Anyone starting or running a small business needs to address compliance. Tax, data protection, HR matters, and regulatory requirements all need to be considered and managed. Shareholders, clients, and partners need to be assured that the business is not just compliant today but has sound processes in place to make sure it stays compliant.

Establishing a lightweight but effective compliance management system early on will help keep things on track as the business changes and expands. There is even an international standard for compliance management systems: ISO 19600.

This article will give you an idea of how to set up your compliance management to be effective, efficient, and aligned to the international standard to give confidence to you, your shareholders, partners, and clients. As a small business or start-up, you are in the perfect position to get started on approaching your compliance in a structured way. Things are still simple enough to set up quickly but getting it right will put you on track to scale them up effectively as your business grows. If you haven’t already, this approach will also get you started with managing risks, which is one of the most important concepts in corporate governance.

In part 1, we will look at what compliance is and how to establish compliance in an easy, structured way.
In part 2, we will then build on the work done in part one and how to turn a one-off compliance exercise into a regular compliance management system to ensure you stay compliant as easily and effectively as possible.

Part 1: Establishing Compliance

The basic idea behind a compliance management system

Compliance is about meeting obligations. Someone (a regulator, government, client, or you) sets a requirement, and you need to put in place actions (also called controls) to meet it. Not just that, you also need to make sure everyone in your organisation knows what the obligations are on them and that they in turn comply, so transparency to your employees is key.

Note that the person setting the requirement may well be yourself. You may for example want your company to be as environmentally friendly as possible (due to your own or societal expectation) and need to make sure that everyone pulls in the same direction.

This means that you have to consider both external compliance (your organisation complying with external obligations) and internal compliance (your staff complying with the processes, procedures, etc. you put in place to meet your external obligations). These two are linked – internal compliance is the only way to achieving overall compliance.

To be compliant, you, therefore, need to be clear about what your company and employees need to comply with, establish internal compliance, maintain it, and adjust to changing requirements. This is where a compliance management system comes in.

The basic idea behind a compliance management system (and system here does not mean IT, but a system of procedures and policies) is to have a simple, robust process that ensures you meet your goal by

  • identifying your obligations and evaluating the compliance risks,
  • planning how you want to address these risks,
  • implementing the measures you have identified to control the risks,
  • evaluating and reporting on your compliance performance, and
  • managing noncompliance and taking steps to continuously improve.

However, the system is not just about doing these 5 things once, the key is that a compliance management system will establish a way to ensure they are done continuously, effectively, and consistently. This is what builds a culture of compliance in your organisation and keeps you compliant in the future.

Where compliance obligations come from

Compliance obligations come in many flavours:
The most obvious is mandatory compliance. These are legal, contractual, or regulatory requirements you MUST address. This includes taxes, employment, privacy, advertising, intellectual property, insurance, antitrust, regulatory matters, and health and safety. Non-compliance in this area poses the highest risks to your company.
The next level down is best practice compliance. These are things you don’t HAVE to do, but probably should as it’s what is best for your company and may prevent incidents that could cause damage. It should be aligned to what your peers are doing and what clients may expect. This can include quality management, aspects of information security (if not covered by mandatory compliance), and compliance with relevant internal policies. Speaking in risk terms, these are activities where non-compliance carries a high to medium risk.
Lastly, we have voluntary compliance, which includes everything you want your company and employees to do because you believe it would have a benefit. The risk from individual non-compliance is usually low and examples could include going ‘green’, establishing a specific company culture, etc.

Understanding where your obligations come from, what they are, and what risk non-compliance would pose to your organisation is important. You can only comply with what you are aware of. At the same time, multiple obligations may overlap – you may have IT security requirements from client contracts, privacy legislation, etc. and a good compliance management system will allow you to address these as efficiently as possible without duplicating effort.

Identifying your compliance obligations

This takes a bit of work but is essential if you want to run a compliant business. You need to speak to your accountants, lawyers and other advisers, who will be able to point them out to you and may assist you in meeting some of them.

The first step is to understand the environment your company operates in. Ask yourself: What are you trying to achieve with your compliance management? What resources do you have available? Who are your stakeholders and what are their requirements? What are your internal priorities and rules?

Then you will need to systematically go through and record your compliance obligations.

