The Scope of the Compliance Function
The scope of the Compliance function encompasses various areas, with examples of regulatory domains that are commonly deemed Compliance-relevant, including:
• Fight against corruption (and fraud)
• Conflict of interest prevention
• Protection of Competition
• Consumer protection
• Personal data protection
• Whistleblower protection and other labor law matters
• Prevention of money laundering and terrorism financing
•
Sustainable business practices and environmental risks
How Should Companies Approach Organizing the Compliance Function?
The strategic approach to structuring the Compliance function within companies involves a methodology that essentially outlines how the company deals with Compliance-related areas. The extent and nature of Compliance activities are contingent upon the unique characteristics of each company and the regulatory requirements. It is imperative for this function to align with the company’s business model and operations.
Given these considerations, the methodology for the Compliance function cannot be universally standardized across multiple companies, even if they operate in the same industry. Instead, a tailor-made approach is essential, adjusting the function to address the specific needs of each company. For instance, a company may need to meticulously structure procedures for data protection and conflict of interest, allocating resources accordingly, while potentially expending fewer resources on anti-money laundering procedures. Factors influencing the definition and organization of the Compliance function within a company encompass company size, industry type, client portfolio, market reach, regulatory scrutiny, and other pertinent considerations.
When defining the Compliance function, companies should apply the principle of proportionality, considering their size, internal organization, as well as the nature, scope, and complexity of their business activities. Larger companies, characterized by numerous employees and clients, and intricate business operations, necessitate sophisticated corporate governance. This entails comprehensive Compliance teams, augmented by robust IT resources and tools, overseeing complex processes and procedures. Conversely, small, and medium-sized companies, prevalent in our country, may implement simpler management systems. Often, they appoint a Compliance officer or small teams, leveraging straightforward procedures with a focused range of activities. In some cases, these companies delegate specific activities to law firms, and consultants, or engage external experts for specific areas in which internal resources prove insufficient for a thorough analysis and precise responses to particular inquiries.
As an illustrative example, a company engaged in payment transactions may reasonably allocate more resources to formulate policies and procedures for anti-money laundering than a company involved in the manufacturing of electrical components for the automotive industry. The latter may prioritize resource allocation toward sustainable development and mitigating environmental risks. In essence, companies should tailor their Compliance functions to effectively address the distinctive risks stemming from their operations. This embodies the risk-based principle, emphasizing the prioritization of addressing the most significant risks before tackling lower-intensity ones.
The methodology of the Compliance function is reflected in the following activities:
• Monitoring changes in the regulatory framework
• Counseling
• Risk assessments
• Controls
• Investigations
• Trainings
• Compliance culture
• Relationship with government authorities/regulators
• Reporting
Why It is Important to Precisely Define the Position of the Compliance Function in the Company
The Compliance function has an advisory role in the company and is responsible for advising the management (and other organizational parts) of the company so that the business decisions and internal acts they make are in line with regulations, standards, best practices, ethical norms and internal rules. It is very important to emphasize that Compliance does not make business decisions because it is exclusively the responsibility of the company’s management, and this distinction is important for the adequate establishment of the Compliance function in the company.
In addition to the mentioned, Compliance function also has a control role, and it monitors and controls Compliance-relevant risks that may arise as a consequence of the company’s operations.
Compliance relevant areas that are the responsibility of the Compliance function must be precisely defined in the company’s internal documents, because if the boundaries are not precisely set, it often happens that the Compliance teams deal with issues that do not fall within their scope of work.
It is especially important to define the division of duties within the company between the legal department, the departments dealing with human resources, the risk management function and the internal audit, because this is where most often there is confusion about the division of duties within the company and the Compliance teams are expected to answer all the questions of the employees and company management. For adequate action, it is necessary to arrange the relationship of the Compliance function with other functions within the company and arrange it so that it is independent, because only a precisely defined and independent Compliance function within the company can detect and evaluate risks on time, provide comprehensive reports, and suggest strategies for the effective management of identified risks.
