Conduct Risk Compliance – Challenges & Best practices
Managing Conduct risk is an essential element of good governance and a strategic priority for most organisations today. The current economic, regulatory, social and ethical climate, coupled with increasing stakeholder expectations has pushed conduct risk compliance to the forefront of corporate priorities.
Boards and senior executives are being called upon to respond to increasing pressure and scrutiny from stakeholders to provide tangible evidence that they are effectively managing conduct risk compliance — from a corporate and individual perspective.
Organisations need to be focused on determining whether their conduct risk management infrastructure (programs, structures, people, processes, and controls) is effective in preventing and detecting non-compliance, and whether it is effectively integrated into business processes and everyday decision-making.
Employee misconduct is no longer an accepted part of doing business; organisations are now being held accountable and must demonstrate proactive and effective conduct risk management.
Legislation and regulatory focus
Australia has introduced the Treasury Laws Amendment (Strengthening Corporate and Financial Sector Penalties) Bill 2018, which allows ASIC to impose harsher criminal and civil penalties for corporate misconduct, and the Treasury Laws Amendment (Enhancing Whistleblower Protections) Bill 2018, which increases protection for whistleblowers who come forward with information about organisational wrongdoing.
There has been a prudential inquiry into a culture of misconduct within Australia’s largest bank, a royal commission into misconduct within the finance and superannuation industry, and the formation of the Banking Executive Accountability Regime (BEAR), co-regulated by ASIC and APRA, which requires deposit-taking organisations to take all reasonable actions to prevent matters from arising that would adversely affect their prudential standing or reputation.
Recent concern is not limited to the financial services industry either. Franchising within Australia has been affected by widespread underpayment of wages and policy breaches, resulting in a federal review. There has been a royal commission into institutional child sexual abuse, whose recommendations stressed that religious institutions, as well as professional sports and not-for-profit organisations, need to strengthen and proactively demonstrate their approach to conduct risk compliance. There has also been the Royal Commission into aged care institutions, which have been hit by ethical and integrity concerns in recent years.
It is clear that the pressure is on regulators to take a more enforcement-style approach and to hold directors more accountable for their company’s non-financial risks. Accordingly, the obligation is on Boards to demonstrate how they are proactively managing such risks, not just that they have policies in place and expect their employees to “do the right thing.”
Current Board and Director’s Environment
Boards need to demonstrate what they are doing to improve governance, conduct risk compliance and culture. The call to action is for an active board that identifies the strategic need for conduct risk compliance as part of its overall compliance framework and allocates the required resources.
Traditional compliance programs alone are not sufficient to create a compliance culture. Each director must assess the legal and regulatory environment applicable to their organisation and, using practical management tools, ensure that conduct risk compliance programs are developed and adhered to as part of a ‘culture of integrity.’
Boards need visibility of the drivers of misconduct, such as potential conflicts of interest or a ‘laissez-faire’ attitude to corporate hospitality and corporate credit card management, and of the actions taken by management to control these risks. Indeed, the need to manage conflicts of interest between duties and personal motivation, and holding boards to account, were two key findings of the royal commission.
As noted previously in this article, employee misconduct is no longer an accepted part of doing business, and Boards need to demonstrate what they are doing to improve conduct risk compliance and culture. There is now a strategic need for conduct risk management. This, combined with the increasing obligations around Whistleblowing, Modern Slavery, Cyber security, and Environmental Sustainability (ESG), makes it increasingly difficult for any organisation to demonstrate proactive and effective conduct risk management and compliance. This has created an increasing need for organisations to adopt more comprehensive solutions that provide an integrated collection of capabilities, enabling an organisation to reliably achieve its objectives, address uncertainty and act with integrity.
One platform for integrity risk and compliance
Corethix brings together all of your outdated and disconnected risk and compliance activities into one centralised online solution with 8 modules.
The modules include policy management, declarations, whistle-blower hotline, incident reporting, and certificates in our easy-to-use and quick-to-deploy solution.
Corethix also includes a real-time dashboard with analytics to measure the effectiveness of your integrity program.
All organisations are subject to the risk of their employees being involved in actions that are in breach of current legislative or regulatory obligations, contrary to the organisation’s stated values, policies and objectives, or at odds with accepted standards and practices for their industry and the broader community. Such actions by employees can cause significant harm to a business, including potential legal action against the company and its management and directors, significant financial loss and damage to its brand and reputation, and, importantly, harm to the welfare of employees and the morale of the organisation. To help protect against these risks, organisations need to ensure that they are compliant with their legal and regulatory obligations and have effective policies and procedures in place that align with the organisation’s values, goals and objectives and that employees understand and adhere to.
Every organisation, regardless of its size, industry or maturity is exposed to conduct risks such as fraud, corruption, conflicts of interest and employee misconduct. Proactively managing conduct risk is the only way for an organisation to ensure that it is protecting its people, reputation, and bottom line.
How to effectively manage Conduct risk compliance – best practices
Commitment from the Board and Management
The successful launch and implementation of a people conduct risk program involves many elements for organisations. For a start, there need to be up-to-date policies, procedures, registers and reporting tools in place. Equally important, however, senior management and directors or business owners need to be engaged in order for employees to become engaged as well.
