Core principles for an effective compliance programme
The standard not only addresses the assurance procedures required to form a conclusion on the effectiveness of a CMS, but also introduces five interlinked principles. These are fundamental to an effective compliance programme and should be integrated into the organisation’s business processes: 1) compliance culture, 2) compliance goals / objectives, 3) compliance risks, 4) compliance programme and 5) compliance organisation.
Organisations that implement these principles and related criteria successfully are able to:
- establish an ethics and compliance culture across all relevant levels of the organisation,
- consider the impact that general business goals have on the CMS,
- drive a structured risk assessment / management approach to determine compliance risks,
- implement an effective CMS to enable both the detection and prevention of compliance risks,
- define responsibilities and accountabilities in relation to the compliance organisation, and
- establish and maintain an effective compliance programme.
Areas where the core principles can be applied
Next to the core principles for a CMS that is valid throughout the organisation, there are a number of other areas where sound governance frameworks are required to establish and maintain an effective level of compliance, e.g.:
1) Distributed Supply Chain
A characteristic of today’s ecosystem is that networks of contributors play a role in the production of almost every physical or virtual product or service. A company’s suppliers and component producers work in an interoperable or cooperative workspace, connected via legal contracts and relationships driven by financial interests.
To protect their own reputation, and as a risk and quality measure, multinational companies request attestations from their suppliers that they comply with minimum legal requirements as well as generally accepted principles. For suppliers and multinational companies alike, an attestation about the existing CMS, obtained before entering into or sustaining a business relationship, forms the foundation for mutual trust. Legal requirements that may be considered include, for example, corporate governance, anti-money laundering, anti-bribery and sanctions; voluntary principles include norms as described in International Labour Organization conventions (e.g. Ethical Trading Initiative, Social Accountability etc.), the Global Compact SDG Goals, the Greenhouse Gas Protocol, and sustainability requirements for suppliers issued by a multinational manufacturer.
2) Data Protection
The principle of accountability is increasingly embedded into data protection laws and regulations. For instance, organisations subject to the General Data Protection Regulation (GDPR) issued by the European Union (EU) must demonstrate their compliance with these rules. By being transparent about how it meets the requirements of applicable laws, an organisation can provide the trust that business partners, other stakeholders and society in general seek.
In this area, there are a number of standards and guidelines that can be applied as part of a data-protection-specific CMS. A practitioner might, for example, use the GDPR-CARPA (Certified Assurance Report-based Processing Activities Certification Criteria) from Luxembourg or the NOREA-PCF (Privacy Control Framework) from the Netherlands to evaluate the specific CMS.
3) Tax Compliance
Compliance across all taxes, statutory accounting and tax reporting is becoming increasingly complex. Companies are struggling to do more with less while driving value out of their tax and finance functions. The centralisation of finance and accounting functions presents additional challenges when dealing with complex local rules, disparate technologies, and manual processes during the compliance cycle. This results in a greater risk of compliance failures and minimal time for strategic forecasting or planning.
A tax-specific CMS enables organisations to implement a sound compliance programme, while rethinking their approach to domestic and global compliance and reporting by taking a closer look at their technology, processes, resources, and service providers (including co-sourcing/outsourcing).
4) Corporate Sustainability
As worldwide focus on sustainability intensifies, businesses are facing an ever-growing array of new restrictions on the materials they use, the by-products they produce, the safety of their facilities and other aspects of their operations. These restrictions, both voluntary and involuntary, emanate from a variety of industry initiatives and governmental and non-governmental organisations, frequently with overlapping jurisdictions and each with a unique set of reporting requirements. The need to verify adherence to these multiplying standards and restrictions is creating vast new demands on businesses’ compliance and assurance functions.
Sustainable companies understand that both corporate sustainability and compliance teams have a critical role to play in driving ethical behaviour and embedding values throughout the organisation. These teams need to coordinate more closely with each other, and across the business, in an integrated CMS in order to design more effective ways to generate resilience dividends.