Does the risk of an expensive compliance breach keep you up at night?
Compliance failures are at the top of the worry list for many a business owner and director. Getting it right is in no way an easy task, especially with ever-changing legislation and a workforce fed up with increasing amounts of admin and constant change. Compliance is one of those things that is important but is usually put off until it’s unavoidable (mostly due to those increasing fines!). In 2017/2018, the Information Commissioner’s Office (ICO) alone accumulated fines of over £4,000,000, and they are not the only ones looking for loose links in your business.
So, what can you do to ensure the smooth running of compliance in your business?
1. An effective Risk Committee – Lead from the top down
A risk committee focuses attention on an organisation’s high-risk areas and risk management capabilities. It’s important that the board assigns top-level directors and managers with the necessary knowledge and expertise to provide effective solutions to minimise your business’ risks. Ensuring compliance in your business involves making important decisions, and ones that your workforce might not always like, so it’s key that top-level management shows its support for those decisions and leads from the top down! Having written agendas, minutes and action lists are all good governance methods.
2. The 3 R’s – Risk Assessment, Risk Profile and Risk Register
Risk Assessment, Risk Profile and Risk Register are three crucial components of effective Risk Management.
- Risk Assessment: A Risk Assessment helps you to identify and understand the risks which matter to your workplace and that are unique to you. All organisations are different so it’s essential to think about the risks with the potential to cause real harm to yours.
- Risk Profile: A Risk Profile is an evaluation of how far an individual or organisation is willing to go to take risks. Some are more cautious than others, so where is your cut-off point? A risk profile also evaluates any potential threats your organisation may be exposed to.
- Risk Register: Having a Risk Register is an effective risk management tool to comply with regulation as it shows that you’ve identified and are managing your risks. It should record all identified risks for your organisation (or at least the key ones). It could include rating by likelihood and severity, who they affect and any mitigating measures, controls or action steps put in place. It should be a working document that’s updated regularly – more on this in number 5 below!
3. Write it down – Proper policies and procedures
Having completed the 3 R’s, it’s important to create proper written policies and procedures in line with your risk management strategy. They’re a key control for managing the risks on your register. This ensures ownership and responsibility are appropriately spread through your organisation and provides clarity to your workforce.
4. Top Training – Train it regularly
It’s great to have policies and procedures in place, but they are no use if people don’t understand how to use them in practice. That’s where the training comes in. It’s another key control for managing your risks. Make sure you have training records so you know who was trained and when. You must also consider the frequency of your training (for example, annual training); it can’t just be a one-off! Educating employees on the laws and regulations relating to their industry or specific job function not only allows employees to understand the expectations, standards and obligations of the organisation but also encourages a good workplace culture. Compliance can seem scary, so it’s crucial to have a culture that defeats that myth.
5. Monitor, fix and monitor some more
It’s important to continually monitor compliance with your policies and procedures. Are they working? If not, why not, and how can you change them? Monitor for any breaches, log them, fix them and then refine your procedures and guidance if you need to. Monitor whether there are any changes to the law or any new threats to your organisation, or to your industry as a whole. Re-evaluate the risk to your organisation by undertaking the 3 R’s exercises at least annually. Don’t get complacent with your current policies: continual monitoring and updates are key to staying on top of compliance in your business.
To summarise, remember: lead from the top down with an effective Risk Committee and put into practice the 3 R’s, write down proper compliance policies and procedures, train staff regularly and monitor, fix and monitor some more! By following these 5 steps, compliance in your business is sure to be tip top (and you’ll get a better night’s sleep!).
Want more or need a hand in understanding the ever-changing legislation? Please contact the Corporate & Commercial Team at Blackadders.
Thanks to Bethany Buchanan, our Regulation and Compliance Assistant for input to this article.
Campbell Clark, Partner
Corporate & Commercial