APRA calls on boards to prioritise compliance risk management

4 minute read  23.02.2022 Kate Hilder, Siobhan Doherty

Our key takeaways from APRA's recent article: 'How to manage compliance risk and stay out of the headlines'

Key Takeouts

  • Noting the recent failures of compliance monitoring practices, and the resulting financial and reputational repercussions for the entities involved, APRA has called on boards and senior management to prioritise compliance risk management.
  • APRA highlights three key areas on which entities should focus. First, APRA calls on entities to ensure they have a 'defined approach' to compliance risk management. Second, entities should ensure they have well-documented, established processes in place. Finally, entities should ensure there is clear accountability for managing compliance risk.
  • APRA makes clear that 'better practice for compliance risk management will continue to be a focus area' for the regulator, with APRA planning to 'closely monitor entities’ management of compliance risk through its supervisory activities'.

In an article entitled – How to manage compliance risk and stay out of the headlines – the Australian Prudential Regulation Authority (APRA) emphasises its continued focus on lifting compliance risk management practices and calls on all regulated entities to give this area 'the same attention and prioritisation…that they give to cyber risk, operational risk management and other risk classes'. 

The regulator also highlights three key areas on which it considers entities should focus.

A brief overview of the key points in the article is below.  

Why compliance risk should be a priority for boards and senior management 

For clarity, APRA defines compliance risk as:

'an organisation’s ability to comply with the laws, rules, regulations and standards (both external and internal) which govern its operations – including voluntary industry standards and codes of conduct that an organisation elects to comply with – and the consequences that may flow if it fails to do so'.

APRA points to the spate of recent compliance failures to underscore that these consequences can include both 'severe financial and reputational damage'.  

APRA considers it

'essential that compliance risk management remains a priority for senior management and boards' because it enables entities to focus on 'creating value for, and having meaningful interactions with, customers, instead of dealing with the consequences that can arise due to non-compliance with laws and other obligations, including reputational damage'. 

As such, the regulator sees sound compliance risk management as an important factor in maintaining trust in individual entities and more broadly in the financial services sector.

From a regulatory perspective, APRA also considers an entity's approach to compliance risk may 'also provide a barometer of its approach to risk management generally'.  

APRA's approach to monitoring compliance risk management practices

APRA states that its chief focus in this context is on entities' ability to 'demonstrate and monitor compliance with prudential standards, and to consider APRA’s guidance', and on ensuring that the underlying cause of any breach of an APRA prudential standard is identified and addressed.

However, the regulator makes clear that this is not to say that it doesn't also consider an entity's approach to managing compliance risk more broadly.  APRA states: 

'APRA also looks at an entity’s ability to meet non-prudential obligations and laws as a way of gauging the adequacy of entities’ risk frameworks, and risk management processes and practices.  APRA considers an entity’s compliance risk management processes to understand how the entity captures and maintains its obligations, and ensures adherence to those obligations.  This helps inform APRA of the suitability of the entity’s risk management framework to manage risk'.

Three key areas of focus 

Following the reviews of the four major banks in 2019, APRA states that it has stepped up its attention on 'how entities across all industries are managing compliance risk, the challenges they face in doing so, and how their practices in this key area can be improved'. 

APRA's recent supervision activities have focused on how larger and more complex entities have approached managing non-financial risk and, more particularly: a) their compliance management strategy, b) their implementation of frameworks and systems, and c) their accountability and oversight mechanisms to support their strategy.

Based on observations from the regulator's recent supervisory activities, APRA highlights the following three areas as key to implementing sound compliance risk management.  

1. Entities should have a 'clearly defined approach to managing compliance risk'

There is no single consolidated set of obligations that APRA-regulated entities must follow, and the compliance obligations that apply to a particular entity will depend on a range of factors including the industry in which an entity operates and the products and services it offers. As such, APRA considers 'businesses need robust processes to identify relevant obligations and keep up-to-date with regulatory change'.

In light of this, APRA has observed that entities face challenges in accurately identifying and keeping on top of the full range of compliance obligations that apply to their particular business, with these challenges 'compounding' for entities operating across multiple jurisdictions.

APRA considers that 'better practice' in this context entails:

  • supplementing the information received through subscription services with input from compliance subject matter experts, to ensure that all obligations are captured and regularly updated.  APRA comments that this approach is 'enhanced when representatives from different business units and the compliance function work together to maintain a detailed understanding of all end-to-end processes'.
  • a coordinated approach between business units and the compliance function to plan for and manage any change to obligations, so that the entity is compliant in time.

2. Entities should have established and well-documented processes

APRA has observed that maintaining an accurate view of the processes associated with the full scope of product and services on offer can also be a challenge for entities.  

APRA suggests that 'better practice' in this context involves: 

'understanding end-to-end processes for products and services, applying an overlaid view of compliance obligations, and implementing ongoing monitoring to identify any gaps between business process and applicable regulations and laws. This allows business units to understand their current level of compliance and to maintain processes so they are compliant by design. This should be supported by the business unit reporting to senior leadership and the board to present a complete view of obligations compared to the end-to-end process so that gaps can be identified and addressed'.

3. Entities should ensure there is clear accountability

  • APRA considers the Three Lines of Accountability model to be an 'effective framework for risk management'.
  • APRA has observed that in many entities, accountability for the management of obligations and corresponding controls remains more with Line 2 risk teams than with Line 1 business functions.  APRA considers this to be a problem because 'failure of Line 1 to take accountability for compliance management limits the ability of the Line 2 risk team to provide meaningful oversight and challenge, as they instead need to step in to the day-to-day management of obligations and controls'. 
  • APRA considers that 'better practice' in this context involves entities 'creating clear accountability for compliance risk management across the Three Lines of Accountability model, as part of their compliance risk management framework' to ensure that established processes are implemented.   
  • APRA notes that accountability is further improved when: a) senior leadership and the board foster a culture of treating compliance risk with the utmost importance, to set the tone for all staff; and b) a Chief Compliance Officer (CCO) is appointed. On this last point, APRA comments that:

'In the absence of a CCO role at senior leadership levels, it is essential that mechanisms are in place for the voice of compliance to be heard in executive and board discussions, and that compliance is championed by senior leaders of the organisation'.

[Source: APRA article 17/02/2022: How to manage compliance risk and stay out of the headlines]

https://www.minterellison.com/articles/apra-calls-on-boards-to-prioritise-compliance-risk-management