How to effectively identify new and changed compliance obligations and evaluate their impact
Compliance is an ongoing process and the outcome of an organisation meeting its obligations. In accordance with clause 4.5 of ISO 37301, you are therefore required to systematically identify the compliance obligations resulting from your activities, products and services, and to assess their impact on your operations.
Furthermore, you are required to have processes in place to:
1. Identify new and changed compliance obligations to ensure ongoing compliance;
2. Evaluate the impact of the identified changes and implement any necessary changes in the management of the compliance obligations.
This is easier said than done. But before we dive into how to actually identify new and changed obligations and evaluate their impact, let’s first look at what compliance obligations are. Clause 3.25 of ISO 37301 provides the following clear definition: “requirements that an organization mandatorily has to comply with as well as those that an organization voluntarily chooses to comply with”.
Requirements that you mandatorily must comply with can include:
- laws and regulations (e.g. EU 4th AML Directive)
- guidance issued by regulatory agencies (e.g. EBA ML/TF Risk Factors Guidelines)
- judgements of courts or administrative tribunals
Requirements that an organisation can voluntarily choose to comply with can include:
- agreements with public authorities and customers
- organisational requirements, such as policies and procedures (e.g. AML Policy)
- relevant organisational and industry standards (e.g. ISO 37301)
How can new and changed compliance obligations be identified?
You should first identify compliance obligations by department, function and type of organisational activity in order to determine who is affected by each obligation. For smaller organisations this is naturally much easier than for larger ones. In both cases it is advisable to use an organisational chart together with a complete list of departments and functions, including the job descriptions within your organisation. In a large organisation it may also be necessary to interview the managers of the different business units, departments or other subdivisions to better understand the structure.
Secondly, you should have one or more processes in place to obtain information on changes to laws and other compliance obligations. Such processes can include, but are not limited to:
- being on the mailing lists of relevant regulators
- membership of professional groups (e.g. ICA or ACAMS)
- subscribing to relevant information services (e.g. AML Intelligence or RiskScreen)
- monitoring the websites of regulators
- monitoring the sources of the compliance obligations (e.g. regulatory pronouncements, court decisions)
A risk-based approach should be taken, i.e. you should start by identifying the most important compliance obligations relevant to your business and then move on to all the other compliance obligations. This is also referred to as the Pareto principle.
How can the impact of the identified changes be evaluated and any necessary changes in the management of the compliance obligations be implemented?
Where appropriate, you should establish and maintain a single document (such as a register or log) setting out all of your compliance obligations, and have a process for updating that document on a regular basis.
In addition to setting out your compliance obligations, the document should include:
- the impact of the compliance obligations
- the management of the compliance obligations
- the controls linked to the compliance obligations
At Simon Consulting we are ready to help you identify all your compliance obligations and guide you through all the necessary steps.