Denial and retirement savings insanity

The career of the Compliance Officer
By Greta Maritz
1. Introduction
he concept of a formalised compliance function is relatively new in SouthAfrica compared to global markets. Historically, the only organisations thathad semblances of compliance officers or functions, were those who wererequired to have them in terms of exchange rules. However, since the late ‘90s, the concept has spread much further, albeit still predominantly in thefinancial services industry. It is a risk management tool, which, if appliedcorrectly, holds unlimited benefits for the organisation.
In this article, I use mainly financial services terminology and examples but theprinciples are applicable to all organisations that have to adhere to statutory,industry and best practice requirements.
2. What is a Compliance Officer ("CO")?
A CO is someone with an expense account for Prozac! It is also someone whose job description soundsworse than that of an actuary but who, in fact has an unbelievably stimulating and diversified function.
A CO is a person who is tasked with facilitating the elimination/ management of regulatory risk from theorganisation. The term “compliance risk” is also used. This is achieved by facilitating and enablingcompliance with the rules applicable to the organisation.
In South Africa, “regulatory risk” should be interpreted in its widest possible sense. This is particularlyrelevant where we do not yet have industry rulebooks to assist with the application of legislation andwhich form part of the regulatory framework. Risk from a compliance perspective is incurred when anyrules applicable to the organisation are breached.
The “rules” include all statutory requirements as well as management requirements which have beenadopted as policy by the organisation pursuant to industry or best practice requirements e.g. codes ofconduct, Corporate Governance principles, etc.
Globally, non-core legislation e.g. HR and tax, do not form part of a CO’s jurisdiction and therefore, I donot recommend that you include them in your compliance monitoring program unless, of course, theorganisation tasks the CO specifically to include all applicable legislation.
The prioritizing of identified regulatory risks must be determined on a risk-weighted basis in conjunctionwith the relevant business area.
Your risk weighing should be done on the basis of probability of non-compliance with a rule and, if it does occur, the impact thereof (referred to as a “risk matrix”).
N.B. The compliance function merely facilitates and enables the business areas to comply with the
rules. MANAGEMENT IS ACCOUNTABLE FOR ENSURING COMPLIANCE. This is an
accountability that can NEVER be outsourced.
3. Who are COs?
A CO is anyone who is called a CO and fulfils a compliance function or, if not called a CO, anyone whoin substance fulfills such a function.
Currently, there are several statutes which specifically require the formal appointment of COs andformalised compliance functions e.g. the Financial Advisory and Intermediary Services Act, 2002 ("theFAIS Act").
Any organisation in any industry that faces regulatory risk should have a formalised compliance functionif it is serious about risk management, which it will be, if it is serious about being profitable.
Job titles
It does not matter what you call a CO as long as the word “compliance” appears in it e.g. complianceofficer, compliance manager, group compliance officer, head of compliance, etc. The use of appropriatejob titles will raise and acknowledge the role and credibility of COs.
4. Where does a CO fit into the organisation?
This question is often a sensitive one in some organisations. The more sensitive, the more indicative of theorganisation’s attitude towards compliance (which will, of course, be denied by the relevant organisation).
Certain statutes provide that the CO must report directly to the CEO.
In principle, compliance must be an independent function at a senior level and at least have access to theCEO.
The CO must also have access to all corporate governance forums within the organisation and attend allcommittees charged with internal control e.g. the Audit Committee.
An executive director on the board must be charged with accountability for the compliance function.
As far as day-to-day line management reporting is concerned, it depends on applicable legislation, failingwhich, the Head of Risk or the Finance Director is not uncommon.
The make-up of your compliance unit must be tailor made to suit your organisation, its products and theapplicable rules. A structure that seems to work very well for a large organisation, is to have a centralteam of a few COs that fulfils macro compliance activities and in addition thereto, have specialist COs,where, required, who physically sit in the relevant business area e.g. Treasury, etc.
If you are part of a group of companies, a group compliance plan should be put in place, which sets groupstandards and self-assessment methodologies.
It must also be kept in mind that all your offshore operations should form part of the compliancemonitoring program for your organisation or group.
