Organisations are facing continual changes to their regulatory requirements, so building a strategy to manage the pace and complexity is essential to avoid costly fines, reputational damage, or even a loss of the right to operate.
As forces including technology, competition, regulation and globalisation drive immense, rapid change to the business landscape, regulatory bodies are responding with significant new compliance requirements. Organisations not only have to transform to remain relevant in this dynamic world, but must keep one step ahead of their obligations to prevent breaches across a number of potential exposures.
A number of recent scandals, such as the Panama Papers and Unaoil, along with record fines for breaches handed down by US, UK and EU regulators, demonstrate the riskier regulatory environment that they are now operating in.
Martin Dougall, Partner, Forensic, KPMG, says issues such as bribery, corruption, money laundering and sanctions breaches have focused the minds of Australian regulators, who see the need to raise domestic standards.
“Australian organisations must take urgent action to address latent risks in their current and historic operations, and to ‘future proof’ their businesses,” he says. “Now is the time to act to avoid being engulfed by future scandals with attendant reputational carnage.”
Peter Hader, Director, Internal Audit, Risk, & Compliance, KPMG, adds that there are “so many sources of regulation and law that apply to organisations, and they are always changing”.
“Particularly for large corporations with global activities across multiple countries, with multiple subject matters.”
Regulatory change reflects globalisation, technology, customer privacy, cyber security, email spam, anti-money laundering and other pertinent issues. And it is not the end of change, according to Nathan Robinson, Director, Compliance and Conduct Risk, KPMG. He thinks that events of late 2016 have set the scene for even more amendments.
"There was a continued shift in the global environment – with Brexit, US President Donald Trump’s election, ongoing political tension and shifts in Europe and around the world," he says. "We are going to see more shifts in laws out of those countries and issues for trade. I don’t see the pace of change slowing down."
When change is fast, laws are complex, and their subject matter diverse, compliance can be challenging for organisations to manage.
"There is a lack of formal strategy to keep up. Teams need to put in a big effort to get up to speed," says Robinson.
Robinson says without a strategy, small but significant alterations to laws could be missed, or competing requirements could create issues.
"The more regulation, the harder it becomes. Companies don’t just get to comply with one regulator or law," he says.
Hader adds that many companies lack an up-to-date register of compliance obligations – covering internal, local, state, federal and international requirements. Others need a methodology to rank the risk related to each obligation.
In addition, Dougall notes that Australian businesses must get better at proactively engaging with regulators, developing a coherent multi-regulation strategy and embedding a values-based culture at the heart of the organisation.
Failing to manage regulatory change can see organisations face vast penalties from regulatory bodies, in addition to customer dissatisfaction and reputational decline.
Dougall says this has occurred in a number of major developed economies, with the size, scale and significance of penalties being levied across Australian business now increasing.
“It is vital that Australian businesses act now to protect their brand and reputation with customers, regulators and the market more generally,” he says.
Robinson adds that accidents are a predominant risk issue – and things can easily go wrong.
“If an accident relates to non-compliance with internal maintenance programs or regulatory safety requirements, the consequences for the organisation and its management can be severe,” he says.
In the worst cases, a compliance breach could lead to a loss of licence to operate. Jail terms could be issued for officers or board members that have not fulfilled their obligations. Negative media exposure is a common result.
“Think about the reputational damage of those organisations that find themselves in the press for the wrong reasons, such as accidents or employee disputes. Customers will say, ‘I don’t want to support an organisation that behaves like that’,” Robinson says.
Becoming irrelevant is another potential threat stemming from non-compliance.
"If you are not compliant, you are ripe to be challenged by disrupters. Start-up organisations are looking for ways to comply with obligations more efficiently and are doing so without the burden of legacy systems and processes, so if organisations simply maintain the status quo, new market entrants will do things better and may quickly overtake them," Robinson says.
For better management of regulatory compliance changes, a comprehensive compliance framework should be established.
"We work with a methodology and set of tools that are linked to international standards around compliance. It covers all elements of compliance, from understanding your obligations, to having a comprehensive register of obligations, risk controls, reporting, and keeping up-to-date with changes," Hader says.
Training staff, monitoring compliance and reporting back to regulators and the board are key.
"It is also important to have a strategy for breach management, so if something does go wrong, you have a plan," Hader says.
Technology can assist this process, Robinson adds. For example, technology can be used to monitor calls with customers, or cognitive computing such as IBM Watson can be used to scan and summarise content for industry-relevant changes to the law.
"We will one day move to a real-time environment where the cognitive computer is actively keeping its eye on the law," Robinson says.
Strategy is important, but so are people, and it is up to the staff of an organisation to be compliant. Robinson says this must start with ‘tone from the top’.
“A compliant organisation could have a board that demonstrates commitment to compliance, along with the policies, culture and conduct of its people. That message is reiterated through management, so everyone is showing a commitment to compliance,” he says.
As scrutiny and expectations of organisations grow, it is clear there is a need to improve management of regulatory compliance. Organisations that do it well have a clearly articulated commitment to compliance, for example a compliance statement and a defined compliance management policy and framework, and properly deal with instances of non-compliance through assessment and reporting, as well as appropriate consequence management.
“The pace of change will only grow. It is not getting any easier. Organisations will need to address this and have systems in place," Hader says.
The adoption of new technology will continue to provide both regulatory compliance challenges and solutions. Explore the possibilities of RegTech in: Regulatory technology and the challenge of compliance.