Written by: José Manuel Garcelán Published: 04/05/2021
The analysis of the first hundred days of the Compliance Officer was the subject of a presentation by an expert like José Manuel Garcelán at the IECOM virtual seminar.
“From my experience, it is essential for the Compliance Officer to have a deep understanding of the business and to have held other roles within the organization”, he commented.
He also stated that “my goal has always been to integrate Compliance obligations within the organization’s business processes, so that compliance is an inherent part of them, avoiding the creation of formalities or parallel or additional requirements”.
What is most important for a professional taking on the role of Compliance Officer, how do they earn trust, what should they do in these early days, and what should they avoid?
During the last webinar we had the opportunity to discuss the most important aspects to consider in the implementation of the function, such as ownership and risk models, emergencies, coordination, training, the Compliance program, effectiveness, etc. Also, through the results of the surveys, we detected some areas that could be improved.
We, Compliance Officers, must not be communicating effectively, as nearly 80% of attendees at the session believe that their function is not well-known in their own organization. In my case, from a formal standpoint, through the certified Compliance management system, we have a well-detailed policy on roles and responsibilities throughout the organization. However, I believe this is not enough, and we must utilize all existing communication channels in the company: in-person informational sessions, e-learnings, newsletters, videos, signage, etc., to disseminate information and, above all, to explain our role and relevance in the organization correctly.
According to the results of the questionnaire we distributed to attendees, we generally have a clear understanding of the core of Compliance in our organizations (80% responded affirmatively), but only 40% have “gone into the arena,” acknowledging they have been actively involved in business with sales teams, visiting clients, or engaging in commercial activities.
From my experience, I believe it is crucial for the Compliance Officer to understand the business well and to have held other roles within the organization. In my case, within Grupo Antolin, I try to visit the technical and production centers we have in different countries. It is important to understand them firsthand to avoid making incorrect decisions.
Another fundamental aspect we identified is that only 20% have a unified risk system in their companies, which evaluates various types of risks, such as corporate, reputational, operational, financial, etc.
One of the core pillars of the Compliance program is risk management, but risks vary based on activity, size, geographic area of operation, and other factors.
To carry out this exercise with certain guarantees, at Grupo Antolin, we have made a strong commitment to integrated risk management at the international level in SAP_GRC, which incorporates all regulations and areas, managing a significant volume of risks and controls. With this, we achieve control over our compliance risks and consolidate trust within the company.
According to the voting results, half of the colleagues who attended the webinar believe that there are insufficient external signs of support for Compliance in their organizations.
I view it as a joint effort. Typically, organizations have three lines of defense: the first line consists of all employees who must comply with the rules, Compliance represents the second line, overseeing that this is the case, and finally, Internal Audit is the third line, ensuring that the entire system operates effectively.
Therefore, we can only achieve this with the help of the entire organization, integrating all existing elements, avoiding overlaps, and creating a Compliance Management System (CMS) that leads us to implement and develop a culture of integrity and compliance within the organization.
My goal has always been to integrate Compliance obligations within the organization’s business processes so that compliance is an inherent part of them, avoiding the creation of formalities or parallel or additional requirements.
In summary, it will only work through the lens of “Compliance is everyone”.
In my day-to-day work, more than half of my time is dedicated to this mission. It is one of the fundamental pillars of any compliance program: the consulting, awareness, and educational aspect.
This graph accurately represents the consolidation and breakdown of time spent on Compliance tasks.
The great advantage is that there is a directly proportional relationship between investment in these tasks and the level of maturity of Compliance culture within the organization.
Within the Compliance management system, we use numerous indicators to monitor and compare progress, as well as to measure the Compliance culture in our organizations.
As we saw in the webinar, some of these parameters are not inherently good or bad. What is important is that the organization has sufficient control mechanisms to detect non-conformities and violations and has an action plan and an immediate response in place.
From my perspective, we could enumerate many parameters that allow us to determine if our work is effective:
Potential exemption or mitigation of the company’s criminal liability.
Ultimately, we are talking about reputation, integrity, and sustainability for the company.
In our case, in addition to ISO 37001 and UNE 19601, we already have other standards implemented with their respective responsible parties (2020 Annual Report – Existing Certifications). The idea is to be able to easily integrate our management systems within a Compliance superstructure following the recent ISO 37301.
I believe the most challenging part is integrating the Compliance function throughout the organization, making it work effectively without creating friction and “protecting the company and all the individuals who are part of it”.
As we saw in the session, this task is not easy, and in most cases, pressures, resource deficiencies, duplications, and conflicts arise.
Business in the 21st century is radically different from decades ago. Today, it has enormous complexity and a vast array of regulations imposed by public administrations and different jurisdictions, alongside ethical standards that society and stakeholders expect to be applied.
Therefore, the most rewarding aspect is being part of this contribution by establishing a sustainable culture in the company that addresses the environmental, social, and governance challenges and opportunities that are relevant to our activity and the environment in which we operate.