This time of the year in the wild and wonderful world of compliance, we usually see an influx of draft or issued information letters and requests, directives, board notices and the like from the regulator.
That’s why I’m not at the beach (yet), but with both feet under my office desk checking the Financial Services Board’s (FSB) website for updates at least twice a day with the wise words of Confucius firmly stuck in my head: “A man who does not plan long ahead will find trouble at his door.”
Instead of worrying about all that needs to be done, I’ve decided to take control.
Planning: the key to success
Dr Gramme Edwards once said: “It’s not the plan that’s important, it’s the planning.” Where do you start, though? I go back to basics, and the basics for me as a compliance officer are the Generally Accepted Compliance Practice Framework by the Compliance Institute of South Africa. It provides the structure I need to make sense of the mostly unstructured legislative reality we now face.
Ready, steady, go!
To be compliance-ready for 2017, the following steps are true lifesavers for me:
Step one
- Identify which of the new regulatory developments will specifically impact business from a regulatory and reputational risk point of view.
- Distinguish between the core, topical and secondary regulatory developments.
- Include the new applicable regulatory developments in the overall regulatory risk universe of the company.
Step two
- Schedule a regulatory risk profile workshop with the executive team and key persons for early in 2017.
- Highlight core pieces of legislation to be discussed.
Step three
- Do a preliminary impact assessment for further discussion and agreement at the regulatory risk profile workshop.
- Be prepared to challenge business and provide direction through practical and current examples (e.g. FSB enforcement action, Ombud determinations, court cases) to ensure that each risk is adequately assessed for impact and likelihood.
- Consider the potential monetary loss should a fine be imposed for non-compliance, and the subsequent impact thereof on the business brand.
- The risk rating in relation to the relevant impact should include:
  a.) consideration of the technological system’s ability to ensure compliance;
  b.) the impact of new requirements on the knowledge and operational controls of the business;
  c.) whether existing policies and procedures would have to be reviewed and aligned;
  d.) whether additional training will be required for staff on the regulatory impact, new controls, or system changes resulting from them.
Step four
- Prepare a risk management plan for each relevant piece of legislation that underpins the very nature of the specific business, and where non-compliance could severely threaten or limit the continued viability of the business through a material impact on profits and/or market share, resulting from severe penalties and/or negative publicity.
- Document existing controls and identify gaps which will require further engagement with business overall and specific business units and departments.
- Report gaps and proposed mitigating actions (be specific and to the point) to the executive committee.
Step five
- Read, read and read some more. Read articles, extracts and, most importantly, the actual regulatory requirements that will underpin business systems, policies, procedures and behaviour. Read to understand the intended purpose and desired outcome.
- Listen to what business is saying and understand the concerns and objections.
- Measure gaps and propose acceptable and adequate solutions to deliver and evidence the desired outcomes.
Bring it on
I leave you with a final and famous quote by Benjamin Franklin: “By failing to prepare, you are preparing to fail.” May you achieve structure and order in all compliance-related matters and, as such, be ready, prepared and a few steps ahead when you return to work in 2017.