On their own, regulations and policies will not ensure compliance

13 September 2023 Myra Knoesen

Organisations’ compliance programs now need to undergo fresh risk assessments due to the rapid changes in an already complex regulatory environment.

FAnews spoke to Rianné Potgieter, CEO of the Compliance Institute Southern Africa, about the new risks impacting compliance, conduct and culture, and how technology could be used to mitigate conduct risk.

The new risks

According to Potgieter, we find ourselves in a period of various megatrends developing across the world, which give rise to risks such as climate, cyber, health, financial crime, cryptocurrencies, and artificial intelligence (AI) (ChatGPT anyone?) to name a few. Society’s response, she says, will ultimately include formal regulation as we grapple with mitigating these risks. 

“Regulatory responses are evident in guidance notes, proposed regulations, bills and acts such as our own ESG JSE guidelines, Treating Customers Fairly (TCF), Conduct of Financial Institutions (COFI), and the amended Financial Intelligence Centre Act (FICA). Other countries have seen the enhancement or introduction of regimes such as the Senior Managers and Certification Regime (UK), the Individual Accountability Framework (Ireland) and various codes of conduct,” she added.

In the EU, Potgieter said the Artificial Intelligence Act is at an advanced stage of development, while in the UK, the government has launched an AI white paper to guide the use of artificial intelligence in the UK, to drive responsible innovation and to maintain public trust in this revolutionary technology. These might very well have extraterritorial reach, she said. 

“Organisations may also face the increasing use by regulators of principles-based regulation to achieve the desired outcomes. The benefits of this approach include the fact that it enables laws to be future-proof, i.e., to respond to new issues as they arise without having to create new rules. The onus is on the organisation to define its response to compliance risk mitigation within the bounds of its own risk appetite. It frees up organisations to find the most efficient and innovative ways of achieving the desired outcomes,” continued Potgieter. 

However, she said it may also lead to uncertainty and possible conflicting interpretations between the organisation and its regulator. 

Overcoming challenges in meeting the requirements

As can be seen from many examples over the years, Potgieter stated that regulations, policies and procedures on their own will not ensure compliance. Culture and conduct do.

“As responsible corporate citizens we should determine and guide our own behaviours ahead of regulations. We should decide as an organisation, and individually, what our values are and how we want to support these through the culture that we create in our respective environments. The so-called ‘tone at the top’ may be a clichéd term, but it is as relevant and important today as ever. The leadership in an organisation has an undeniable influence on its culture,” she said. 

Equally important, Potgieter said, is the ‘mood in the middle’. “The middle layer refers to the managers and employees who are responsible for implementing policies and who have the most direct control and impact on an organisation’s conduct. This is where the organisation’s culture is embedded and comes alive through the everyday actions of all employees. As we say in our Generally Accepted Compliance Practice framework (GACP) – it is all about ‘people, processes and systems’,” she emphasised. 

  • People - are their values aligned with the organisation’s values? Ensure they are trained, that recruitment and remuneration practices support the organisational values and culture, etc. In the case of principles-based regulation, the organisation should set out in practical terms what is required at each level and within each role. The organisation’s ethics and corporate culture are important to how it interprets the operation of the law. Staff must be trained in values so that their decisions are aligned with the organisation’s values. This will support the organisation to observe the spirit of the law by developing policies or other mechanisms that simultaneously comply with the relevant principle and meet the organisation’s needs.
  • Processes - develop policies, procedures and codes of conduct that are role-specific, practical and up to date.
  • Systems - the use of fit-for-purpose technologies that ensure efficiencies and control.
  • Culture - consider conducting surveys and confidential discussion groups to ensure honest feedback from the participants. Some questions to ‘test’ the culture and commitment to compliance are, ‘Are there consequences for bad behaviour, or do we turn a blind eye?’, ‘Is our organisation serious and committed to compliance and doing the right thing?’, ‘Are you aware of any fraud or unethical behaviour being committed?’, ‘Is our organisation’s reporting and disciplinary system fair and reliable?’ and ‘Do you understand the compliance responsibilities in your specific role?’

When it comes to technology, Potgieter said we should expect to hear terms like regtech, suptech, fintech, insurtech and other ‘…techs’ that are still coming. “This is the world we live in today. Everyone in business should be comfortable with the terminology to know how it can be employed in the organisation. Technology can no longer be left to ‘the IT guys’. It has become imperative to have a working knowledge of technology, its benefits, shortcomings and risks.” 

Arm yourself with facts, skills and resilience

On a final note, Potgieter said: “We can view this new world as a scary place - there is more than enough reason to be panicky. Or we could arm ourselves with facts, new skills and resilience, see the benefits of regulation from a business perspective, understand that something like principles-based regulation has far fewer rules, and that it acknowledges that the knowledge and the know-how to mitigate risks are within organisations themselves. At the heart of all these developments lies innovation. This is the time to embrace it.”

Writer’s Thoughts

As mentioned above, it is the responsibility of the organisation to delineate its approach to mitigating compliance risk. Merely having regulations, policies, and procedures in place is insufficient to guarantee compliance. The crucial factors in ensuring compliance are the prevailing culture and conduct within the organisation. The leadership within an organisation undeniably shapes its culture. Do you agree? Please comment below, interact with us on Twitter at @fanews_online or email me your thoughts

