Developing an compliance obligation register for your business

Posted on March 4, 2023 by Paul Curwell, CPP, CFE, CISSP

Author: Paul Curwell

What are compliance obilgations?

The importance of business integrity has increased over the past 10 – 15 years. Increased enforcement action by international regulators, culminating in hefty fines and prosecution, has occured in areas such as trade sanctions, bribery and corruption, modern slavery and anti-money laundering. Additionally, the ‘social licence to operate‘ for every business is gaining increased importance amongst communities globally, with businesses who behave unethically or inappropriately incuring the wrath of consumers.

man sitting in front of keyboard — Photo by Jopwell on Pexels.com

Compliance management, including complying with regulatory and policy obligations, is a fundamental component of business integrity (what the OECD refers to as ‘responsible business conduct‘). Understanding your compliance obligations and having actions in place to ensure your business complies with them is expected by regulators and consumers alike.

Illustrative example of a compliance obligation (Curwell, 2023)

For business, managing compliance obligations has always been a challenge – they are not something which can be produced once and never refreshed. Legislation is constantly changing, international standards are being updated, and organisations regularly revising internal policies. The first step in managing your compliance obligations starts with building an obligation register customised for your business.

How do you build an obligation register?

The time and effort required to conduct this work depends on your business, your industry (highly regulated industries will have more obligations), and the jurisdictions you operate in. There are six main steps to building a obligation register for compliance management:

Identify and map your compliance landscape – this step involves identifying all the regulation (legislation), international standards (e.g. ISO27001), and internal policies which create obligations that dictate the way your business, suppliers or employees / contractors need to operate. This may be most efficiently done using a combination of research, interviews and / or workshops or brainstorming – it is also a task you may wish to outsource.
Build your obligation register template – this is the document that will utlimately become your Business Obligation Register. You may wish to do this in something like Microsoft Excel, Microsoft Sharepoint, Microsoft Word or in a database, such as a Governance Risk Compliance (GRC) system (see ‘the importance of regular updates’ for more detail). An example of a Business Obligation Register is illustrated below.
Review the source documentation – for each compliance obligation (e.g. ISO27001, or your jurisdiction’s companies legislation), extract the relevant information, and populate the register. In some cases, you may need a lawyer to provide an interpretation on a specific obligation, or to help convert the interpretation of that obligation to the actual things you need to do to comply (i.e. the ‘plain english’ obligation).
Map the populated obligations to your business’ internal control environment – identify what controls do you have in place to ensure compliance or mitigate the risk of non-compliance. Note this step does not consider the effectiveness or coverage of each control, which are related but separate concepts. I will write about this in a subsequent article.
Review the final draft – this step should involve stakeholders involved in the previous steps, as well as a legal review to ensure nothing has been overlooked or misreprented prior to implementation.
Publish your Business Obligation Register in a central location which can be accessed by line managers (you may want to make this version read only to avoid any unauthorised updates or accidental modifications). You should also implement a process to periodically update the register.

Illustrative Obligations Register in Microsoft Excel. — Illustrative Obligations Register in Microsoft Excel (Curwell, 2023).

What sort of data is captured in an obligation register?

There is no mandatory structure for an obligation register – the fields you wish to capture in your obligation register depend on your organisation. Common examples of data captured include:

Document type – such as legislation, policies, international standards etc.
Document reference – this might be an identification number (e.g. ISO9001). Typically you will have obligations from multiple sources in the same register.
Document name – e.g. “Consumer Act”
Version or date of last update – to allow for comparision of the Obligations Register to the source to determine whether current
Obligation wording – the original wording contained in the source document, word for word
Simple english obligation – some legislation is gibberish to non-lawyers, and requires a simple explanation of what the organisation needs to do to comply which can be understood by all staff
Priority or importance – this might be reflected by including penalty information, or showing how critical compliance with an obligation is to the business, to help inform management decisions. An example might be where a company states it will ‘endeavour to comply’ with ISO23001 (business continuity management), but is not actually ISO certified making compliance optional.
Applicable business unit / team – not every obligation is relevant to every team on the organisational chart, so capturing this makes compliance easier for line managers
Internal control name – what is the name of the control which mitigates non-compilance with the obligation?
Internal control identifier – many organisations have numbers for controls, such as where a control is part of a mapped business process
Internal control owner – sometimes, the owner of the control resides in a different team to the owner of the compliance obligation, meaning both parties need to communicate to ensure compliance.

