Chapter 10 Governance and Compliance Risk – CS Professional Governance, Risk Management, Compliances and Ethics Notes is designed strictly as per the latest syllabus and exam pattern.
Governance and Compliance Risk – Governance, Risk Management, Compliances and Ethics Study Material
Write short note on:
Factors to be kept in mind for planning to mitigate compliance risk. (Dec 2020, 3 marks)
Factors to be kept in mind for planning to mitigate compliance risk
- What kinds of compliance failures would create significant brand risk or reputational damage? Could the failures arise internally, in the supply chain, or with regard to third parties operating on the organization’s behalf?
- What is the likely impact of that damage on the organization’s market value, sales, profit, customer loyalty, or ability to operate?
- What kinds of compliance missteps could cause the organization to lose the ability to sell or deliver products/services for a period of time?
- How should the compliance program design, technology, processes, and resource requirements change in light of growth plans, acquisitions, or product/category/ service expansions?
- Is the organization doing enough to inform customers, investors, third parties, and other stakeholders about its vision and values? Is it making the most of ethics, compliance, and risk management investments as potential competitive differentiators?
- What are the total compliance costs beyond salaries and benefits at the centralized level—and how are costs aligned with the most significant compliance risks that could impact the brand or result in significant fines, penalties, and/or litigation?
- How well-positioned is the compliance function? Does it have a seat “at the table” in assessing and influencing strategic decisions?
- What are the personal and professional exposures of executive management and the board of directors with respect to compliance?
A successful compliance-risk management program, which is an essential component of a sound and vibrant operational system, contains certain elements. Point out such elements. (June 2019, 3 marks)
The compliance framework needs to be comprehensive, dynamic, and customizable, allowing the organization to identify and assess the categories of compliance risk to which it may be exposed. A successful compliance-risk management program, which is an essential component of a sound and vibrant operational system, contains the following elements:
- Active board and senior management oversight: An effective board and senior management oversight is the cornerstone of an effective compliance risk management process.
- Effective policies and procedures: Compliance risk management policies and procedures should be clearly defined and consistent with the nature and complexity of an institution’s activities.
- Compliance risk analysis and comprehensive controls: Organizations should use appropriate tools in compliance risk analysis, such as self-assessment, risk maps, process flows, key indicators and audit reports, which help establish an effective system of internal controls.
- Effective compliance monitoring and reporting: Organizations should ensure that they have adequate management information systems that provide management with timely reports on compliance matters such as training, an effective complaint system and certifications.
- Testing: Independent testing should be conducted to verify that compliance-risk mitigation activities are in place and functioning as intended throughout the organization.
Compliance Management is the most important part of any business. Highlight the risk of non-compliances. (Dec 2019, 5 marks)
Failing to comply with rules, regulations, and specifications could have costly consequences. In the famous Sahara case, the Group was accused of failing to refund over 200 billion rupees to its more than 30 million small investors that it had collected through two unlisted companies of Sahara. In 2011, SEBI ordered Sahara to refund this amount with interest to the investors, as the issue was not in compliance with the requirements applicable to the public offerings of securities. Later in 2014, Mr Subrata Roy, the chairman of Sahara was arrested for the said fraud. His proposal to settle the matter was rejected by the court and SEBI.
Thus non-compliance with the laws of the land can have multi-faceted consequences, ranging from penalties and additional fines to prosecution. Following are some of the risks of non-compliance:
- Penalties and Fines: Penalties include financial fines, limitations on activities, additional barriers to approval and even imprisonment.
- Criminal Charges: Criminal charges are a potential consequence for certain regulatory non-compliance.
- Reputational Damage: A business’ public image is a key to its success. When a company is thrust into the public eye for failing to comply with regulations, there are reputational repercussions, which eventually lead to distrust.
- Access to Markets and Product Delays: Non-compliance across the enterprise and business network could result in exclusion from tendering processes and supplier databases. In addition, companies that place value on corporate compliance may avoid doing business with non-compliant companies, as they would want to ensure that they meet their own regulatory obligations.
- Roadblock in Funding: A company whose compliances are not up to date cannot get funded, even at the seed investment level.
“Governance, Risk and Compliance (GRC) is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.” Explain. (Aug 2021, 3 marks)
Governance, Risk and Compliance (GRC) is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity. GRC refers to a strategy for managing an organization’s overall governance, enterprise risk management and compliance with regulations. GRC is a set of processes and practices that runs across departments and functions. GRC might be enabled by a dedicated platform and other tools, although this is not mandatory. While organizations generally don’t need to maintain a separate GRC department, most organizations have a team in place to manage the GRC platform and tools. The scope of GRC doesn’t end with just governance, risk, and compliance management, but also includes assurance and performance management, information security management, quality management, ethics and values management, and business continuity management.
