Table of contents
Nowadays, Fintech are not the only type of companies facing the kind of legal risks that may stunt their growth. Indeed, any company regardless of its size must comply with a series of mandatory laws, standards and regulations in order to successfully enter into markets and offer its products or services.
For this reason, an increasing number of companies are hiring a Compliance Officer, also known as a Corporate Responsibility Officer or Legal Director. Their role is to ensure that a company’s business is conducted in strict adherence to all legislation relating to its activity and business model, as well as evaluate the best way to managing risks.
Given the complexity of current regulations, a good Compliance Officer should have an in-depth knowledge of laws and norms, for which it is recommended that he/she has extensive proven experience in legal or fiscal matters and practical experience in regularly implementing legal standards. In addition, he/she must be an expert in defining and executing compliance strategies while using processes and tools to facilitate and improve work efficiency.
So, what exactly are the tools and processes that a good compliance officer should be using?
A Compliance Officer must ensure that a company complies with the regulations in force and avoids breaking the law, thus safeguarding its presence on the market as well as its reputation. The question is, what’s the smartest way of doing the job?
1. Define compliance goals
In order to develop a compliance plan, the first step is to establish a set of objectives. The directive UNE-ISO 19600:2015 is a global benchmark for this very task and applicable to all companies, offering a set of standards for the implementing, evaluating, maintaining and improving of a compliance management system. The law also indicates how companies can ensure that they are fulfilling goals and outlines how to guarantee that any third-party agreements are also compliant.
2. Create a balanced scorecard
In order to monitor whether compliance objectives are being met or not, Compliance Officers can make use of a balanced scorecard with a list of indicators to evaluate if current control measures are proving efficient or not. Indicators may include: the level of automation of each control; the number of satisfactorily executed controls out of the total number in any given process, etc. These indicators allow for a very quick overview of a control measure implicated in a process, which subsequently allows for an easier understanding of a compliance plan in real time. It also allows the Compliance Officer to know the state of any current risks, report them to management and design an improvement plan, if necessary.
Los controles automáticos son los que se implementan directamente en los sistemas informáticos. Cuanto más digitalizada esté una empresa, más controles automáticos se pueden implementar, y si éstos funcionan correctamente, se reduce significativamente el riesgo con respecto a un control manual, porque se mitiga el riesgo de error humano.
EJEMPLOS DE CONTROLES AUTOMÁTICOS:
- La herramienta de compras no permita emitir un pedido de compra a un proveedor si no existe presupuesto aprobado para esa compra.
- Al generar el pedido, el sistema solicita un número de documento presupuestario:
- Si introduces el número, el propio sistema identifica si el pedido que estas haciendo concuerda con la compra para la que se han solicitado fondos. Si es así, permite emitir el pedido y mandarlo al proveedor.
- Si no introduces ese número, el sistema se bloquea y no permite continuar con el pedido.
Automated controls are implemented directly into IT systems. The more digitized a company is, the greater the number of automated controls it can have, and their smooth operation means that risk factors associated with manual operations are reduced considerably.
The following are examples of automated controls:
- An authorization of purchases will not occur with a supplier if there is no prior established budget for that particular purchase.
- When creating an order, the system will request a budget document reference number:
- If you submit the reference number, the system will identify whether your order is in concordance with what the budget allows. If this is the case, it will allow the order to take place and inform the supplier.
- If the reference is not entered, the system will block the order.
3. Employ analytics and risk management methods
There are various ways in which the impact of risks and the probability of their occurrence can be evaluated. Nowadays, many companies still use a qualitative approach, which sees them evaluate risks by using questionnaires completed by the heads of each process. This approach is problematic, given that managers offer evaluations of a given risk’s impact and probability that are purely subjective and based entirely on his/her own experience. Ultimately, the most complex factor when analyzing risks is deciding which one should take priority over the rest.
> Assign monetary value to a specific risk.
> Results are more precise and in greater concordance with reality.
> Subjectively define wether risks are high, medium or low.
> Opt for methods such as risk matrices to prioritize risks according to (i) their impact and (ii) probability of occurence.
> Results depend on subjective perception of risk.
The risk management standard ISO 31000:2009 brings together a series of principles and directives to manage any type of risk and implement a management process that can be integrated at both the strategic and operational level of a business. The ISO can be used by any type of business, from any industry or sector.
4. Use monitoring systems
Companies that have successfully managed to digitally transform their business are most likely to have all their data integrated into an Enterprise Resource Planning (ERP) software tool, which makes a history of each and every task or edit. As every last thing is recorded, it is possible to know at any given moment who carried out which particular action within the system. All information generated can be traced, which when combined with an efficient monitoring tool and a system of alerts, can allow the rapid detection of suspicious or fraudulent actions with greater ease.
5. Gather evidence
In the event of an infringement, a solid compliance plan should be drawn up to demonstrate that there are sufficient controls in place to avoid similar situations. At the end of the day, compliance is about proving that action is being taken; that employees have received adequate training; that a contract has been sent to a supplier; that an informative email has been sent to management, etc. The email certificate is a perfect tool for gathering such evidence, precisely because it proves that a given document has been sent and read by its recipient.
6. Segregate duties
To avoid one person or department managing “incompatible” duties that could lead to fraudulent activity, it is highly recommendable to carefully separate and assign tasks. One way of doing this easily and quickly is by drawing up a matrix of professionals and tasks in areas where there are conflicts of interest. To give an example, the person in charge of organizing salaries should not have permission to change details of the bank account into which a payment is destined. An overlap of duties within the same working process must be avoided at all costs, as this makes it much easier for fraudulence to occur within a company.
7. Draft a Code of Ethics
It is highly recommendable to draw up a Code of Ethics, placing it in your employee handbook, and distributing it among all departments within the company. This code of ethics should be signed by as many employees as possible.
Having an electronic signature vastly contributes to maximizing the number of potential signatures, as employees can sign it easily and from wherever they happen to be, whether at their desk, on their tablet or from their mobile phone. Furthermore, the sender can know the document’s status apropos each employee at any given moment, and specifically whether it has been signed or not. As a result, time ordinarily spent following up with each individual can be reduced to an absolute minimum.
8. Set up a complaint system
In order to investigate incidents of fraud, there needs to be a clear means of filing an internal and external report, thus allowing employees and clients, suppliers and other interest groups to report any incidents that have breach the company’s Code of Ethics by an employee or a department. Reports can be filed via an online form integrated onto the company’s website or by sending an email directly to the person responsible for leading the investigation, who will determine if a breach has occurred once the report is deemed valid.
These are just some of the processes and tools available to a Compliance Officer. Since the role requires a significant level of responsibility, it is absolutely essential that a professional is aware of these 8 options and knows how to use them, all the while taking into account the needs of each individual organization.
At Signaturit, we offer 2 tools that can make a Compliance Officer’s job faster and more efficient, regardless of the type of company or sector: the electronic signature and the email certificate. You can find more information on both solutions by downloading the following white paper. If you have any further inquiries or questions, please do not hesitate to contact us directly by calling us on +34 960 03 12 03.