Please enable JavaScript.

Coggle requires JavaScript to display documents.

Frameworks for Governance, Risk and Compliance - Coggle Diagram

- - - - Employees must understand that a policy or procedure is needed to ensure regulatory compliance, to protect stakeholders and to help organisations set and achieve its objectives
      - Employees that understand why a policy or procedure is needed are more likely to accept and comply with its contents
    - - These are the principles that underpin an organisation's activities
      - Eg to protect the environment
      - An organisations values will often be integrated with its risk management principles
    - - The people to whom a policy or procedure applies should understand their roles and responsibilities in relation to the execution of the policy or procedure
      - This will generally mean employees, but policies and procedures may apply to contractors, on site third parties or customers
      - For example, health and safety policies and procedures will apply to a customer in relation to their safety and personal conduct while they are on the premises of an organisation
    - - Employees are unlikely to comply with the contents of a policy or procedure if they see that those higher up the organisational hierarchy are not complying with it or do not see it as important
      - Boards and senior managers should make clear in their words and deeds that every risk management policy and procedure is important - they should take steps to comply with all policies and procedures and remind others to do the same
    - - Non-compliance with a policy or procedure can have some serious consequences for an organisation
      - Using line management structures, employees should be reminded of the importance of compliance and of the sanctions for non compliance
      - This might include verbal or written warnings, poor performance reviews, the witholding of bonuses or promotion, suspension and ultimately dismissal
    - - Employees need to be informed when a policy or procedure is introduced or updated
      - They need access to the policy or procedure
      - Training on how to comply can help to increase compliance rates
    - - Regulations, working practices and organisational structures change
      - To cope with these and other changes, policies and procedures should be reviewed at least annually to ensure that they remain up to date and fit for purpose
- - - - The degree of compliance required for health and safety, environmental laws or sector regulation can vary by jrusidction. In some jurisdictions, there may be little discretion in terms of what constitutes compliance or non compliance, in others there may be more discretion
      - EG, the the UK health and safety law is based on the principle of 'as low as reasonably practical'
      - Discretion can be useful when it prevents an organisation from taking costly compliance related actions that grossly outweigh the benefits of compliance
      - Can lead to problems where the organisation and its regulator disagree on the standards for compliance
      - Inflexible rules that require specific actions, irrespeciveof the costs involved, remove this problem but can result in excessive compliance costs
      - Where an organisation has discretion in determining the nature of their compliance with laws and regulations, It is important that they decide in advance the standards they will expect for compliance
    - - An organisation will have more discretion over the degree of compliance expected from its employees when it comes to compliance standards for internal policies and procedures or voluntary external guidance, standards or codes of conduct
      - An organisation may decide that compliance should be absolute - alternatively it may decide to tolerate a degree of non compliance providing that the is reported and accepted and a clear rationale provided
      - Extreme care should be taken when a degree of non-compliance is allowed. All such cases should be reported to the audit committee or board so that an organisations directors are kept informed
  - - - Compliance management policies and procedures
        
        Policy
        
        The compliance standards and principles that re expected
        
        Links to key compliance management procedures
        
        Reporting and escalation arranegments
        
        Roles and responsibilities for the board, senior management, other managers and employees and the risk, audit, governance and compliance functions if present
        
        Principles
        
        An expectation that all employees will act honestly and with itnegrity
        
        To manage compliance risks in order to preserve the reputation and financial resources of an organisation
        
        That all decision makers own the compliance risks that are associated with the decisions that they make, even though the board is ultimately responsible for effective compliance
        
        That compliance related risks must be monitored adequately and all cases of non compliance escalated to the appropriate levels management
        
        Procedures
        
        How to deal with enquiries from regulators such as who should speak with them
        
        How to investigate cases of unatuhrosied non compliance
        
        Disciplinary procedures for unauthorised non compliance
        
        Procedures for temporarily allowing non compliant on cost benefit grounds
      - Compliance reporting and escalation processes
        
        The managers and directors of an organisation will require regular assurance that it is complying with relevant laws and regulations and that any associated compliance risks are managed effectively
        
        This assurance may come in the form of compliance reports
        
        One common form of reporting is a periodical review of compliance. This review is normally prepared by a company secretary and reported to the board
        
        The review willl remind the board of the various laws and regulations that must be complied with and outline the various processes and controls that are in place to ensure compliance
        
        Evidence of the effectiveness of processes and controls may be provided such as the results of compliance reviews and internal audits
        
        Compliance monitoring and reporting to management and senior management will occur much more regularly - this might include daily control effectiveness checks to ensure that compliance with financial crime regulations are adhered to such as the prevention of money laundering
        
        Escalation processes come into play when ineffective controls are detected or where employees or managers are not behaving in an appropriate manner.
        
        Escalation may occur as a result of an audit finding, regular compliance control checks or whistleblowing
        
        Escalation should be to the appropriate level of management, where non compliance threatens the whole organisation, it should be escalated to the most senior level of management
      - Compliance training and communication
        
        Employees may require training to understand the importance of complying with all applicable laws and regulations and to help them operate the relevant compliance controls effectively
        
        This training may be provided in house or by an external training agency
        
        Regular compliance oriented communication can supplement formal trining, this might include emails or memos reminding staff of specific compliance responsibilities, poster campaigns, discussions in staff meetings, away days or awareness weeks
- - - - Project risk reprots
      - Health and safety reports
      - Strategic risk reports
      - Operational risk reports
      - Compliance risk reports
      - Governance effectiveness reviews
      - COBIT reports
      - Financial misstatements risk reports
  - - - A repository of all relevant policies and procedures, such as risk management policies, compliance management policies, risk appetite and internal audit procedures
      - A library of the governance, risk and compliance controls used across the organisation (this may also include information on the effectiveness of these controls)
      - Governance, risk and compliance metrics such as information on reported loss events or compliance breaches
      - The results of risk assessments
      - Incident management, to record any loss events that may have occurred
      - Financial performance data
      - Internal audit modules to track identified audit issues
      - Action planning to address control weaknesses or audit issues