What is regulatory compliance?
Why is regulatory compliance important?
How to get a job in regulatory compliance
What is regulatory compliance audit?
What is regulatory compliance in financial services?
What is regulatory compliance in healthcare?
Simply stated, regulatory compliance is making sure that an organization is following the rules and standards set for its industry. These rules are usually set by government legislation or by proxy via government agencies. In the EU, many regulations are set at a supra-national level. Regulatory compliance management means the set of processes, procedures and technology put in place by an organization to ensure regulatory compliance.
In most countries, the number of rules and regulations has gone up over time. The technology revolution combined with increasing wealth has driven a profusion of complex new products and services offered to consumers and businesses. The possibilities for bad behaviour and bad consequences are multiplied.
Managing and auditing regulatory compliance can be a very expensive endeavour. The problem can get more complex when a firm has to face a variety of compliance requirements in each of the market segments it operates in.
Examples of recent new regulations:
- EU Euro 5/6 standards for exhaust emissions from passenger cars
- EU PSD2 regulations strengthening security for online payment transactions
- US FDA new regulations for e-cigarettes and vaping
Regulation has always been a bit of a political football. Some say that we should drastically reduce the burden of regulation. Others point out that regulation is vital to prevent or punish bad corporate behaviour. However, since regulations are always woven into the law of the land, businesses must comply with them or face severe sanctions.
Hand in hand with the need for regulatory compliance go the systems needed to manage it. Large organizations have for many years used compliance management software to support their compliance programs. Increasingly, small and mid-sized firms are using systems like Plio that are designed to be much simpler to use. Instead of a week’s work by a technical specialist to set up, a Plio account runs in the cloud and can be set up by a user in just one minute.
Clearly, regulatory compliance is important to protect consumers and society from harm. This may seem like an abstract concept to many, and far removed from their everyday experiences. It is a sobering experience to realise that the consequences of regulatory breaches are not just financial, but career-limiting. Company directors can and do go to jail.
There is increasing regulatory pressure on companies as the regulatory rulebook continues to grow. This pressure has also been driven by some high profile bankruptcies (e.g. Enron, WorldCom, Lehman Brothers) and safety disasters (Deepwater Horizon).
The Volkswagen emissions scandal, also known as dieselgate, began in September 2015 when the US Environmental Protection Agency issued a notice of violation of the Clean Air Act. A group of five scientists at West Virginia University had detected unusual emissions behaviour during live road tests of VW cars.
In April 2017 a US federal judge ordered VW to pay a $2.8 billion criminal fine for “rigging diesel powered vehicles to cheat on government emissions tests”. Oliver Schmidt, who headed VW’s environmental and engineering office in Michigan, was jailed for 7 years. Former CEO Martin Winterkorn was charged with fraud and conspiracy and faces a 10 year jail term if found guilty.
Regulatory compliance is important for the following reasons:
- For consumers, to protect them from the harmful consequences of actions carried out by firms
- For businesses, to protect their brands and reputations
- For directors and managers, to avoid criminal liability and career termination
Compliance management can be daunting and expensive for smaller organizations. Plio is a good example of a new breed of low-cost compliance software that can simplify compliance processes. By reducing the cost of running the system by an order of magnitude (to as low as £40 per month) Plio makes this kind of system affordable for any size of company.
The bottom line is that compliance when done right is always cheaper and less hassle than non-compliance!
As the number of rules and regulations increases, compliance management has emerged as a distinct function in organizations in many industries. At the top of the tree, firms have appointed chief compliance officers, sometimes called chief regulatory officers. They run departments staffed by compliance managers and compliance assistants. Their collective job is to make sure the organization conforms to the particular set of laws and regulations that apply to its activities, products and services.
Compliance can be an attractive career choice for a couple of reasons. First, because it gives broad exposure to many different functions and activities within an organization. Second, because it’s largely recession-proof. Jobs in compliance tend to be less at risk in a downturn. Some firms may need to bolster their compliance functions even as they are reporting reduced profits.