The initial catalyst for a business to implement an integrity risk program may in many ways have been based on evolving legislative requirements, changes in societal expectations, or even a specific conduct risk event occurring. However, before a business embarks on the development of a conduct risk compliance program, there also needs to be a clear decision by the management team and directors on the role that conduct risk compliance has in the long term for their business.
This will also enable the business leaders to more easily express to their whole organisation why integrity is important for everyone. In that way, the engagement of the business leaders will be the example for everyone in the business to follow.
Effective policies and procedures in place
To help protect against conduct risks, it is critical for organisations to ensure that they are compliant with their legal and regulatory obligations and have effective policies and procedures in place that align with their values, goals, and objectives.
Organisations need to use policies and procedures to set out their expectations of standards and behaviour. These policies provide clear direction for employees, contractors and suppliers to operate under and the organisation needs to enforce those standards of behaviour where required.
The policies and procedures need to be clearly communicated to all relevant stakeholders within the organisation to ensure that employees understand their roles and responsibilities in adhering to the policies.
Keep policies up to date
Conduct risk compliance policies need to be routinely reviewed and updated to ensure that they match the strategic direction of the organisation and current legislative requirements.
Ensure policies are easily accessible
All policies and procedures need to be easily accessible to employees, contractors and suppliers; otherwise, they may not be aware of what is, or is not, acceptable behaviour in the workplace. That means storing policies on an internal intranet can be a problem, as it does not allow contractors and suppliers to have access, and employees will have difficulty viewing policies from mobile devices while away from the organisation.
The best solution is to use a cloud-based software platform that provides access for all employees, contractors and suppliers and also allows access from mobile devices when not at the office.
Enforce policy attestation
Policy attestation refers to the process of verifying and ensuring employees, contractors and suppliers have read and understood the policies within an organisation. It helps ensure that policies are understood, implemented, and adhered to, thereby promoting a culture of compliance and risk mitigation.
The best way to monitor policy attestation is to record all user interactions with the policies and procedures and to keep a record of each employee’s, contractor’s and supplier’s acknowledgement of having read and understood them (policy attestation). It is also important to be able to easily review and analyse attestation records so that there can be follow-up when attestation has not occurred.
In addition to monitoring policy attestation, testing users’ knowledge of policies is a further method of confirming that policies have been read and understood. This can be achieved by sending out surveys to each user containing questions relating to their relevant policies, and then analysing the results to identify any knowledge gaps. The survey results need to be recorded to document the policy understanding of all employees, contractors and suppliers for future review and detailed analysis.
Record declarations of conflicts of interest, gifts and entertainment
Many organisations have a policy requirement for their employees to declare any actual or potential conflicts of interest that may arise, and also to declare any gifts and entertainment that they may receive.
All declarations need to be recorded in a centralised register and managed with oversight by the appropriate leaders in the organisation. Approval of declarations should be recorded and date-stamped for review and future analysis (or investigation).
Provide an easy process for incident reporting (including anonymous reporting)
All employees and contractors need a simple and easy process to report any incidents that occur in the workplace, such as health and safety issues or any non-compliance with the organisation’s policies and procedures. Nominated investigators need to be alerted when a new incident is reported, and the investigators need the ability to invite other people to assist with the incident resolution. There needs to be two-way communication with the person who lodged the incident so that they are kept up to date with the progress of the investigation and informed when there is an agreed resolution.
All incident and investigation communications need to be recorded in a database to provide an audit trail for review, analysis and future investigations.
Many employees who want to report inappropriate incidents occurring in the workplace would want to do so anonymously and to be confident that they will be protected as part of the reporting process.
This requires access to a third-party reporting hotline and/or platform that is available 24 hours a day, 365 days a year. The focus needs to be on security and creating trusted conversations, as well as providing secure two-way communication with anonymous reporters. All reported incidents need to be stored in a database that provides indelible audit logs of all interactions.
Monitor workplace certificates
One of the more difficult areas for managing conduct risk is the recording and monitoring of workplace certificates. All organisations have some workplace certificate requirements for their employees, contractors and even suppliers, and each person could have anywhere between 2 and 10+ certificates required for their function, each one expiring on a different date.
Therefore, monitoring this is extremely difficult, time-consuming, and in most cases poorly done. Yet the risk to the organisation of having uncertified employees or contractors is considerable. Effective monitoring of workplace certificates requires all required certificates to be uploaded by employees, contractors and suppliers and stored in a centralised database. This allows effective verification and oversight of certificates and provides a warning when certificates have expired or are not in place at all. Fortunately, there are software platforms that include this capability, with automatic email reminders to employees and contractors when certifications are due for renewal.
Regular review
The success of any program to mitigate conduct risk requires a regular review of all the key elements, to proactively ensure compliance with policies and procedures and to identify potential problem areas in advance. Details of the policies that need to be checked for compliance, employees’ attestation of policies, the results of employee policy surveys, employee declarations of conflicts of interest and of gifts and entertainment, and the status of any incident reports that have been received should all be recorded and easy to analyse.
Best practice is to have a real-time dashboard with analytics to measure the effectiveness of a conduct risk program. The dashboards can provide a real-time display of all key data to allow proactive management, up-to-date reporting and an audit trail of historical data. This provides a very simple way to give organisations a real-time view of employee engagement and to measure the effectiveness of an organisation’s conduct risk program.