Areas to consider are:

  • Taxes (Accountants will help)
  • Company law (Registering, office address, trading address, articles & memorandum of association, etc. – lawyers will be able to advise)
  • Employment (Accountants and pension / HR advisors may help)
  • Intellectual property
  • Insurance (is there mandatory insurance in your sector? What do clients expect?)
  • Privacy and data protection (the ICO has a lot of information on this)
  • Advertising and marketing (standards but also electronic marketing, the ICO is a good source here)
  • Health and safety (HSE has good information on this)
  • Contracts (clients may have very specific requirements on e.g. security and privacy, operational standards, reporting, or service levels. This is where being able to demonstrate how you comply is especially valuable)
  • Industry-specific and regulatory (if you work in a regulated industry or in an industry with very specific rules, like the finance industry or food safety, etc.)
  • Requirements from standards or other schemes you are (or want to be) certified to
  • Internal policies and procedures

You will need to identify the obligations themselves and the assets, processes, or groups in your organisation they apply to.
You may, for example, find that GDPR requires you to encrypt all personal data – that is the obligation. If your personal data is stored in databases A and B and is used in your recruitment and HR administration processes, then these are the assets and processes relevant to that obligation. Note that these can change and, as we will see in part 2, it is important to keep this up to date as assets and processes change or new assets and processes are added.

 

When doing this, try to keep the obligations specific but don’t mix obligations, assets/processes, and controls to meet your obligations. For the above example, “comply with GDPR” would be too unspecific as an obligation, and “encrypt databases A and B” is not an obligation but the control used to comply with the obligation.

We have prepared a simple spreadsheet – please feel free to modify it to meet your needs.

Evaluating the compliance risks

Once you understand your obligations, you need to think about the risks involved. This will help prioritise time and resources when addressing your compliance obligations.

Risk is seen as a combination of the impact of an event happening and the likelihood that it will.
The impact describes what would happen if you did not comply and could include fines, legal action, loss of a client or clients, reputational damage, loss of a certification or even the end of your company. While it would be very useful to look at the impact in detail, a classification of the impact as “None, low, medium or high” with a short rationale will suffice initially.
If you struggle with determining the likelihood, think of it as the level of compliance. Take, for example, the risk of non-compliance with tax laws: the impact would be high, but if you are already working with a reputable accountancy firm, the likelihood of that risk materialising is very low, which means this would be a low risk overall.

Planning action

The obligations and risks you have identified need to be addressed. Risk management typically uses four categories of actions:

  1. Treat, this means you implement a control to bring the risk down to an acceptable level,
  2. Terminate, this means you stop the risky activity and therefore eliminate the risk,
  3. Tolerate, here you decide that you can live with the risk and do nothing, and
  4. Transfer – you make the risk someone else’s problem. Insurance, for example, is one way some financial risk can be addressed.

With compliance risk, you will very likely want to treat or transfer the risk. Tolerating may be applicable to low-level risks or the remaining, acceptable risks after treatment/controls. Terminate can come into play where the compliance activity is not mandatory – you could decide to not take on a contract that would have too many compliance obligations associated with it.

Controls to treat risks come in a variety of shapes, for example as technical controls like a sprinkler system to reduce your fire risk or organisational controls like policies and procedures to address some of your privacy risks. If you have employees, awareness is an important control – it makes little sense to publish a policy or procedure if no one knows that (and how) they need to follow it.
Make sure controls are as easy as possible to implement, follow, and monitor. If your controls involve your employees, it can be very useful to include them in the process. Apart from raising awareness, this will help you ensure that controls are practical and employees can comply with the requirements.

When planning action, make sure you assign someone responsible for implementation and set a deadline.

Implementing controls

This phase requires you to work on the actions identified previously. This can mean instructing an accountant, setting up a process for dealing with tax matters (who does what when and how), writing a privacy notice, or publishing your anti-bribery policies and training staff on how to follow them.

The implementation of controls should be tracked and you should keep your company informed about what’s going on – this helps with awareness and staff compliance.

Speaking of awareness: This is an often overlooked area that needs to be addressed. It is impossible to achieve internal (and thus external) compliance without bringing everyone in the company on board. Awareness campaigns coupled with staff training and compliance as a focus of management will help bring that about. It’s important to see awareness as a two-way street: Make sure you take note of employee’s concerns and ideas – the best rules and procedures are the ones that are the easiest to follow while achieving the objective, and your employees may know how to best tackle a given problem. Getting everyone involved also helps build a culture of compliance which is essential in making your compliance management work in the long term.

Evaluating, monitoring and reporting on compliance

Compliance is not something you do once and then forget about it – processes and procedures only help reduce risk if they are effective. This means you need to make sure your technical controls work and that processes and procedures are actively being followed.
You should regularly (how regularly depends on your organisation and environment) review your risks and controls and ensure they are still fit for purpose. This typically includes reviewing the effectiveness of staff training, testing the operation of technical controls, and reviewing non-compliance incidents and indicators such as frequency of contact or complaints from clients, regulators, and other stakeholders. Having a safe and easy way for employees to raise issues can help identify problems early.

