By: Ernesto Gómez Gallardo A.
Last week we talked about what Compliance is and mentioned some features that need to be considered to implement an effective program in this area. Today I would like to dig deeper into the topic and synthesize 5 functions that a Compliance program covers in an organization (according to the International Compliance Association), either through an internal department or through external advisors who can support the organization in the performance of these activities.
- IDENTIFICATION. It refers to detecting and defining the risks that an organization faces and building the program on them. There are different ways to outline risks, such as through predetermined catalogues that various subject matter experts have defined. I believe that a useful classification is the one proposed by COSO (Committee of Sponsoring Organizations of the Treadway Commission), as it is not exclusive to one industry but applicable to all sectors and business segments. This classification considers 4 types: Reporting Risk, around the effectiveness of the company’s financial reports; Compliance Risk, related to compliance with regulations (internal and external); Operational Risk, regarding the effectiveness and efficiency of the entity’s operations, including its performance and profitability; and finally Strategic Risk, in terms of aligning the mission and vision of the organization with its resources.
- PREVENTION. It is the design and implementation of controls to protect an organization from the risks mentioned above. It is essential to map the processes that are followed within the organization, then find the vulnerabilities and place the controls at the most appropriate points or steps in those processes, so that day-to-day activities are performed safely.
- MONITORING AND DETECTION. It means establishing systematic observation of the controls and being able to report on their effectiveness. It does not mean that we must constantly be auditing the company; on the contrary, the idea is to define a way to evaluate the previously established controls as part of regular “business as usual” activity, to detect any deviations and, where required, be able to act.
- RESOLUTION. It has to do with the organization’s reaction to any difficulty that has surfaced, either through the detection of a breach in the controls or through other escalation means. Resolutions should be made by the right person or area depending on the magnitude of the problem, and this is where a good Corporate Governance structure is key to ensuring the flow of information and the level of escalation that the issue requires.
- CONSULTANCY or ADVICE. Compliance’s constant advice and presence in the organization is key to getting things done right. Compliance often has a negative connotation in institutions as the department that “does not allow activities or business to be carried out”. The Compliance mindset has been changing and is progressing towards that of a partner who is present from the start, rather than a “gatekeeper” or final approver.
At Miranda Compliance, we believe Compliance should be part of the culture of the organization, not a department. The experience of having worked in different institutions performing and implementing these programs has made us understand that doing Compliance is not saying “it shouldn’t be done”, but finding how to do it, and doing it the right way.