It isn't always practical or cost-effective to test every transaction in an organisation's financial cycle to achieve risk-based compliance. The focus should rather be on the material risks an organisation is exposed to. Julie Methven, CEO of the Compliance Institute of South Africa, says both management and the compliance function should be more focused on higher risk areas. "They're responsible for establishing materiality levels and for effectively communicating them to relevant employees."
The institute published the Generally Accepted Compliance Practice framework that provides compliance principles, standards and guidelines for South African companies.
"Although risk tolerance - in particular, compliance risk tolerance - will help determine materiality levels, management must also consider the potential impact of those risks on the organisation's strategy and the achievement of its business objectives," says Methven. "All companies need to carry some level of risk to be successful."
Many business textbooks would say effective risk management requires assessment of inherently uncertain events and circumstances, typically addressing two dimensions: how likely the uncertainty is to occur (probability) and what the effect would be if it happened (impact).
The latter includes both quantitative and qualitative factors. Quantitative factors would include monetary losses or fines, and how a company views these could be predetermined. For example, a company could decide any single loss above R1m would be disastrous, whereas amounts below R10 000 may have little impact. Qualitative factors can include a negative impact on the organisation's image or reputation.
While unambiguous frameworks can be developed for impact assessment, probability assessment is often less clear. This is particularly true for projects where data about risk probability from previous projects is either unavailable or not relevant. The credibility and value of the risk process are enhanced if data is collected with care, taking the time and using the tools needed to properly develop information based on judgmental inputs.
Conversely, the process is undermined when probability assessment appears to be wholly subjective (a guess). It's therefore important to be able to assess probability with some degree of confidence, using the range of alternative techniques available for assessing risk probability, which attempt to remove the subjectivity from this vital element of the risk management process.
"The company should also decide whether these factors would typically be considered material," says Methven. For example, in the financial services industry these would include regulatory sanction or having a licence to operate revoked, any money laundering activity, market abuse or financial fraud or insider trading. As to the probability of a compliance risk materialising, some of the factors to consider include whether relevant controls exist to ensure compliance and their adequacy and effectiveness; the complexity of the regulatory requirements; and the skills and effectiveness of the people in the company.
Methven says it's important to be as objective as possible when rating risks, and that the rating level at which an event should be escalated or reported to top management or regulators should be defined. "Risk assessment scales should, first, be used to rate the risk a particular legislative requirement, as a whole, poses to a company and then used to rate the most important requirements thereof."
For example, a company may rate compliance with the Financial Intelligence Centre Act (Fica) as significant to its business, based on the severe regulatory sanctions that could be imposed should a breach of the Act occur. Then the important requirements of Fica would be rated and ranked by considering the impact a breach of each section could have.
Says Methven: "Having decided which regulatory requirements should be escalated it's possible to ascertain the most important requirements that will need reporting. That helps the compliance function determine those sections of the law that require particular focus and to ensure those are routinely included in compliance reports."
It's obvious no two organisations will have the same definition of materiality levels, but Methven says it's important routine reporting focuses on the high risk areas, particularly those that can impact on a company achieving its business goals. "That may require the compliance function to become more business orientated and to work closely in developing compliant solutions together with business management. That should be done regularly, as risks change over time."