Non-compliance and continuous improvement

Non-compliance needs to have consequences. If it is a technical matter, you need to find out what went wrong and why and then plan to correct it. If it is an organisational control that failed, ask whether the instructions and responsibilities were not clear enough, training was insufficient or processes/procedures too complex. Negligence or malice should have disciplinary consequences, but make sure they are proportionate and do not discourage people from coming forward about compliance problems in the future.

Also, think about where you would get updates about new or changed compliance obligations. Subscribing to regulatory newsletters, joining professional organisations, reading relevant publications, blogs, or visiting your regulator’s websites can all help in identifying changes.

Part 2: Bringing it all together

If you have completed the steps above, you should now have a good understanding of your compliance obligations and how you are going to meet them. You should also easily be able to explain to all departments or groups of staff what they need to do in order to be compliant. Now you need to build on your success and ensure it isn’t squandered. A compliance management system helps you ensure that things will continue to be updated and managed.

Please note that the steps below will not cover all aspects of ISO 19600, but will put you in the perfect position for achieving full alignment with that standard if you so wish.

Assign responsibility

Someone in your organisation needs to be responsible and accountable for the success of your compliance programme – and it may well be you! It is important to communicate who does what, so staff knows what their own duties are with regards to compliance and who to ask if they need help or guidance. Whoever you decide to make responsible for compliance in your organisation – your top management needs to be actively involved in supervising it. This means asking for regular compliance reports and taking action where required. You also need to make sure that enough time and resources are allocated to compliance activities – time is especially precious in small organisations, but compliance activities should not be pushed off the plate to make room for other things.

Compliance and your business processes

As a small business or start-up, your business processes are likely very light and flexible – and that is a good thing! Nevertheless, compliance is something you need to tackle, so think about how to best include it in your daily activities wherever it is needed. Involve your staff and decide these processes with them, they will be much more likely to be on board.
One important process to look at is change / new projects; this is where things can go wrong. It is easy to jeopardise your hard work by implementing a new project or any other type of change without regard for compliance. I would suggest you create a short checklist for new projects or major changes to existing processes, products, or services. This checklist should be used by the project manager or similar to check whether their project or change makes sense for your business – not just from a compliance point of view!

That checklist can include:

  • Financial feasibility (What is the cost and the expected ROI?)
  • Operational/technical feasibility (Can we make this work?)
  • Compliance (What do we need to look for?)
  • IT Security (Are we about to jeopardize security by putting a new database online?

The advantage of having gone through the compliance mapping in part 1 is that you can easily provide project managers (or others) with a definitive list of compliance obligations, so they will know exactly what to do – be it around privacy, marketing, financial compliance, etc.

Reporting Revisited

Your top management should expect regular reports on compliance. Even if top management and the compliance function are the same person, creating a regular report for stakeholders will be a useful exercise. When thinking about compliance reporting, consider reporting both on actual compliance and on the state of your compliance management system. For the former, you can report on the number and severity of risks in your compliance risk register, for the latter you can report on progress on addressing them. If risks are not regularly updated, reviewed, and actively managed, this should be flagged. A high risk you are actively working on mitigating may ultimately be less concerning than a medium risk that is sitting there without any attempt at fixing it.

Your Compliance Policy

Once you have decided what your processes will look like and how you will manage compliance, it makes sense to write this up in a policy. This document is useful internally to explain to (new) staff how you manage compliance, but also externally to show stakeholders or investors that you are taking compliance seriously.

Keep it brief, but explain all relevant aspects:

  • Why does your company need compliance and why should employees care?
  • What are the objectives you are trying to achieve?
  • How do compliance activities fit in with other things you may be doing, such as risk management, privacy, security, etc.?
  • Who is responsible for compliance? Think about mentioning both the compliance function and the responsibilities of every member of staff.
  • How is compliance integrated into your business processes?
  • How can compliance issues be reported?
  • Are there consequences to non-compliance?

If they are not covered elsewhere, add other important aspects such as your approach to risk management and project change (e.g. the checklist). Make sure to explain for each point where to get further advice or information.

Two important lessons learned from previous implementations

When working with small businesses and start-ups, two things have proven invaluable: Leadership engagement and continuity of staff.
Leadership engagement is key; without leadership positively reinforcing the compliance efforts, the company will not successfully implement a compliance programme. Managers need to be seen to follow the procedures and actively promote staff to do the same. If, for example, you have implemented a ‘new idea’ checklist, managers need to demand it is completed. Staff needs to understand that while every effort is made to keep the red tape to a minimum, the processes that do exists need to be followed.

Continuity of staff is the other important aspect of a successful implementation. If the same people who are going to run the compliance management system are the ones setting it up, you will have far less loss of information and the whole process will run much more smoothly. They are also in a great position to explain processes and adjust them as needed as they will have all the context behind decisions made.

Please feel free to contact us with any queries and best of luck with your compliance programme!