Compliance organization is a must because compliance is the process of making sure your organization and employees follow applicable laws, regulations, standards, and ethical practices. The board of directors members work as agents of the shareholders and are responsible for the organization’s stewardship.

The board sets the risk appetite, tolerance, and compliance culture and approves compliance programs and policies. Board establishes board-level sub-committees to monitor the performance of management and takes regular feedback from the Compliance Committee of the management.

The board expresses concern if the compliance culture is not strong or the compliance breaches are reported. Organization of compliance requires incurrence of cost, including setting the compliance function, team, and resources devoted to compliance management. As enterprise risk management practices evolve, it is now important that activities spanning risk, compliance, control, and even governance be efficiently coordinated to maximize the organization’s benefit.

Many board members and executives frequently express concern about the cost of compliance, including the compliance organization, design, implementation of its processes, and controls compared to the value gained. 

The Importance of Compliance Organization

As enterprise risk management practices evolve, it is now important that activities spanning risk, compliance, control, and even governance be efficiently coordinated to maximize the organization’s benefit. It may represent one of the nest opportunities for enterprise risk management to redefine its importance to the organization. Risk management activities are not complete and effective without organizing compliance.

In an organization, compliance works as a second line of defense. In this regard, it serves the first line of defense, including business departments. It also simultaneously monitors the activities of the first line of defense to ensure that they comply with regulations and laws applicable to the organization and the industry in which it operates.

As the second line of defense, compliance is organized in a way that is independent of the first line that provides oversight and challenge of risk management to provide confidence to the senior management and the board. 

In an organization, the responsibilities of compliance being the second line of defense include: 

1. Review First Line risk proposals and make decisions to approve or reject as appropriate. 
2. Oversee and challenge first-line risk-taking activities. 
3. Own processes for setting Risk Type Frameworks, Policies, and Standards, and monitoring compliance. 
4. Own and manage processes for oversight and challenge. 
5. Propose Risk Appetite to The board, monitor and report adherence to Risk Appetite. 
6. Intervene to curtail business if it is not in line with existing or adjusted Risk Appetite, material non-compliance with policy requirements, or when operational controls do not effectively manage risk. 
7. Ensure effective implementation of the policies and risk type frameworks and affirm the effectiveness to Risk Framework Owners. 
8. Identify, monitor, and escalate risks and issues to the risk owners, senior management, and the board or the board-level committees. 
9. Review risk remediation plans set by the first line to mitigate Risk Appetite issues. 
10. Set risk data aggregation, risk reporting, and quality requirements. 
11. Ensure that appropriate controls are in place to comply with applicable laws and regulations and escalate significant regulatory non-compliance matters and developments to the risk and controls owners, the management, and the board level sub-committees. 
12. Promote a healthy risk culture and good conduct. 

Final Thoughts

Enforcing compliance assists your company in preventing and detecting rule violations, protecting it from fines and lawsuits. The process of compliance should be ongoing. Over time, many organizations have consistently and accurately governed their compliance policies.