Speaker 1: Thank you everybody and welcome back to Compliance with Kutsai. I am so excited as always to share with you some more great information about compliance risk management. Such an interesting field, so much to talk about. I'm super duper excited to go through this video today and we are going to be talking or I am going to be talking and sharing with you about the roles and responsibilities of compliance. And it's a super interesting topic because I know that sometimes people get a little bit confused. What should compliance be doing? When should we be pushing back? What is the responsibility of the business? So my hope is that by sharing this video with you today, you will gain a lot more clarity on what you own as a compliance officer and are responsible for and what the business owns and are responsible for. And it will put you in a better position to focus on your own responsibilities and push back and make sure that the business is focused on what they are responsible for too. But before we jump straight into that topic, thank you so much for your support. The channel is growing and I'm super excited about that. And I look forward to creating more great content for you next year. This is going to be the final video for 2023. I am ready to take a long, well-deserved break this December. And I'm sure you are going to do the same. You guys have been working hard, studying, working, trying to get your career in compliance off the ground. So let's get some rest and come back strong in January. So this is the last video. I will stay in touch with you on the community channel, though, on the community page. So do keep an eye out. I'll be letting you know what's happening, what's coming in January, maybe what topics I'm going to be dropping in the first month of the year. So don't be complete strangers. And of course, keep watching the videos that we do have on the platform already. 
Lots of great content to keep you going during our short little holiday period. So with that being said, let's jump to it. And if you are new to the channel, if this is somehow the first video that you are watching, be sure to click the notification button and to subscribe to the channel. There is so much content that you can get through. And of course, that will be coming up in the new year as well. So let's jump straight into it. Compliance risk management, roles and responsibilities. So the most important thing that I want to say right up front is that it is critical that compliance is an independent function. We cannot be reporting into a business function or a business head, for example, because that creates a conflict of interest. You need to be able to operate independently and impartially and not trying to figure out if I write this report this way, is my boss going to be upset? Is he going to say, you know, quickly erase this compliant finding or write it in less harsh of a manner? So you completely need to be independent, have a reporting line that goes straight up into the board and has no kind of influence from business functions, because we ultimately are assisting them and advising them, but are also kind of like an oversight function to make sure that they're operating in a compliance risk managed way. So it's really important that we have that independence and no conflict of interest. So the independence of the compliance function is critical and is established all the way at the board level through the compliance risk management framework. If you want to know more about the compliance risk management framework, please do check out the video where I speak about compliance risk management framework versus the compliance program and go into a lot more detail explaining the difference and the nuances within those two things. 
So now that we have our compliance function and it's set up independently, the reporting line goes all the way into the board. It's important for the compliance officer to have sufficient, not only independence, but authority and empowerment again established in the compliance framework by the board to be able to access senior management, executive management report on the performance from a compliance perspective to all the way to the board level. We need to have a seat at the table and I'm sure you've heard that saying before and I actually did get a question. What does it mean when they say compliance should have a seat at the table? It means that we need to have enough seniority at a functional level and at the executive compliance officer level needs to be sitting at a table where decisions are actually made and have the capacity and the power to influence decisions and make sure that the business is aware of the risks that they face based on the activities that they're doing and has a voice to be able to speak and influence and impact at that senior level. So that is where we need a seat at the table. You can't say that you are a big organization that is multi-million dollar and your compliance officer is a junior level employee. They, no matter what you say at the end of the day, they're going to be intimidated and are not necessarily going to have access. They won't attend the board meeting or present to the board. They won't be attending EXCO. So compliance in reality, if that's who you're saying is your compliance officer for your organization, does not have the empowerment necessary. So you definitely have to have a compliance function that ultimately has a seat at that senior level and has the power and capacity to advise and speak to the business and influence decisions. So what is our role? Compliance as a function has, I'll describe it as two main things that we do. We are supposed to implement the compliance program. 
The compliance program means that we have policies and procedures that we put in place that communicate to the business that this is how we stand or where we stand with respect to various topics, data protection, cybersecurity, anti-money laundering, fraud, anti-bribery and corruption. All of those are policies that we would put into place. And in those policies, we would communicate what the company position is with respect to the behaviors and ways of working that employees are expected and how they should conduct themselves in relation to that specific subject matter. So we as compliance will put in place our corporate compliance policies and the compliance policies that come into place as a result of regulatory requirements and obligations. We also in our program will have training where we make sure that we impart and educate people about the requirements from a compliance perspective. We also have to identify risks through our CRMP process where we do risk identification and risk assessment and make sure that we have identified the risks that apply to the business. We have assessed what the potential impact and likelihood of that risk is and advise the business of that. We need to do monitoring and testing. So all of that work within a compliance risk management system in our compliance program is the work and responsibility of compliance to execute. On top of that, we play an advisory role in terms of the day-to-day BAU operations of a business as well as at a strategic level. 
So you've got your tactical advice and your strategic level advice and we are going to be working with the business and making sure that whatever decisions they're making, whatever the five-year plan is, that five-year plan is executed and in awareness of the risks, the regulations, whether it's licensing permission, business process outsourcing, if you want to go the route of implementing cloud and moving away from data centers, what does that mean if that's a five-year process from a regulatory perspective, data protection perspective, what are the considerations and all of that sort of thing. So we play an advisory role to the business day-to-day, every day, Monday-to-Monday as well as at a strategic level to make sure that whatever they're planning and doing at both those levels is aligned with the regulatory activities that apply to those specific activities. So executing the compliance program and advising the business both on BAU and strategic levels is what compliance does. And a key point for you to note in this instance is that compliance does not own compliance risk. We support the business, we advise the business, we help them to implement processes, structures, a controlled environment to manage compliance risk as the subject matter expert, but in terms of ownership of the risk, actual execution of the risk management on the ground within the operations that is owned by the business. So let me give you an example to kind of illustrate that a little bit. So as compliance, we do compliance training, for example. Once we roll out training, whether it's instructor-led training or an online course that people have to complete as self-paced learning, they need to complete that training. And we will track and see who's attended or who completed the training online. 