As you can see, obligations registers vary in relation to content and structure, but the key element is to ensure executives know what their obligations are, and what steps (in the form of controls) the business has implemented to ensure compliance.

man standing on a rock — Photo by Andrei Tanase on Pexels.com

The importance of regular updates

As we have seen in previous paragraphs, it is important that an Obligation Register is up to date and reflects the organisation’s internal and external compliance obligations at that point in time. Building an obligations register from nothing takes substantial time and effort, but it can also get out of control if periodic updates are not made.

Modern tools and technology help make period updates comparatively easy, particularly whe n it comes to monitoring obligation sources for updates. Ways businesses can monitor for updates to compliance obligations include:

Subscribing to legislative update alerts on government websites in the juridsidiction(s) concerned.
Alternatively, businesses without internal resources to do this may seek to outsource this to lawyers or consultants, or purchase updates from commercial information vendors.
Monitor the relevant International Standards Organisation webpage to get updates on when standards are being refreshed that relate to your business
Ensure the Business Obligation Register owner is informed of any internal policy refreshes or updates, such as when they are tabled at management committees or the board for endorsement, to trigger the refresh process.

Better practice involves assigning responsibility for oversight of the overall obligations register to one person (ideally a senior executive) to ensure it is properly managed and updated, however there will typically be teams from across the organisation who manage the actual updates.

Example of free subscription to receive legislative updates (Australia)

Can a Governance, Risk and Compliance (GRC) system help?

Many organisations are increasingly using Governance, Risk and Compliance (GRC) systems to help manage compliance obligations, policy versions and refreshes, risk registers, control libraries and assurance tasks. GRC systems are a great idea, however they require considerable forethought in terms of design to ensure the way they work will accomodate business requirements.

As someone who has implemented a few different GRC systems for clients in the Financial Services and Mining industries, a number of vendors on the market haven’t really thought through the ‘GRC architecture’ and design, or have designed their systems by someone who doesn’t understand the complex relationships inherent in risk architecture, meaning some systems are more difficult to implement and operate than others. More on this in a future article.

Ukraine and looming Russian sanctions – implications for supply chains

Posted on February 20, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

Historically, awareness of sanctions has been mixed in Australia and typically strongest in financial services and commodities. This article examines what sanctions are, who issues them, the core components of a Sanctions Compliance Program, and what the introduction of sanctions on Russia as a result of any future invation of Ukraine might mean for Australian supply chains.

Moscow, one part of Russia which will feel the pinch of international sanctions. — Photo by u0414u043cu0438u0442u0440u0438u0439 u0422u0440u0435u043fu043eu043bu on Pexels.com

What are sanctions?

According to HM Treasury, “sanctions are restrictions put in place to achieve a specific foreign policy or national security objective. They can (a) limit the provision of certain financial services, or (b) restrict access to financial markets, funds and economic resources”.

Each jurisdiction uses its own terminology for sanctions, but the United Kingdom categorises sanctions into three simple categories:

Targeted asset freezes – for individuals and entities
Restrictions on financial markets and services – for individuals, entities, specified groups or entire sectors including:
- Investment bans
- Restrictions on access to capital markets
- Directions to cease banking relationships and activities
- Requirements to notify or seek authorisation prior to certain payments being made or received
- Restrictions on the provision of financial, insurance, brokering or advisory services or other financial activities
Directions to cease all business – specifying the type of business and applicable to a specific person, group, sector or country

As you can see, sanctions and their impact can by quite broad and far reaching. One particular challenge with sanctions lies in identifying parties who are indirectly sanctioned. This requires more sophisticated due diligence and compliance oversight to manage properly.

Who promulgates sanctions?

The UN Security Council (UNSC) has the power to levy economic and trade sanctions however this requires consensus from the five permanent members of the UNSC, which is rare.