On the downside, compliance is becoming more and more specialised, especially in larger firms. You may become frustrated at getting trapped into a silo in a very specific work role. This reduces your exposure to different teams and functions in the organisation, making for a dull and repetitive workload.
It can be hard to break into compliance. Firms tend to want to hire people with prior compliance experience and qualifications. However, the pool of people who can be poached is finite, so there are always opportunities for people starting out at the bottom of the ladder.
An important aspect of professionalising the compliance function is to use the right software tools to structure and streamline key compliance processes. These tools are now very accessible and easy to use. Some, like Plio, can be set up in a few minutes and offer a 30 day free trial. Familiarising yourself with these tools can give you an edge in any compliance job interview.
Here are some good ways to start your compliance career:
- Prior experience through a legal or operations track
- Prior experience in back-office operations
- Prior experience in internal audit
- Working in temporary admin roles in compliance-related projects (e.g. anti-money laundering, know your customer)
- Gaining a relevant qualification
- Working on the right soft skills (you need to be inquisitive, approachable and methodical)
A regulatory compliance audit is – as the name suggests – a structured review of an organization’s adherence to a set of legal or regulatory guidelines. Audits are important because they provide management with a way to monitor whether compliance obligations are actually being upheld, or whether they are being ignored or side-stepped. Audits can be carried out internally (management audits) or by qualified external auditors.
During an audit we need to demonstrate that our compliance controls are working. A control can be defined as a process of interlocking activities designed to achieve a compliance objective supported by properly designed policies and procedures and reliable records.
External audits can be time-consuming and costly, especially when you need to engage a Big Four accounting firm. It’s important to try to minimise the failure rate in such audits. Kyle Robinson at Grant Thornton has summarised the six most common reasons for audit failure. Understanding these gives great insight into some of the key success factors for running an effective compliance function.
Poor prioritisation from the top
If top management doesn’t buy into the importance of compliance then people working lower down won’t buy in either. The attitude of senior management drives behaviour through the entire organization.
Lack of documentation
Without documentary proof auditors are liable to assume that processes are not operating or are being performed inconsistently. Firms should document what they are doing in written policies, train everyone in the procedures and create a documentation trail of the relevant controls.
Human error compounded by too many manual processes
Manual processes are vulnerable to human error and omissions. Compliance management systems like Plio automate key aspects of the compliance workflow, reducing errors.
Weak or missing risk assessment
According to Pareto’s Law, 80% of the compliance risk comes from 20% (or less) of the organisation’s activities. Without a good risk assessment you will waste time on putting in place controls for less critical activities. This means that less time is available to focus on the critical 20% of activities where the bulk of the compliance risk is found.
Internal assessment too congratulatory
It’s only human nature to want to represent yourself and your team in the best light. This means that internal auditors will frequently overlook or seek to minimise important shortcomings. To avoid this, it’s important to bring independence of viewpoint into the equation. Internal reporting lines need to incentivise the right behaviour. Bring an independent assessor or consultant in if you need to.
Not understanding that some audits need to be ongoing
Some audits, e.g. a PCI DSS assessment, are point-in-time audits. Others, e.g. Sarbanes-Oxley, require that your controls operate consistently over a long period of time. Some organizations don’t understand the difference and will cease control work as soon as the auditor walks out of the door.
To be effective, compliance work needs to be embedded in the culture of the organization, as part of a continuous improvement process. If this isn’t done then gaps in the compliance work soon show up as negative findings in the next audit.
Using a compliance management system like Plio makes it much easier to build compliance into your culture. Plio is designed around a continuous improvement framework so that a compliance breach triggers the start of a structured workflow leading to a root cause analysis and completion of corrective and preventative actions. By putting simple-to-use tools like Plio in the hands of your key managers, compliance becomes a natural part of the everyday work routine.
Some industries are more heavily regulated than others. Financial services as a sector is particularly highly regulated for a couple of reasons. First, because of the high risks that consumers and businesses may suffer harm from aggressive or deceptive business practices. Second, because of the history of repeated abuses in this industry. High risk combined with repeated abuses is a recipe for heavy regulation.
