
Introduction to Compliance Management
Marzia Dulal
Asst. Prof.
Dept. of TEM

Marzia Dulal 1
What does the term 'compliance' describe?

• The term compliance describes the ability to act according to an order, set of rules or request. In the context of financial services businesses, compliance operates at two levels.
• Level 1 - compliance with the external rules that are imposed upon an organisation as a whole.
• Level 2 - compliance with internal systems of control that are imposed to achieve compliance with the externally imposed rules.
Types of compliance

• External Compliance
External compliance refers to following the rules, laws and standards set by governmental authorities to avoid any negative impact on the goodwill of the organisation. These laws are made to help an organisation build public relations and trust and bring transparency to the business it does. Complying with all the laws also avoids unnecessary duplication of effort and resources. Some of the broad heads can be categorised as follows:

• Internal Compliance
Internal compliance refers to an internally designed set of rules and regulations which the owners, employees, traders and customers follow to maintain the quality of the services or products provided by the organisation. An organisation will comply with external requirements only when it is working in line with its internal rules and regulations. Some of the broad heads can be categorised as below:
Example

• An example of internal compliance is when the accounts department follows the company's policy, reconciles cash and bank accounts at the end of every month and reports to the internal auditor.
• An example of external compliance is when the statutory audit of the company is done by the due date provided by the Companies Act.

Why is compliance important?

• Timely compliance with all the relevant laws, regulations and policies benefits an organisation by keeping things running smoothly, reducing fines and penalties and maintaining its position in the industry. Some of the benefits are discussed below:
• Higher employee retention
Employees tend to switch workplace if they have complaints or issues with their present working environment. With effective internal compliance covering safety, employee benefits and compensation, a positive work environment develops. This positive work environment attracts employees to work and adds to the value of the business.

• Reduced legal charges
No business wants to suffer the consequences of not complying with the various laws and legislation. Complying with those laws decreases the risk of fines, penalties, lawsuits or even shutdown of the business. There are many regulations covering how employees should be managed, how products should be manufactured, how buying and selling should be done, how the business should contribute to society, and so on. Obeying them all is a great challenge, but if achieved, the reward is reduced fines or penalties and greater market share.

• Competitive advantage to the business
A business which follows all the rules and regulations and also has strict internal policies has a competitive advantage over businesses which have not complied with the requirements in time. Government authorities, stakeholders, employees and customers are attracted to businesses which strictly follow compliance and prevent any kind of improper or unethical behaviour.
• Better public relations
The success of a business depends a lot on its public image. When an organisation starts facing court cases or government interventions, the market and customers start losing trust in it, which leads to a negative financial impact. Compliance ensures that a company maintains its public relations and holds a positive image.

What duty, objective and responsibility does a Compliance Officer fulfil?

• DUTY - The Compliance Officer has a duty to his employer to work with management and staff to identify and manage regulatory risk.
• OBJECTIVE - The overriding objective of a Compliance Officer should be to ensure that an organisation has systems of internal control that adequately measure and manage the risks that it faces.
• RESPONSIBILITY - The general responsibility of the Compliance Officer is to provide an in-house compliance service that effectively supports business areas in their duty to comply with relevant laws and regulations and internal procedures.

What are the five key functions of a Compliance Department?

1. To identify the risks that an organisation faces and advise on them (identification)
2. To design and implement controls to protect an organisation from those risks (prevention)
3. To monitor and report on the effectiveness of those controls in the management of an organisation's exposure to risks (monitoring and detection)
4. To resolve compliance difficulties as they occur (resolution)
5. To advise the business on rules and controls (advisory)
What are five generally accepted key core objectives of regulation?

1. The protection of investors/consumers
2. Ensuring that the markets are fair, efficient and transparent
3. The reduction of systemic risk
4. The reduction of financial crime and violations
5. The maintenance of consumer confidence in the industry
• The definition of compliance means following a rule or order.
• An example of compliance is when someone is told to go outside and they listen to the order.
• An example of compliance is when a financial report is prepared that adheres to standard accounting principles.

Compliance management

• Compliance management, often called compliance risk management, is the management of, and adherence to, the laws, regulations, standards, policies and codes of conduct that apply to an organisation.
• Many industry-specific regulations drive the core functions in healthcare, manufacturing and finance.

The Difference Between Compliance and Risk Management

• Risk management is the process of identifying vulnerabilities and risk. These risks may be determined or predicted based upon industry or regulatory expectations.
• Compliance management then takes the findings of risk management and sets the policies and protections needed to control, mitigate and monitor these risks.