And if people in let's say a certain business area have not completed their training, we escalate that to their management, their leadership, and say five people in your team haven't executed, haven't completed their training or attended the training. And it's management's responsibilities to make sure that their team members are completing their training, have done what needs to be done, and make sure that that actually happens. And they need to make sure that things like that are included into the performance objectives of their employees, completing training for compliance and making sure that, you know, if there are issues that are identified in those areas, those issues are resolved. If I, as a compliance officer, go into a space and do a testing exercise and identify some issues for remediation, I'm not the person who's going to go now to sit in the operations seat and actually say, oh, okay, I'm amending this, I'm fixing that. My role as the compliance officer is to communicate the finding to the business, agree an action plan with the business to address the control deficiency or process or risk area that we've identified, and then they are the ones who have to, on the ground, implement the action plan that we have agreed to remediate the identified issues. I don't go and sit and remediate the issue, the business does, because they own the process, they own the operations. So I hope that kind of clarifies to you the difference between ownership and playing an advisory and supporting role to the business. We advise and support, but the business owns the processes, they own the risk, and they are responsible for making sure that they are managing the risks on the ground. So that's very much, you know, the role within compliance. We are a support role, an advisory role, business owns the risk, and then, of course, we implement our own compliance program. 
I want to also talk a little bit more about, you know, the distinction between the roles and responsibilities when we're talking at a governance level, your board, or your executive management level, and then your compliance level, and just to clarify that a little bit. And a great place for you to kind of read a little bit more after you've watched this video is the ISO Standards on Compliance Management, and that is ISO 37301. That's the latest version. I think it was published in 2021. So if you want to go and check that out, you can read in much more in-depth about the roles and responsibilities for compliance and the compliance function. But essentially, the board is the one that sets up that compliance framework right at the top, top, top level of an organization and sets that tone that we as an organization are going to, and it's not only compliance risk management, the board has oversight responsibility for all risk management, including compliance risk management. But specifically for compliance risk management, they will approve the framework that says this is how compliance is going to be empowered, this is how they're going to have access to the board and to senior management and have a seat at the table, and this is the tone, and they need to be showing visible and consistent, you know, approach and respect and uplifting, I guess, of compliance and compliance risk management because they're setting the tone. And then the leadership, the executive leadership is the one that says now on a day-to-day basis, how are we making sure that priority is given to compliance, it forms part of how we do things and way of working on a day-to-day basis. 
And that includes whether, like I said in the training example, you're making sure that your teams are completing their compliance training or attending the compliance workshops, you're making sure that within their performance objectives that, you know, managing compliance is part of that, you're making sure that if incidents are occurring, they feel that they can report, if not to the senior management, then directly to compliance and say that there are these weaknesses in the control process that might result in compliance issues, how can we address this? So it's about creating that day-to-day environment and culture where compliance is a priority and it's something that they do in their day-to-day basis and it's not something that's, oh, okay, I must just attend training and moving on swiftly and carrying on with my business as usual afterwards. So the leadership also has to set that tone within their teams, within their lines of business, all the way from the top right down to the lowest level of employee that you are expected to operate in a compliant way. These are the behaviors we will accept and that we will not accept and apply those consistently. So that's the board and that's your executive leadership in terms of how they contribute to setting that tone and implementing compliance. And then compliance, like I said, we are the advisory and support role. We don't own the risk, the business owns the risk, but we advise the business on their risk and put in place the support structure that they need to have in place to meet their obligations from a regulatory and compliance perspective. I hope that is super clear for you guys and, you know, there's the governing body that empowers compliance, there's the leadership guys that sets the tone from the top all the way to the bottom within the operations of the business and says, this is what we need to do. And it actually illustrates to you how things can go wrong. 
If you have a leadership structure that is unclear about, you know, the compliance obligations, they don't really set that tone within their team, that filters down. If you have a governing body that is not clear and consistent and visible in terms of their respect and upliftment of a culture of compliance and make sure that they are having, you know, sufficient oversight and exercising that and compliance has access to also escalate issues to them, if that's also kind of muddy waters, it all kind of filters down. And as great a function as you might have here, if that EXCO and governing body level is not, you know, operating effectively in terms of compliance risk management, then it's really going to be an uphill battle for any compliance officer. So roles and responsibilities. That's essentially how it works with compliance. So if you are working with the business, you need to be very clear and say, I am your advisory and support functions. You guys own the risk. You need to implement the controls on a day-to-day basis. You can engage with compliance to see if these controls are sufficient. Are they working correctly? Can we change them maybe for efficiency and still meet the regulatory obligations? And that's something that it's a collaborative effort, but at the end of the day, execution of the controls sits squarely within the business's pockets and responsibilities. Thanks so much for watching the video guys. Truly appreciate you and your support. Have a fantastic holiday period. More, more great videos coming out in January. I cannot wait to share with you and make great content for you. And please continue to support the channel. It's going to be fun over here from January, 2023 and going forward. All right. Have a good week, everybody. Bye.