In this blog, find out more about the roles and responsibilities relating to compliance and how to ensure everyone plays their part.
Why define compliance roles and responsibilities?
‘Compliance’ is a simple concept in itself (it means ‘the act of obeying an order, rule or request’), but ensuring people behave in a compliant way can be extremely complex. Managing compliance cuts across departments and functions, impacting on health and safety at work, information security and data protection, anti-corruption, competition law, finance, legal, contracts/procurement and HR. So whose role and responsibility is it?
Compliance roles and responsibilities
Compliance roles and responsibility will vary according to the size of an organisation and the level of compliance risks it faces.
- The CEO of an organisation is ultimately responsible for compliance, along with the Leadership Board or Board of Governors. If the CEO appears at times not to behave in an ethical way, the rest of the organisation will struggle to develop a culture of compliance, as the tone needs to come from the top. Because of the complexity of the role, responsibility for managing the organisation’s compliance program is often devolved to a Chief Compliance Officer (CCO). CCOs report directly to the CEO and Leadership Board where they can influence organisational strategy and set the ‘tone from the top’.
- The CCO’s role is to establish/lead an organisation-wide compliance infrastructure. This might include a Compliance Group or Committee and a team of compliance experts – Compliance Officers - in the business. The role typically includes overseeing and reporting on performance against the organisation’s compliance program, leading investigations into non-compliance, identifying areas of potential risk, developing an effective compliance communication and training program and managing a whistleblowing hotline.
- Where there is no requirement for a separate compliance infrastructure, an organisation may allocate the responsibility for compliance to the Head of Internal Audit, Head of Legal or other senior leader. The risk here is that responsibilities other than compliance will be prioritised, potentially putting the organisation at risk.
- The Compliance Officer role may be a stand-alone role or be allocated to existing managers in the organisation. Compliance Officers typically deal with compliance issues at a more local level, reporting back to the Compliance Group or Committee so that individual issues can be resolved and learned from and an organisation-wide picture can be collated.
- The line manager is not typically seen as responsible for compliance but he or she is the person who monitors day-to-day performance and so needs to ensure that individuals in their team or department are complying with organisational requirements on a daily basis. Line managers need easy access to their local compliance officer, to the central compliance team or to HR to enable them to deal with any concerns quickly and effectively, escalating them when necessary. Line managers can also highlight good practice, share examples of near misses and help people to learn from them, and identify who presents most risk to the organisation and who might need more training.
What about individual employees?
Employees are the lifeblood of your organisation. Motivating them to take personal responsibility for compliance in their own actions – to behave in a compliant way, despite pressures to the contrary - is the key to success. Compliance is then both ‘top down’ and ‘bottom up’ and a culture of compliance will become the default behaviour across the organisation. To be compliant, employees need to:
- Know what they are expected to do - make policies clear and easy to find; make procedures easy to follow
- Have the skills to behave in the right way – offer training or on-the-job support to build the skills they need
- Have the right attitude – use different channels (communication, learning, etc.) to persuade employees that compliance is the right thing to do; set good examples at all levels; share ‘war stories’ and learn from them; reward compliant behaviour.
Effective compliance lies in the overlap between the attitudes, knowledge and behaviours of managers and employees. (Paula Davis, SAI Global)
A proactive approach
By sharing the responsibility for compliance across the organisation, along with raising general levels of awareness, individuals can be encouraged not to behave in a risky way but instead to raise a concern, ask an expert or talk to their manager before they act. This proactive approach is much more effective than dealing with breaches after they’ve happened – and much less costly!
The next blog will look at how organisations can move from a ‘tick box’ approach to compliance to developing a culture of compliance across the organisation.