A Compliance Management System may be just what your business needs

By Joselyn B. Mwine

With new legislation and regulations announced almost every week, it is no surprise that compliance has become one of the biggest challenges facing businesses today. What’s compliance you ask? Simply put, it refers to a company complying with all of the laws and regulations impacting how they manage their business, their staff and their treatment of consumers. Basically, the foremost goal of compliance is to make sure that companies fulfil their responsibilities. Many businesses, however, question the need for compliance and its associated costs, especially if they can get away with not complying. But there is a catch, for failing to have the right controls and culture in place could mean paying millions, or even billions, in fines as well as suffering reputational damage. So how can businesses get it right?

No organization or individual wants to spend money on re-work and/or defending civil or criminal charges or on loss of trust or reputation. The best protection and defence against this is being able to demonstrate or evidence that a robust framework has been implemented to manage compliance risk, in other words a compliance management system (CMS). A CMS gives people working in compliance a detailed and implementable road map or framework to build an appropriate compliance function in their business. Additionally, the Uganda National Bureau of Standards (UNBS) has developed an appropriate Standard US ISO 19600:2014, Compliance management systems — Guidelines .

The Standard provides guidance for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system within an organization. The guidelines on compliance management systems are applicable to all types of organizations.

Both internal requirements and external laws and requirements can be managed using this standard. This is crucial given that many organizations are now recognizing the importance of complying with the spirit as well as the letter of the law. The standard also facilitates benchmarking, both internally and externally, to maintain effectiveness and give comfort to boards and management. A robust implementation should minimize regulatory errors, omissions and failures by enhancing management information and hence the better management of regulatory and reputational risks.

How does the standard help a business reduce regulatory risk and protect its reputation?

In today’s world of increasing laws and regulations – banking, financial services, tax, information security, human resources, safety, environment, etc. – it is easy for an organization to breach a law or regulation and tarnish their reputation, resulting in loss of trust among customers, shareholders, regulators and/or in society. The standard enables an organization to co-ordinate, manage, monitor and continuously improve the management of internal and external risks associated with regulatory compliance, thus helping to mitigate liabilities and preserve its good name.

If inadvertent breaches do occur, the CMS is also needed to assist in the reduction of potentially severe civil and/or criminal penalties and hence help protect reputation. Whilst an organization hopes never to be answering regulatory inquiries or civil or criminal suits, the existence of a well implemented and robust CMS can demonstrate that it has taken compliance risk management seriously, which could reduce fines and penalties. Nevertheless, many factors still need to be taken into account, including whether the errors are systemic, the jurisdiction, etc.

What is the biggest problem with compliance? How can companies overcome these obstacles?

Developing and maintaining an appropriate culture is a key issue, a culture where prevailing actions or behaviours demonstrate a “right things/right way” philosophy and where the first line of defence (the business) takes ownership for the management of compliance risk. In many companies, a fear of “getting it wrong” has led to overstaffing of, and overreliance on, compliance teams (the second line of defence) and the crippling of business initiative due to a fear of doing anything without approval from compliance. Taken to extremes, this generates a reluctance to admitting one’s mistake – with the dire consequence that mistakes are hidden, only to be found when the cost of remediation and other repercussions is significant. With an appropriately implemented CMS, the management of compliance risk is robustly controlled. The first, second and third (internal audit) lines of defence have clear roles and responsibilities, and are empowered with knowledge and tools to act so that a business can be nimble, able to react quickly and competitively to changing regulation, legislation and society’s expectations. Obviously, a strong and independent compliance function is required. This is where a CMS can assist in reducing an unnecessary explosion in the numbers of second-line, non-income-producing staff, and where the cost of complying and not complying is significantly reduced.

The standard gives comprehensive guidance with helpful and easy-to-follow examples for users wanting to implement a CMS or benchmark their framework against a standard. Having a published international guidance document in the form of Uganda standard could greatly assist the continual improvement of compliance frameworks since it is expected to serve as a global benchmark for compliance officers, businesses, commentators, academics – and regulators and the courts of course.

Thanks to the standard’s “one-size-fits-all” guidance, all organizations can benefit.

The writer is a Public Relations Officer at the Uganda National Bureau of Standards