Regulatory Change and Compliance Risk Management: What You Need to Know and Why

This feature on Compliance has been drafted by Kgori Capital Compliance Manager, Elizabeth Ferguson, and forms part of a series of awareness material on this subject. Elizabeth has over 14 years’ experience in various Audit, Advisory and Assurance senior roles. Elizabeth has a Bachelor’s Degree in Accounting and is a fellow member of the Association of Chartered Accountants (ACCA) and Botswana Institute of Accountants (BICA). She also holds a postgraduate qualification in Enterprise Risk Management.
Organisations, in recent years, have increasingly come under pressure to keep abreast of new and complex regulatory requirements. This is possibly more so for financial services firms, where regulatory oversight and enforcement is evolving and improving, and where the requirements may extend across a number of jurisdictions.
Compliance, as a speciality and a practice, is complex and yet not something one can afford to take lightly. In many regards a specialist practice, it requires a clear grasp of requirements, processes, protocol, and risks. The risk of non-compliance and a failure to actively manage any regulatory change could result in stiff penalties from regulatory authorities and, more importantly, reputational decline. For this reason, Compliance ought to be seen as going hand in hand with best practice – ensure compliance not simply because you have to, but because it makes your business a stronger one in many regards.
King IV, a leading governance framework, recommends that organisations should comply with applicable laws and consider adherence to non-binding rules, codes and standards. In simple terms, this means an organisation should, at any given time, establish all applicable legislative requirements and ensure there is specific responsibility for all components of compliance. In addition, it must identify which non-binding rules, codes and standards the organisation should follow. King IV, building on its predecessor King III, does not merely call on companies to apply or explain principles and practices; rather, King IV assumes application of all principles. It further requires entities to explain how these are applied, and is principle- and outcomes-based rather than rules-based. These are important things for any Compliance function to appreciate and effect, and the guidelines are paramount to ensuring best practice and governance.
How, then, does an institution ensure that it is adhering to the letter of the law? And how, at the same time, does it avoid overdoing diligence to the point where it costs the organisation more than it needs to in terms of resources and productivity? It is a fine line, and a balancing act, for sure.
Best practice recommends that an inclusive approach should be adopted in identifying all applicable regulatory requirements. First consideration should be given to the strict legal requirements arising from the law itself (actual laws and Acts of Parliament). Secondly, a company should consider any non-legislated requirements such as industry-specific codes, rules and regulations. This extends all the way to the organisation’s internal documents, such as significant Service Level Agreements, client mandates, and internal company policies and codes of conduct.
A risk assessment should then be performed to categorise the identified requirements, and appropriate risk assessment scales applied to the regulatory items. Formulation of risk assessment compliance plans will determine what the requirements are; the requirements should be analysed and interpreted into simple language for business purposes. The plan should indicate what actions have been taken to date to address these requirements and, finally, what corrective action still has to happen so as to ensure that compliance has been embedded within all areas of the business operations. Responsibility and timeframes should be allocated to the enhancements. The complexity, structure, detail and format of these plans may vary across organisations, but ensuring clarity, inclusiveness and comprehensiveness is vital.
Last but not least, compliance monitoring should be performed regularly to track implementation and for reporting purposes. Indeed, it must work to ensure that any new regulatory developments and changes are appropriately incorporated and applied. As I said, it may appear at first to be somewhat daunting, and yet a well-entrenched compliance function and practice stands to deliver great long-term benefit. The opportunities for enhanced best practice are, quite simply, enormous.