Effective GRC implementation helps the organization to reduce risk and improve control effectiveness, security and compliance through an integrated and unified approach that reduces the ill effects of organizational silos and redundancies.
How is compliance different from conformance?
Conformance is voluntary adherence to a standard, rule, specification, requirement, design, process or practice.
Compliance is forced adherence to a law, regulation, rule, process or practice.
Conformance applies to strategies and plans that are adopted to be more productive or to improve quality.
Compliance applies to laws and regulations that one has no option but to follow or face penalties. Such regulations may potentially be productive for society but don’t necessarily contribute to an organization’s goals.
What inputs should Internal Auditors be able to validate or provide to the CRMP?
Internal Auditors should be able to validate or provide the following inputs to the CRMP:
- Impacted Areas – processes, systems and policies
- Existing Controls
- Additional Controls – arising from amendments to existing legislation or from new legislation
- Risk Exposure – High, Medium, Low
- Responsible Party – Affected Parties
- Monitoring Plan – Business Unit Compliance
What are the possible risks of non-compliance?
Possible risks of non-compliance

| Compliance Area | Possible Risk of Non-Compliance |
|---|---|
| Direct tax compliance | |
| Indirect tax compliance | |
| Labour law compliance | |
| Environment, health and safety laws | |
| Corporate law compliance | |
Prepare the checklist that has to be followed for setting up a good compliance program.
Checklist to be followed for setting up a good compliance program:
(a) Understand the Scope: Identify all regulatory and internal compliance needs and challenge whether organizational responsibilities are properly aligned. This should not be a “one and done” step, but rather performed periodically, as regulatory landscapes and operational environments are constantly changing.
(b) Gather Internal and External Intelligence: Tap the collective intelligence of the company by soliciting thoughts from the Board, management and employees. Also look beyond the walls of the organization to understand industry developments and competitor reactions to corporate compliance. This includes researching legal actions to help identify risks.
(c) Define Objectives: Define objectives from both enterprise and business-unit standpoints. This should be a significant part of the periodic strategic planning process.
(d) Conduct a Risk Assessment: Identify risks, probabilities, and the significance in terms of both qualitative and quantitative measures. Consider scenarios from a cause-and-effect standpoint.
(e) Align Controls: Policies, procedures, and actions within a process should be in place to address the risks and best achieve objectives.
(f) Verify Buy-In and Understandability: Everyone needs to know their roles. For control owners to be expected to act appropriately, they need to understand the “why” and “how” of the compliance program. Controls need to be clearly communicated, ideally with a feedback loop so control owners can voice their insights and concerns.
(g) Test Cultural Support: Many organizations have put in place paper programs that have no real effect on the operations of the organization. Determine if the cultures at headquarters and all relevant business units are supportive of a strong corporate compliance program. This can be accomplished through surveys, independent reviews and entity-level control assessments.
(h) Assess On-Going Compliance: Build monitoring, internal audit and special reviews into the compliance program to help ensure that controls are operating effectively. This effort should also seek to identify the most efficient alignment of responsibilities and controls.
(i) Train, Educate and Communicate: Deliver periodic targeted training and share compliance information with the business units, global functions, external partners, customers, vendors, and other stakeholder groups.
(j) Measure Results and Report to Board: Develop a reporting dashboard to keep management groups and the Board aware of compliance measures, trends and developments. This should address both internal and external activities.
Governance and Compliance Risk Notes
Compliance Vs Conformance:
Conformance is voluntary adherence to a standard, rule, specification, requirement, design, process or practice. Compliance is forced adherence to a law, regulation, rule, process or practice.
Conformance applies to strategies and plans that are adopted to be more productive or to improve quality.
Compliance applies to laws and regulations that one has no option but to follow or face penalties. Such regulations may potentially be productive for society but don’t necessarily contribute to an organization’s goals.
Legal compliance is the process or procedure to ensure that an organization follows relevant laws, regulations and business rules. The definition of legal compliance, especially in the context of corporate legal departments, has recently been expanded to include understanding and adhering to ethical codes within entire professions, as well.
Challenges for Effective Corporate Compliance management:
- Large number of legislations and multiple regulators
- Multiple business locations attracting state legislations
- Lack of ownership/awareness among functional staff about compliance requirements
- Segmented compliance initiatives
- Time-consuming and unreliable manual reporting
- Dynamic legal environment, lack of a robust update process, and frequent changes in process owners and internal processes
Compliance risk is exposure to legal penalties, financial forfeiture and material loss an organization faces when it fails to act in accordance with industry laws and regulations, internal policies or prescribed best practices.
Internal audit is a dynamic profession involved in helping organisations achieve their objectives. It is concerned with evaluating and improving the effectiveness of risk management, control and governance processes in an organization.