Seven steps to compliance
I have been asked on a couple of occasions recently what the requirements for a compliance function are, a strange question because it was raised by regulated firms.
The firm's governing body has overall responsibility for compliance and must, through policies and training, communicate its core values. The governing body and senior managers should work with the compliance function to drive the culture and embed a compliance framework throughout the business. The following seven steps may help.
1. Identify the regulations you must comply with and undertake a risk assessment against each applicable regulation.
This may include:
- Financial Conduct Authority
- Data Protection Act
- Money Laundering Regulations
- Health and Safety
- Advertising standards
The risk assessment must identify the inherent risk (before controls) and the residual risk (after controls), considering the impact and probability of each risk before and after your controls are established. Remember this is a living tool and must be revisited regularly.
2. Create procedures for staff to follow. This includes developing a number of key controls to reduce the impact and probability of your identified risks.
- Procedures should have an owner, be kept up to date and be version controlled. They should be made available to all staff.
- Key controls should be identified, documented and assigned a control owner.
3. Assess your controls to ensure there are no gaps and that they are designed and operating effectively, and develop a monitoring process to test whether they continue to operate as designed.
4. Create a compliance manual containing all of your procedures, policies and guidelines for staff to follow. It should set out staff responsibilities and the escalation procedure to use if they identify incidents or breaches of regulatory requirements. The compliance function is there to provide your business with support and advice.
5. Train your staff on relevant regulatory matters. Make sure training is developed in line with your business needs and also covers your legal and regulatory obligations.
6. Carry out regular audits and assessments to ensure that you are still compliant and that your controls continue to meet the requirements. Report findings to relevant risk, compliance or audit committees.
7. Use management information and record keeping to demonstrate your compliance with the rules, and ensure your key risk indicators (KRIs) identify and monitor trends. Make sure your records are maintained in line with the applicable systems and controls record-keeping requirements.