The role of an external CO to small and medium –sized businesses must be adapted to make provision for a less formalised environment which presents its own challenges. However, the principles remain thesame and management must include the compliance function at an appropriate level. External COs mustnot be relegated to an administrative level by not affording the CO direct interaction with key individuals.
A typical CO
COs may be sourced from various disciplines and I suggest that you build a team with a combination ofthe following skills: auditinglegaloperationalex-regulatory.
A CO must always understand and know the business failing which he/she will probably be ineffectual. I
disagree with the opinion that a CO who comes from an engineering company will be an effective CO to a
bank and that the type of business is irrelevant.
Note that certain COs e.g. a CO appointed in terms of the FAIS Act, must comply with certain set fit andproper requirements and may require registration with e.g. the Financial Services Board.
5. What does a CO do?
As stated above, the core function of a CO is rule driven. A CO identifies the rules applicable to thebusiness area and then establishes a process in the organisation that gives effect to that rule.
A formal compliance monitoring program is then established to monitor that the business area complieswith the rules on an on-going basis.
The CO must ensure that policies and procedures are put into place to achieve compliance. This does notmean that the CO must be held accountable for the creation or writing of these procedures but once aprocedure has been identified as lacking or incomplete by the CO, the CO must escalate the matter untilsuch procedure is implemented by the business area. In some cases, the CO is in fact the best person toinitiate or write certain procedures but management still remains accountable for ensuring implementationof and compliance with such procedures.
The total time of an internal compliance unit should be spent as follows: advisory - ± 40%monitoring - ± 30%training - ± 30% Advisory
The advisory function is not an ad hoc, shoot from the hip, reactive, advise you in the passage, type offunction. Several organisations think that they have an effective compliance function by doing exactlyonly that.
The advisory function must be formalised and the sign-off/role/attendance of the CO must beimplemented on a permanent, compulsory basis in exco, opco, new product and all other relevantmeetings, committees and forums, where the CO must render input and advice in an in-depth, holistic andpro-active manner. Hence, you must know the business! Monitoring
You must design a compliance-monitoring plan that will make sense and be practical for yourorganisation. In essence, you must, on a regular basis do an audit to monitor compliance with the rules.
This is the part of compliance that resembles the internal audit function.
Training
Training is the function that usually suffers most if the compliance unit is under resourced. Trainingincludes presentations on policies and procedures, liaising with regulators, alerting management topending legislation, the impact thereof and collating their comments for submission to the relevant parties,interpretation of legislation, establishing and maintaining a practical compliance manual, presentations onnew legislation, etc.
The compliance manual is the best source of training requirements. The compliance manual is an in housecustomized manual which will alert and refer employees to the rules in a practical manner e.g. riskpolicies, references to the applicable statutory framework, organograms setting out accountability ofpositions/areas, etc. The contents of the compliance manual may be grouped according toproducts/processes as opposed to rules.
An external CO’s duties are contained in a service level agreement which may limit the CO’s rolecompared to an internal CO. It is the organisation’s responsibility to ensure that any compliance or otherrisk management duties not performed by a specific external CO are taken care of by the organisation.
The relevant service level agreement must comply with any statutory requirements.
Generic job description
Determine statutory and management requirements (“rules”) applicable to particular business area.
Develop a risk matrix for that business area.
Assess compliance therewith by linking rules to processes (*"rules & process analysis").
Implement policies and procedures to assist, facilitate and enable compliance with rules.
Implement a compliance programme.
Monitor compliance with rules via compliance programme.
Assist, enable, facilitate and monitor compliance with laws, policies and procedures on a riskweighed basis as determined in terms of the risk matrix.
Establish and update compliance manual relating to business area.
Do written reports to management of business area.
Establish and maintain relationships with business area, line management of the business area,internal and external audit and other complimentary departments and divisions e.g. Legal, HR,Internal Audit, etc.
Give ad hoc advice to business area in respect of regulatory and operational risk (“compliancerisk”).
Recognise any requirements of senior management in respect of compliance function.
Escalate material non-compliance to appropriate representation forum.
Initiate and ensure disciplinary proceedings, where necessary.
Be involved in major decisions.
Do training, where necessary.
Communicate rules to business area.
Cultivate compliance culture.
Comment on draft legislation.
Interact and liaise with regulators.
Represent the organisation in respect of the compliance function and any matter related thereto.
