One Size Doesn't Fit All

There is no single structure that fits all organisations. Factors that should be taken into account when planning how you will manage your compliance risk include:

  • Size of organisation (number of employees, physical locations, range and complexity of transactions and processes)
  • Operational structure (single entity, multiple business units, head office)
  • Nature of the business (license requirements, legal exposures and obligations)

Centralised v Decentralised

There is no one right form. In larger organisations it is important to ensure that the various Heads of operations are made responsible for managing their own compliance obligations. It is inappropriate and ineffective to place "responsibility" for compliance with the compliance function itself; its role is to advise, design, support and monitor.

Where compliance is decentralised, consideration should be given to maintaining a central support function that provides expertise and independence from the business.


Combining Compliance & Risk

There are logical synergies, but risk management is a distinct discipline. It is used to identify compliance exposures and then rank them, which provides a tool for allocating resources to manage compliance risk in the normal environment where there will never be enough resources to do everything.


Combining Compliance & Audit

It is inadvisable for audit to control, or be controlled by, the compliance function. Audit should remain independent to ensure that it can conduct arm's length reviews. Coordinating compliance reviews with internal audits and risk reviews reduces the impact on the business units.

The ACI protocols for Compliance Reviews could be used by Internal Auditors to help them understand the drivers in Compliance Reviews and improve the effectiveness of the review process.