Pretty often, I have found that compliance monitoring programmes don't really ask the right question. Compliant? Perhaps there's a better question out there.
Compliance monitoring programmes, in my experience, almost invariably try to answer one question: Are we compliant?
They typically reflect on the regulatory obligations and assess whether there is evidence of ‘compliance’.
What you get then is nothing more than a ‘tick in the box’ against that regulatory requirement.
It is therefore very difficult to determine whether you are getting any real return on investment from your compliance function.
Of course, what boards should really be seeking is a level of assurance, because the question above can only honestly be answered with ‘No’.
The better question is: What levels of assurance do we have that we have identified, suitably mitigated and are monitoring our regulatory risks?
Compliance assurance should be risk-based, aligned with the outputs from your business risk assessment and set on a recognised and validated framework, such as ISO or COSO.