In addition to the UNSC, individual countries have also recognised the strategic power of sanctions, resulting in country specific legislation that impacts companies and individuals resident of, or operating in their jurisdiction that has been enacted since the use of blockades during World War One (Mulder, 2022).

Some national sanctions regimes are politically motivated, such as where foreign dissidents, human rights defenders, or the political opposition are targeted, but this sort of behaviour is typically restricted to non-democratic countries. Globally, major sanctions bodies align with the worlds main financial centres, including:

United Nations Security Council – with sanctions enforced by each member state
US Treasury Office of Foreign Assets Control (OFAC)
HM Treasury Office of Financial Sanctions Implementation (OFSI)
European Commission Directorate-General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA)

Of these, OFAC is undoubtedly the strongest in terms or reach, influence and enforcement. This is because of the United States’ position as the global financial centre, with most companies having a presence or nexus to that market (including through their bank transactions). OFAC is also an active regulator, levying substantial fines and penalties on companies worldwide. This means that OFAC can be used as the benchmark for any sanctions compliance program – if you satisfy OFAC, you will probably satisfy all other regulators as well.

As it’s global power and influence grows, the People’s Republic of China is increasingly becoming a player in relation to sanctions as highlighted in the Atlantic Council’s Global Sanctions Dashboard. China’s rise and influence in relation to sanctions will be increasingly important.

What should a sanctions compliance program comprise?

In 2019, the U.S. Treasury published its 12-page guidance on designing and implanting a Sanctions Compliance Program in a document entitled “A Framework for OFAC Compliance Commitments”. OFAC expects regulated entities to undertake at least five core elements in their compliance program:

Management Commitment
Risk Assessment
Internal Controls
Testing and Auditing
Training

On face value, these elements are much like any other risk or compliance program we would expect to see. However, with sanctions the devil lies in the detail and particularly the complexity of the various regimes. This post is not intended to be a detailed overview of sanctions compliance, rather to provide context for the following discussion on what this means for supply chains.

If your sanctions program is not up to scratch, or if you don’t have one at all, seek specialist advice as the fines and penalties for non-compliance can be substantial and extend beyond the enforcement action to potentially mean your suppliers and customers will no longer do business with you due to the risk you present.

Photo by ThisIsEngineering on Pexels.com

What does the situation in Ukraine mean for supply chain hazards, as an example?

Under Australia’s new Security of Critical Infrastructure (SOCI) Act, one of the key elements of the associated Rules, Supply Chain Hazards, requires regulated entities to ‘establish and maintain in the entity’s program a process or system that the entity uses to minimise or eliminate the material risk of, or mitigate, the relevant impact of” amongst other things “(d) disruptions and sanctions of the asset due to a disruption in the supply chain”.

With the prospect of more sanctions on Russia, companies need to start working now to review their suppliers, update their risk assessments, and identify any potential connections to Russian individuals, entities and sectors. Some of the steps you may need to take include:

Examining the geographic presence of your suppliers – are any based and / or headquartered in Russia or its allies?
Ultimate Beneficial ownership or control – who (individuals) or what (other legal entities) one some or all of your suppliers and are any of them Russian, or do they have a nexus to Russia?
Once you have identified your suppliers and their beneficial owners, be prepared to conduct name screening against the relevant sanctions lists, or alternately use a reliable vendor solution such as Refinitive’s WorldCheck, Dow Jones Watchlist, LexisNexus World Compliance.
Identify any other potential foreign influence from Russia or its proxies that could impact your supply chain or operations.

If you are new to sanctions, your reaction is probably that this would take a lot of effort and involve some cost. In my experience, this is exactly the case. Once sanctions are promulgated, you need to compare the sanctions list(s) to your supplier data to ensure there are no matches. Your bank will do the same, so if you don’t do this you risk a supplier payment being confiscated by a regulator which can be hard to recover. In addition, intentionally or unintentionally breaking a sanction has serious criminal and civil penalties.

ForewarnedBlog.com

Actionable insights on security, fraud, integrity and resilience for innovative industries

Tag Archives: Compliance Obligations