Putting Com­pli­ance At The Top Of The Agenda For Mid­dle East Busi­nesses

Forbes Middle East - - CONTENTS - By Haren­dra Kailath

In re­cent years, the con­cept of Gov­er­nance, Risk and Com­pli­ance (GRC) has gained trac­tion, and one of the rea­sons for this is the rapidly evolv­ing reg­u­la­tory en­vi­ron­ment. While gov­er­nance and risk man­age­ment are rel­a­tively well es­tab­lished, com­pli­ance—es­pe­cially in the non-fi­nan­cial ser­vices sec­tor—is rel­a­tively less de­vel­oped.

There are many rea­sons for this, in­clud­ing lim­ited reg­u­la­tory en­force­ment driv­ing or­ga­ni­za­tions to think about com­pli­ance or GRC. How­ever, the lack of reg­u­la­tory pres­sure should not be the only driver for de­vel­op­ing an ef­fec­tive com­pli­ance pro­gram.

All or­ga­ni­za­tions should be fo­cused on man­ag­ing their com­pli­ance ac­tiv­i­ties or else face the risk of cen­sure, fines, im­pris­on­ment, loss of their op­er­at­ing li­censes, or rep­u­ta­tional dam­age that could leave a last­ing im­pact on their cred­i­bil­ity. In this con­text, com­pli­ance is de­fined as how ef­fec­tively an or­ga­ni­za­tion is geared up to com­ply with ex­ter­nal laws, reg­u­la­tions, in­ter­nal guide­lines and poli­cies, and how ef­fi­ciently these are re­ported, mon­i­tored and con­trolled in real time.

In this re­gion we are be­gin­ning to see signs of change be­ing brought about by a shift in the reg­u­la­tory land­scape through VAT, anti-money laun­der­ing (AML) and data pri­vacy reg­u­la­tions, cap­i­tal mar­ket reg­u­la­tions, etc. Or­ga­ni­za­tions are in­creas­ingly be­com­ing aware that demon­strat­ing an ef­fec­tive com­pli­ance pro­gram is im­por­tant be­cause of in­tense scru­tiny from cus­tomers and busi­ness part­ners. Com­pli­ance is now rec­og­nized as a crit­i­cal com­po­nent of an or­ga­ni­za­tion’s wider GRC ca­pa­bil­i­ties.

In the Mid­dle East, com­pli­ance is gen­er­ally em­bed­ded within the re­mit of the In­ter­nal Au­dit func­tion, which is an in­her­ent con­flict of in­ter­est be­tween the se­cond and third line of de­fense, de­feat­ing the prin­ci­ples of in­de­pen­dence and ob­jec­tiv­ity.

Mid­dle East busi­nesses seem to find it dif­fi­cult to de­fine com­pli­ance—is it only about ex­ter­nal laws and reg­u­la­tions or can it in­clude in­ter­nal guide­lines, poli­cies and pro­ce­dures or all? For oth­ers, it is fo­cused only on ethics, AML, bribery and cor­rup­tion. In prac­tice, com­pli­ance should en­com­pass a wider scope such as in­dus­try spe­cific reg­u­la­tions, in­ter­nal poli­cies, health and safety, en­vi­ron­ment pro­tec­tion, cor­po­rate and tax, em­ploy­ment, in­tel­lec­tual prop­erty and im­mi­gra­tion laws.

Con­sol­i­dat­ing and doc­u­ment­ing the op­er­a­tional and reg­u­la­tory land­scape is of­ten seen as the most chal­leng­ing part of de­vel­op­ing a com­pli­ance frame­work. It is gen­er­ally dif­fi­cult to get a holis­tic view of an or­ga­ni­za­tion’s com­pli­ance obli­ga­tions as many ini­tia­tives across dif­fer­ent busi­ness units and de­part­ments are of­ten con­ducted in si­los, lead­ing to an in­con­sis­tent un­der­stand­ing of them.

Reg­u­la­tory in­ter­pre­ta­tion is an­other ma­jor chal­lenge—busi­nesses of­ten find it dif­fi­cult to get ac­cess to new laws or up­dates, and have lim­ited abil­ity to in­ter­pret the im­pact of these laws and the changes that their pro­grams must un­dergo to be com­pli­ant.

Com­pli­ance is also of­ten not viewed as a strate­gic value driver and at best is seen as a “nice to have”. This is re­in­forced when top man­age­ment are them­selves am­biva­lent to­wards the ben­e­fits of an in­te­grated GRC pro­gram. In­stead they should, with the Board, cre­ate a cul­ture of ef­fec­tive risk man­age­ment that in­te­grates the three el­e­ments of GRC.

Or­ga­ni­za­tions should re­spond to these chal­lenges by mak­ing com­pli­ance a board agenda item, no less im­por­tant than gov­er­nance and risk. This will help set the tone from the top and cre­ate a strong and ef­fec­tive first line of de­fense.

The com­pli­ance land­scape should be de­fined based on risk ap­petite, com­plex­ity and scale of the busi­ness op­er­a­tions. Con­sider the fi­nan­cial, rep­u­ta­tional and le­gal im­pli­ca­tions, and how it can add value to the busi­ness, es­pe­cially if con­sid­er­ing an IPO, at­tract­ing in­vestors or ex­pand­ing in­ter­na­tion­ally.

Main­tain in­de­pen­dence and ob­jec­tiv­ity by de­lin­eat­ing com­pli­ance roles and re­spon­si­bil­i­ties. Who is re­spon­si­ble for what and how? The role be­tween the se­cond line and third line of de­fense needs to be clearly seg­re­gated and de­fined to avoid any con­flicts and at the same time not over­com­pli­cate the or­ga­ni­za­tion’s struc­ture.

Tech­nol­ogy can cre­ate ef­fi­ciency and assess how com­pli­ance au­toma­tion could ben­e­fit the or­ga­ni­za­tion. Most lead­ing or­ga­ni­za­tions are go­ing dig­i­tal with their com­pli­ance ef­forts and are con­sid­er­ing ro­botic process or in­tel­li­gent au­toma­tion for mon­i­tor­ing rou­tine com­pli­ance tasks.

While there is no one-size-fits-all ap­proach, many or­ga­ni­za­tions have man­aged to de­velop a com­pli­ance frame­work that can stand up to reg­u­la­tory scru­tiny. This, aligned with an over­all GRC strat­egy, could well sup­port fu­ture suc­cess.

Newspapers in English

Newspapers from UAE

© PressReader. All rights reserved.