuring that the company’s day-to-day practices adhere to internal expectations, external regulations, or both.
More formally, the job of identifying regulations and putting compliance systems in place falls to the Chief Compliance Officer at an organization. They’re the ones tasked with overseeing the compliance department and supporting other business areas in their duty to comply with relevant regulations and internal procedures. They also have an obligation to adequately measure and manage compliance risks the company faces, so that they may be mitigated or eliminated in the future.
Last, and extremely important, is senior company leadership. These individuals may be less directly involved, but it’s imperative that they’re on board with all compliance activities so that expectations are clearly communicated. Through their words and actions, the organization’s culture of compliance starts at the top.