In recent years, the concept of Governance, Risk and Compliance (GRC) has gained traction, and one of the reasons for this is the rapidly evolving regulatory environment. While governance and risk management are relatively well established, compliance—especially in the non-financial services sector—is relatively less developed.
There are many reasons for this, including limited regulatory enforcement driving organizations to think about compliance or GRC. However, the lack of regulatory pressure should not be the only driver for developing an effective compliance program.
All organizations should be focused on managing their compliance activities or else face the risk of censure, fines, imprisonment, loss of their operating licenses, or reputational damage that could leave a lasting impact on their credibility. In this context, compliance is defined as how effectively an organization is geared up to comply with external laws, regulations, internal guidelines and policies, and how efficiently these are reported, monitored and controlled in real time.
In this region we are beginning to see signs of change being brought about by a shift in the regulatory landscape through VAT, anti-money laundering (AML) and data privacy regulations, capital market regulations, etc. Organizations are increasingly becoming aware that demonstrating an effective compliance program is important because of intense scrutiny from customers and business partners. Compliance is now recognized as a critical component of an organization’s wider GRC capabilities.
In the Middle East, compliance is generally embedded within the remit of the Internal Audit function, which is an inherent conflict of interest between the second and third line of defense, defeating the principles of independence and objectivity.
Middle East businesses seem to find it difficult to define compliance—is it only about external laws and regulations or can it include internal guidelines, policies and procedures or all? For others, it is focused only on ethics, AML, bribery and corruption. In practice, compliance should encompass a wider scope such as industry specific regulations, internal policies, health and safety, environment protection, corporate and tax, employment, intellectual property and immigration laws.
Consolidating and documenting the operational and regulatory landscape is often seen as the most challenging part of developing a compliance framework. It is generally difficult to get a holistic view of an organization’s compliance obligations as many initiatives across different business units and departments are often conducted in silos, leading to an inconsistent understanding of them.
Regulatory interpretation is another major challenge—businesses often find it difficult to get access to new laws or updates, and have limited ability to interpret the impact of these laws and the changes that their programs must undergo to be compliant.
Compliance is also often not viewed as a strategic value driver and at best is seen as a “nice to have”. This is reinforced when top management are themselves ambivalent towards the benefits of an integrated GRC program. Instead they should, with the Board, create a culture of effective risk management that integrates the three elements of GRC.
Organizations should respond to these challenges by making compliance a board agenda item, no less important than governance and risk. This will help set the tone from the top and create a strong and effective first line of defense.
The compliance landscape should be defined based on risk appetite, complexity and scale of the business operations. Consider the financial, reputational and legal implications, and how it can add value to the business, especially if considering an IPO, attracting investors or expanding internationally.
Maintain independence and objectivity by delineating compliance roles and responsibilities. Who is responsible for what, and how? The roles of the second and third lines of defense need to be clearly segregated and defined to avoid any conflicts, while at the same time not overcomplicating the organization’s structure.
Use technology to create efficiency, and assess how compliance automation could benefit the organization. Most leading organizations are going digital with their compliance efforts and are considering robotic process automation or intelligent automation for monitoring routine compliance tasks.
While there is no one-size-fits-all approach, many organizations have managed to develop a compliance framework that can stand up to regulatory scrutiny. This, aligned with an overall GRC strategy, could well support future success.
Harendra Kailath is the Governance and Compliance Leader at PwC Middle East.