Consult widely.
Liaise with key third parties in respect of strategic issues relating to compliance.
(Job descriptions are subject to specific statutory requirements and SLAs.) Relationships
Despite everything that I have said, you (if you are new to compliance) are probably still completely in thedark as to what a CO does that is so different and why we need them. Comparing and pointing out thedifferences between the compliance function and other existing functions may assist.
1. Compliance
The CO must enable, facilitate and monitor compliance with all applicable rules. In other words,your point of departure is a rule.
2. Internal audit
Internal audit (in SA) checks the efficiency of processes in order to verify financial statements.
He/she does not necessarily check that all rules/statutory requirements are complied with. Theinternal auditor attempts to identify any operational risk. His/her point of departure therefore, isprocesses.
3. Company Secretary
The company secretary’s core function is to be the right hand person to the board of directors.
4. Legal Adviser
The typical legal adviser facilitates legal documentation and advice and in most organisations, isreactive and does not form an integral part of the business area.
5. Management
Management is accountable for ensuring that the organisation complies with all rules as defined andapplies proper risk management practices. They, therefore, use the above functions to assist them inverifying that the organisation has adequate internal controls.
N.B. The above functions, as well as all other risk management functions within the organisation, should
form strategic relationships with each other. Several non-core activities are performed by more than one
of these functions e.g. the company secretary may use the training function of compliance to train the
board, the compliance function may use the audit reports to assist with monitoring, etc. It’s important that
the organisation does this exercise. If you experience a territorial or other attitude from some of the other
functions, you have no choice but to approach your function by doing everything it takes to achieve your
goals. Compliance is accountable for facilitating the elimination/ management of compliance risk. Even if
you are able to “delegate” some of your activities, they must still form part of your monitoring
programme.
An external CO would follow the same principles adapted to the organisation.
6. What is the procedure in the event of non-compliance and the
responsibility of a CO?
If an event of non-compliance occurs, you should report it to the line management of that business area. Ifnot rectified, you must escalate the event to the next level until you have exhausted the entire corporategovernance structure within your organisation. You may wish to make any high-level escalation subject toa definition of “materiality”. If it is a statutory requirement to advise the regulator, you have to do so.
However, you will find that this reporting duty issue is a highly controversial issue, even in countries suchas the UK, where the reporting duty of the CO is spelt out under all circumstances.
The science fiction writer, Ray Bradbury, said, “Living at risk is stepping off the cliff and building your wings on the way down.” This in-flight wing-building analogy was used in the context of discussing the inherent conflict that a COfaces when he/she has to make a decision whether to report the organisation to the regulator or not. If youoverride your organisation’s decision not to report it, you will be unemployable and unemployed soonthereafter. If you don’t report it, you face the risk that the regulator finds out and you will beunemployable as a CO, in any event. You may also face personal liability.
Despite the huge personal liability that a CO may incur, we still find this issue highly controversial. I amof the opinion that if you are part of an organisation that does suppress material non-compliance with thelaw, you should tender your resignation. It is not an option that a CO could be overridden at any time bythe organisation.
This highlights the importance of appointing high-calibre COs as it is also not desirable to have amaverick CO that reports every single incident of non-compliance to the regulators without consulting theCEO, the board of directors, etc.
I believe that at the very least the CO must act upon an event of non-compliance by raising it with andescalating it to the highest level in the organisation. In most cases, the CO’s personal liability has beenbased upon a lack of doing so and not purely for not reporting it to the regulator (subject to statutoryrequirements).
7. Conclusion
Compliance is here to stay. If you do not have a compliance function in your organisation whilst subject torules, your business will not survive. Compliance is the first function to be formally charged withreconciling the applicable rules with the business. The CO adds value – he/she does not obstruct thebusiness. The question “Do we need a compliance function/ officer?” has, therefore, become an ignorantquestion.
I also think that the compliance professionals within the different industries should support each other andshare information freely. In SA, there is a perception that you don’t know what you are doing if you askquestions.
Finally, I must say that the life of a CO puts Prozac to the test but it is a very stimulating, diverse andchallenging function!

Source: http://www.financialmarketsjournal.co.za/18thedition/printedarticles/complianceofficer.pdf