• Policies
Policies are written documents issued by senior management that specify the responsibilities and required behaviour of every individual in an organisation. In general, policies are short and do not specify technical aspects such as operating systems and vendors. If the organisation is large, policies may be divided into sub-policies.
• Standards
Standards are a lower-level description of how the organisation will enforce the policy. In other words, they are used to maintain a minimum level of effective cyber security. They are also mandatory.
• Procedures
Procedures are detailed documents that describe every step required in specific tasks, such as creating a new user or resetting a password. Every step is mandatory. These procedures must align with the organisation's policies.
• Rules can be described as the guidelines or instructions for doing something correctly. These are the principles that govern the conduct or behaviour of a person in an organisation or country. On the other hand, regulations refer to the directives or statutes enforced by law in a particular country.

Comparison Chart

Basis for comparison | Rules | Regulations
Meaning | Rules are the set of instructions which tell us the way things are to be done. | Regulations are the rules which are authorised by legislation.
Nature | Flexible | Rigid
Made as per | Conditions and circumstances | Act
Set by | Individual and organisation | Government

• Law implies a system of rules, recognised by a country, to regulate the actions of its citizens. On the other hand, an Act is that segment of legislation that deals with specific circumstances and people. Many use the two legal terms interchangeably, but there is a notable difference between an act and a law, as the former is a subset of the latter.

Example : Order Entry System

• Business Rule:
A Customer must have an Email Address.

• Business Requirement:
Capability to enter email address for a customer.
This can easily be implemented by providing a GUI to
enter an email address.

There are various examples of compliance:

• Labour compliance - It includes all the compliance that is related to labour, for example PF, ESI and wages.
• Financial compliance - It includes all the compliance related to GST and tax.
• Statutory compliance - All the compliance related to the Companies Act.
• Miscellaneous compliance - All the other compliance that is mandatory but cannot be grouped into the above three.

The compliance management life cycle
with phases, products, and actors.

Compliance Management Strategies
• The term compliance, in its literal meaning, is the 'ability of an object to yield elastically when a (preferably external) force is applied'. In other words, given the presence of an external force, the object has to respond flexibly without repelling the force being applied.
• Compliance management includes the legal and tactical activities in day-to-day business processes.
• "an act or process to ensure that business operations, processes, and practices are in accordance with prescriptive (often legal) documents"

• It is clear that the term compliance connects two distinct domains: the legal domain and the business process domain.
• Essentially, the legal domain (that is, the regulatory domain) is prescriptive in nature; it prescribes conditions detailing which actions can be considered legitimate and which actions must be refrained from while executing a business process.
• In contrast, the business process domain is more descriptive, detailing how business processes are executed to carry out business objectives.
• Compliance aims to gain more understanding of how enterprises should operate in a more sustainable way to continue providing their services without violating the applicable regulations that can significantly affect their business operations.

• Enterprises initiate compliance-related activities due to a number of factors that affect enterprises' processes:
(i) imposition of external rules and regulations,
(ii) the decision to adhere to and define their own internal policies, and
(iii) managing the regulatory processes within the enterprise to fulfil social requirements.
• However, the identification of the relevant regulations may cause frustration when regulations are ambiguous and require a great deal of effort to be understood.
• Thus, enterprises pay less attention to compliance, even when regulatory bodies put pressure on them to comply with stringent regulations and recommend severe penalties—or even criminal prosecution—for non-compliance.
• To avoid these problems with the regulatory bodies, enterprises are putting more effort into compliance-related activities and employ a number of compliance reporting strategies, namely design-time, run-time and auditing.

• Design-time (otherwise, pre-execution time) is a preventive compliance management strategy where business processes are assessed for any non-compliant patterns at the very early stages of the process design. As such, in this approach, the compliance requirements are captured through a logic-based requirements modelling framework and propagated into business processes. Any non-compliant issues can be detected in the very early stages, thus saving an enterprise's efforts, time and financial resources.
• Run-time (otherwise, execution-time) compliance checking is a strategy by which enterprises use specialised software products or manual checks that produce compliance reports while the processes are being executed.
• Auditing (otherwise, post-execution) is a strategy by which specialised compliance consultants manually analyse the logs generated by the processes to detect possible violations. The main drawback of this strategy is the use of manual checks, which requires a great deal of time and resources; auditing is thus a costly venture.

