Compliance Lifecycle: First step before considering GRC

As the compliance function is growing in its importance, we are seeing an influx of new terms and concepts. Compliance Lifecycle and GRC are such terms growing in usage among compliance professionals. It is worthwhile to consider these terms in detail and their relationship to each other. We will consider Compliance Lifecycle and its role as the first step in moving towards GRC.

Definitions

Compliance Lifecycle denotes the end-to-end compliance between the regulator and the firm. Compliance Lifecycle links a regulator's approach on rules regarding a firm's individual business activities and the reporting by the firm to the regulator.

Is there any relation between GRC and Compliance Lifecycle? GRC covers the elements of Governance, Risk management and Compliance. A common definition of GRC is "an integrated approach that looks to ensure an organisation acts in accordance with its self-imposed rules, risk appetite and external regulations."

Considering the above definitions, GRC addresses a wider problem than Compliance Lifecycle. From a risk management perspective, one could say that the Compliance Lifecycle approach is the way to go for mitigating Compliance Risk, and the GRC approach is the way to go for mitigating the overall risk of operational failures, which includes compliance risk.

Regulations are imposed to mitigate operational failures; therefore, the major objective of a compliance function is to mitigate operational risk. The approach that focuses only on Compliance Risk is not really serving the purpose. Therefore, a GRC approach must be aligned with the underlying Compliance Lifecycle.

Challenges while applying a Compliance Lifecycle approach

In the light of the recent credit crisis, regulators around the world have tightened their scrutiny and the approach is more stringent now. The onus is on the firms to prove that their approach towards regulatory compliance is serious by showing details of their compliance monitoring programme. The regulators need to see the picture of a firm from a Compliance Lifecycle point of view. However, there are some genuine challenges faced by firms.

The first part of the Compliance Lifecycle is to understand the rules applied to a business function in a firm. The second part is the interpretation of the rules and the creation of the right policies or procedures for the functioning of the specific business process. The third part is the monitoring of adherence to these created policies and procedures. The fourth and final part is the reporting of adherence. In addition, the firm should have a clearly visible way to portray this end-to-end adherence or the Compliance Lifecycle.

Now, let us consider an example based on the Financial Services Authority (FSA), the UK regulator for the financial sector. The rules are specified in the FSA handbook and are grouped under labels such as SYSC, TCF, MAR etc. As discussed above, these rules are to be applied to business areas, and adherence should be reported back to the FSA.

Ideally, the FSA would like to see end-to-end compliance, or the Compliance Lifecycle, along these rules. However, a firm does not follow these categorisations and has its own way of looking at its business - Sales & Marketing, HR, IT, Finance etc. You have a scenario where management is thinking in this way, whereas compliance is thinking in terms of COBS, TCF, MAR etc. One can find similar challenges in every regulatory environment.

How do you incorporate Compliance Lifecycle?

Based on the above discussion, we are sure that the Compliance Lifecycle is definitely the way to go for mitigating Compliance Risk in the best possible manner. However, we need to address the challenge of the business view vs the compliance view before we are able to address the wider issue of mitigating operational failures.

Perhaps the way for compliance to overcome this challenge is to consider the activities in the business areas and then overlay the appropriate rules. Following from the previous example of the UK FSA, it is highly likely that more than one FSA rulebook category will be relevant to a single business area.

Let us consider sales and marketing. Rules such as KYC/AML (Know Your Customer / Anti Money Laundering), customer categorisation and financial promotions (COBS) are relevant. When it comes to HR, you may apply Training and Competence, PA Dealing and ethics. There is a slight change in mindset here: it makes you think in terms of business areas first, and then the rules, not the other way around.

The benefit of this approach is that it allows the firm to get its business done, and the compliance function to marry the long-term interests of the firm and its clients with regulatory requirements.

In addition, by effectively integrating and embedding compliance within the business systems and processes of the firm, the errors, breaches and failures that arise from these areas are also mitigated. This approach can lead the way for implementing a GRC approach later.

Conclusion

There is no doubt that the compliance function has a growing role in any organisation. Incorporating a GRC approach is becoming an industry practice. However, the first step for a compliance function before considering GRC is to take stock of its firm's place in the Compliance Lifecycle and the way it is implemented, aligning the view from the business with the view from its regulator.

About the Author

John Cyriac is the CEO of the Compliance Software as a Service company Compliance Track.
