Author: Paul Curwell
What are compliance obligations?
The importance of business integrity has increased over the past 10 – 15 years. Increased enforcement action by international regulators, culminating in hefty fines and prosecution, has occurred in areas such as trade sanctions, bribery and corruption, modern slavery and anti-money laundering. Additionally, the ‘social licence to operate’ of every business is gaining importance amongst communities globally, with businesses that behave unethically or inappropriately incurring the wrath of consumers.
Compliance management, including complying with regulatory and policy obligations, is a fundamental component of business integrity (what the OECD refers to as ‘responsible business conduct’). Understanding your compliance obligations, and having actions in place to ensure your business complies with them, is expected by regulators and consumers alike.
For business, managing compliance obligations has always been a challenge – they are not something which can be produced once and never refreshed. Legislation is constantly changing, international standards are being updated, and organisations regularly revise their internal policies. The first step in managing your compliance obligations is building an obligation register customised for your business.
How do you build an obligation register?
The time and effort required to conduct this work depends on your business, your industry (highly regulated industries will have more obligations), and the jurisdictions you operate in. There are six main steps to building an obligation register for compliance management:
- Identify and map your compliance landscape – this step involves identifying all the regulation (legislation), international standards (e.g. ISO27001), and internal policies which create obligations that dictate the way your business, suppliers or employees / contractors need to operate. This may be most efficiently done using a combination of research, interviews and / or workshops or brainstorming – it is also a task you may wish to outsource.
- Build your obligation register template – this is the document that will ultimately become your Business Obligation Register. You may wish to do this in something like Microsoft Excel, Microsoft SharePoint, Microsoft Word or in a database, such as a Governance, Risk and Compliance (GRC) system (see ‘the importance of regular updates’ for more detail). An example of a Business Obligation Register is illustrated below.
- Review the source documentation – for each compliance obligation (e.g. ISO27001, or your jurisdiction’s companies legislation), extract the relevant information and populate the register. In some cases, you may need a lawyer to provide an interpretation of a specific obligation, or to help convert that interpretation into the actual things you need to do to comply (i.e. the ‘plain English’ obligation).
- Map the populated obligations to your business’ internal control environment – identify which controls you have in place to ensure compliance or mitigate the risk of non-compliance. Note this step does not consider the effectiveness or coverage of each control, which are related but separate concepts. I will write about this in a subsequent article.
- Review the final draft – this step should involve the stakeholders involved in the previous steps, as well as a legal review to ensure nothing has been overlooked or misrepresented prior to implementation.
- Publish your Business Obligation Register in a central location which can be accessed by line managers (you may want to make this version read-only to avoid any unauthorised updates or accidental modifications). You should also implement a process to periodically update the register.
What sort of data is captured in an obligation register?
There is no mandatory structure for an obligation register – the fields you wish to capture in your obligation register depend on your organisation. Common examples of data captured include:
- Document type – such as legislation, policies, international standards etc.
- Document reference – this might be an identification number (e.g. ISO9001). Typically you will have obligations from multiple sources in the same register.
- Document name – e.g. “Consumer Act”
- Version or date of last update – to allow the Obligations Register to be compared against the source document to determine whether it is current
- Obligation wording – the original wording contained in the source document, word for word
- Simple English obligation – some legislation is gibberish to non-lawyers, and requires a simple explanation, understandable by all staff, of what the organisation needs to do to comply
- Priority or importance – this might be reflected by including penalty information, or showing how critical compliance with an obligation is to the business, to help inform management decisions. An example might be where a company states it will ‘endeavour to comply’ with ISO23001 (business continuity management), but is not actually ISO certified making compliance optional.
- Applicable business unit / team – not every obligation is relevant to every team on the organisational chart, so capturing this makes compliance easier for line managers
- Internal control name – the name of the control which mitigates non-compliance with the obligation
- Internal control identifier – many organisations have numbers for controls, such as where a control is part of a mapped business process
- Internal control owner – sometimes, the owner of the control resides in a different team to the owner of the compliance obligation, meaning both parties need to communicate to ensure compliance.
As you can see, obligations registers vary in relation to content and structure, but the key element is to ensure executives know what their obligations are, and what steps (in the form of controls) the business has implemented to ensure compliance.
The importance of regular updates
As we have seen in the previous paragraphs, it is important that an Obligation Register is up to date and reflects the organisation’s internal and external compliance obligations at that point in time. Building an obligations register from nothing takes substantial time and effort, but it can also get out of control if periodic updates are not made.
Modern tools and technology make periodic updates comparatively easy, particularly when it comes to monitoring obligation sources for updates. Ways businesses can monitor for updates to compliance obligations include:
- Subscribing to legislative update alerts on government websites in the jurisdiction(s) concerned.
- Alternatively, businesses without internal resources to do this may seek to outsource this to lawyers or consultants, or purchase updates from commercial information vendors.
- Monitoring the relevant International Standards Organisation web pages for notices of when standards that relate to your business are being refreshed.
- Ensuring the Business Obligation Register owner is informed of any internal policy refreshes or updates, such as when they are tabled at management committees or the board for endorsement, to trigger the refresh process.
Better practice involves assigning responsibility for oversight of the overall obligations register to one person (ideally a senior executive) to ensure it is properly managed and updated. Typically, however, teams from across the organisation will manage the actual updates.
Can a Governance, Risk and Compliance (GRC) system help?
Many organisations are increasingly using Governance, Risk and Compliance (GRC) systems to help manage compliance obligations, policy versions and refreshes, risk registers, control libraries and assurance tasks. GRC systems are a great idea; however, they require considerable forethought in terms of design to ensure the way they work will accommodate business requirements.
As someone who has implemented a few different GRC systems for clients in the Financial Services and Mining industries, I have found that a number of vendors on the market haven’t really thought through the ‘GRC architecture’ and design, or have had their systems designed by someone who doesn’t understand the complex relationships inherent in risk architecture, meaning some systems are more difficult to implement and operate than others. More on this in a future article.
- Curwell, P. (2022). Ukraine and looming Russian sanctions – implications for supply chains.
- Curwell, P. (2021). Modern Slavery, Human Trafficking & People Smuggling? (Part I).
- International Standards Organisation (2021). ISO 37301:2021 Compliance management systems. https://www.iso.org/standard/75080.html
- Organisation for Economic Cooperation and Development (2023). Responsible Business Conduct in Guidelines for Multinational Enterprises. https://mneguidelines.oecd.org/