Developing a compliance culture within an organisation is vital to an effective compliance function. There are five basic elements for a compliance monitoring programme.
A strong compliance culture allows the implementation of an effective compliance monitoring programme that is linked into senior management. This will help to demonstrate to the regulator that the firm has the right compliance mindset. Job done!
Well don’t go home just yet. Now you need to make sure that your compliance monitoring programme is effective, ongoing and well documented – it needs to deliver and live up to those expectations.
By ensuring that your programme covers the following five basic elements, you can be sure that this will happen. This is a topic which is close to my heart, as we followed these steps while designing Compliance Track, a compliance software as a service product.
Compliance Testing Process
Compliance Testing Frequency
Compliance Testing Approach
Compliance Testing Documentation
Let us take a step back. The firm needs to comply with the regulator's rules and regulations (for example, the FSA in the UK and the SEC in the US for the financial sector, or the FDA in the US for the pharmaceutical sector).
The compliance manual states that you will comply. From this, a procedure manual can be developed which sets out how you are going to comply with the regulator's rules. As long as you follow it, your firm will be in compliance.
So how will you know that your firm has been following those procedures and the compliance manual? The answer is by conducting compliance testing on a regular basis.
So what are you testing? You are checking whether those procedures are working as expected, and what the exceptions are. In this way, a history and profile are built up that make it easier to demonstrate that you are in fact following the procedures that help you comply with the regulator's rules and regulations.
Most of the regulators put the onus on senior management to prove they have been complying with the regulator's rules. Implementing a compliance monitoring programme will go a long way to demonstrating this to the regulator during an inspection.
How often should the compliance tests be carried out? Every week? Every month? Once a quarter? Annually?
There is a fair amount of subjectivity around this question, and a large part of the answer lies in determining, in a methodical way, what you perceive to be the risk of something failing. In short, you need to start with a risk assessment before deciding how often a compliance test should be carried out.
A simple assessment could include the probability of failure and the impact that would result. Higher-risk areas should be tested more regularly (at least monthly), medium-risk areas at least quarterly, and lower-risk areas at least annually.
These are just guidelines; other factors may need to be considered before deciding.
A methodical approach will reap rewards later. Use a checklist of tests, categorised either by business area or according to a standard prescribed by the regulator (for example, the FSA Handbook categories). The common trend among compliance professionals is to use business areas.
Tests should be completed clearly, concisely and accurately. Use reasonable sample sizes when testing areas with a high volume of data, such as trades.
Documenting the results, and keeping a record of backing documentation is critical to a good monitoring programme. Without this audit history, the monitoring programme has no teeth – there is no ability to demonstrate to the regulator that you have been complying.
Ideally, the backing documents should be indexed or cross-referenced to the main testing plan so that the tests and their results can be followed through easily.
There may be follow-up points, queries and questions arising from those tests. It is good practice to record and document these and link them to the corresponding tests.
The importance of having a compliance monitoring programme is clear: without one, you lose a powerful defence in being able to demonstrate compliance with the regulations on a consistent basis over a period of time. The considerations discussed here are guides only and a good place to start; one may need to take other firm-specific considerations into account while developing a comprehensive compliance monitoring programme.