Instituting Compliance in an Organization
Risk and compliance forms part of the 2 nd line of defense mechanisms of an organization’s controls system (COSO Framework). It complements other lines of defense in an organization including external audit and regulators. Most organizations have instituted a Risk and Compliance function to manage risks, ensure effectiveness of internal controls, and enhance corporate governance principles.
Compliance in an organization – whose role?
Instituting compliance in an organization is largely an oversight role of the Board or an organization’s top management body. However, ensuring compliance is everyone’s role. Compliance implies complying with an organizations’ policies and SOPs, national laws and regulations, donor requirements, global standards, and practices among others. This is everyone’s responsibility.
But most importantly, we should not forget that non-compliance is a risk that anorganization ought to mitigate to an acceptable level.
How to institute compliance?
Inculcating a compliance culture is never a one-day job, but rather a process that can take between 3-5 years depending on various underlying factors. I.e. a right tone at the top, documented organization’s policies and procedures, respect for organizational values and culture, adequate internal controls, a functional and competent compliance team among other factors.
Establishing a compliance culture also requires a number of initiatives and activities which could include among others; capacity building programs for all staff, consistent compliance checks and audits, policy reviews, sensitization and creating staff awareness on organizational policies and procedures. Also as principle, compliance is comprehensive and should encompass all operational and strategic areas of the organization. As a matter of fact, compliance checks should include holding accountable persons in top executive offices.
Reporting about compliance?
One other principle in compliance is communication. This involves documentation and discussion of compliance reports. As a means of enforcing compliance in organizations, management places reliance on compliance reports detailing different risks/ findings from the compliance activities (audits, reviews, and checks) for follow up and mitigation. Whereas internally compliance reports are a vehicle of improvement by enabling tracking of risks, externally they are also vital for external audits. They are a basis of planning for and understanding the different risks faced by the organization.
Lastly compliance is a commitment. It’s a role that should involve all key stakeholders in an organization ranging from managers/directors, all employees, donors, board members, clients/ communities we serve, government et cetera.
Jimdeen Ankunda
Risk & Compliance Officer, MTI-Uganda.