Even the top firms with the most impeccable reputations have been sanctioned. In January 2016 Goldman Sachs agreed to pay $5.06 billion to settle claims that it misled investors during the financial crisis. A large group of investors suffered financial losses and put pressure on politicians to seek redress. Congressman Barney Frank and Senator Chris Dodd gave their names to a set of US government regulations (the Dodd-Frank Wall Street Reform Act) put in place by the US Congress in July 2010.
Similar regulatory compliance frameworks now operate throughout the global financial system supervised by (amongst others) the Securities and Exchange Commission in the USA, the Financial Conduct Authority in the UK and by the European Banking Authority in the EU.
Financial services firms must fulfil the following compliance functions:
- Identification: the compliance risks facing the company must be identified.
- Prevention: the compliance department must implement controls designed to protect the organisation
- Detection: the company must constantly monitor and create reports about the effectiveness of the controls
- Resolution: compliance problems should be resolved as and when they occur
- Advisory: the company must advise and train employees about the rules and controls
Plio has launched a new version of its compliance management system for small to mid-sized financial services firms. A purpose-built configuration has been developed for financial advisors and investment managers, with a rapid one minute setup process and a 30 day free trial.
In healthcare we are dealing not merely with financial impacts, but with risk to human life. This ramps up the level of potential harm, and explains why legal regulation has become so pervasive in the healthcare sector. In common with other sectors, it is the history of previous abuses that leads to the impetus for new laws and regulations. Let’s look at one recent example in the UK – the Mid Staffs scandal.
Mid-Staffs has become a byword for NHS care at its most negligent. It is often described as the worst UK hospital care scandal of recent times. Disputed estimates suggest that between 400 and 1500 patients died over a 4 year period between 2005 and 2009 at Stafford hospital, a small district general hospital in Staffordshire.
These deaths first came to light in mid 2007 when the UK regulator, the Healthcare Commission, became anxious that Stafford seemed to have unusually high death rates when compared to other hospitals. Dissatisfied with the hospital’s explanations, the HCC assigned a team of investigators to get to the bottom of what was happening. This was the first of five major enquiries.
The regulator found that care at Stafford was “appalling” with “inadequately trained staff who were too few in number, junior doctors left alone at night and patients left without food, drink or medication as their operations were repeatedly cancelled.” Eventually this led to the resignation of the head of the NHS and significant changes to the regulatory framework for healthcare in the UK.
There is now a legally-binding ‘duty of candour’ that obligates healthcare professionals to be honest when things go wrong. Serious and persistent breaches can result in criminal prosecution. Codes of practice have been revised for doctors, nurses and midwives. New educational programs have been put in place to try to prevent any future recurrence.
Bringing professional compliance management processes into healthcare is going to be vital to reduce the risk of recurrence of scandals like Mid-Staffs.
Plio has recently launched a new version of its compliance management system for healthcare. A purpose-built configuration has been developed for use in hospitals and community health organisations, with a rapid one minute setup process and a 30 day free trial.
In this article I’ve highlighted how important regulatory compliance has become across both the private and the public sector. Despite recent initiatives to deregulate, the regulatory rulebook continues to grow. Regulatory risk has increased dramatically in some key industries, including financial services, automotive and healthcare. Managers need to understand not just the need for regulatory compliance but also become proficient in the processes that need to be put in place to control and reduce compliance risk.
An important aspect of professionalising the compliance function is to use the right software tools. Smaller firms are less able to afford large teams of compliance specialists, so front line managers have to carry compliance responsibilities. Plio software is designed to ease the burden of compliance management processes by automating workflows and enabling real time collaboration. It runs in the cloud and has been designed to be much easier to set up and to use than older systems.
Bio of author:
Steve’s interest in management systems began at Wharton, where he studied for his MBA. He then tried to apply what he’d learned, with varying degrees of success, in two startups that he founded in the early days of computer networking and the mobile internet. Founder of Trigenix, a mobile user interface company that was acquired by Qualcomm Inc. Loves cycling, golden retrievers and the Cotswold hills.