Ensuring Regulatory Compliance: Integrating Risk Advisory and Assurance


Introduction

In an environment where the global economic recession, the demise of major financial institutions and a changing business landscape have led to stricter regulations in major industries and countries around the world, the term "Regulatory Compliance" has become an all-important language that can make or mar an organisation and its directors.

Organisations are increasingly elevating the processes and structures they need to enhance compliance with regulations. The awareness of existing and new legislation applicable to an organisation, as well as the implication of compliance or otherwise with the provisions of each piece of legislation, is a major focus area for the board.

In achieving effective Compliance Regulatory Management within an organisation, the integrated roles of key management functions, mainly Legal, Compliance, Risk and Internal Audit, must be understood and enabled.

Understanding the Regulatory Universe of the Organisation

With over 300 pieces of legislation in South Africa, the legislation applicable to each organisation will vary from one to the other depending on the type of industry and the nature of the organisation and its business imperatives. Every organisation has a responsibility to identify existing and emerging legislation relevant to its business and ensure that risks that may arise from the compliance requirements are well understood by the board and management.

When new legislation is promulgated, the inherent risk will always be high (red), as operational breakdowns have a high probability/likelihood of occurring in the business. The residual risk will also be high until the organisation is able to implement measures or controls that effectively mitigate the new risks arising out of compliance requirements for the new legislation.

The risks that may stem from non-compliance with key legislative requirements can be very costly and damaging to an organisation and the custodians of governance within the organisation. The consequences of non-compliance range from penalties and fines to imprisonment, withdrawal of licences, lawsuits and reputational risk, which may individually and/or collectively have a fundamental impact on the organisation's sustainability as a going concern, as well as the impact that a lack of good corporate governance at board and business levels can have on the business.

The impact and probability of the risks that the legislation represents depend on the attention paid to the legislation and how well risk and compliance management is entrenched within the organisation. It is therefore critical that an organisation implements relevant structures and processes to effectively manage and monitor the compliance process, to ensure that these are entrenched in a way that compliance becomes "second nature".

Roles and Responsibilities around Regulatory Compliance Management

Embedding compliance with all key legislation in the organisation is a function of certain critical activities and stems from collaboration across key functions such as Legal, Compliance, Risk Management, Business and Internal Audit. These functions all form part of the "three lines of defence".

[Diagram: the three lines of defence and combined assurance. 1st line: Management Assurance; 2nd line: Risk Management, Legal & Compliance; 3rd line: Internal Audit and other assurance providers (External Audit, Actuary). Activities shown across the lines: risk identification, risk and control assessment, control assurance, compliance assurance and monitoring, risk assurance and monitoring, financial control assurance.]

Identifying the three lines of defence

The success of any compliance management and monitoring programme depends on the existence, functioning and integration of these lines of defence in the performance of their duties. These three lines of defence, as well as an overview of their key responsibilities, are depicted in the diagram below:

1st line of defence - Management Assurance
• Assists in setting and executing strategies.
• Provides direction, guidance and oversight.
• Promotes a strong risk culture and sustainable risk-return thinking.
• Promotes a strong compliance culture and management of risk exposure.
• Ongoing monitoring and management of risks.

2nd line of defence - Risk Management, Legal & Compliance
• Formal, robust and effective risk management within which the organisation's policies and minimum standards are set.
• Objective oversight and the ongoing challenge of risk mitigation, management and performance while reporting is achieved across the business units.
• Overarching risk oversight across all risk types.

3rd line of defence - Internal Audit & other Independent Assurance Providers
• Independent and objective assurance of the overall adequacy and effectiveness of governance, risk management and internal controls within the organisation as established by the 1st and 2nd lines of defence.
• Ability to link business risks with established processes and provide assurance on the effectiveness of mitigation plans to effectively manage organisational risks.

1.1. Legal / Compliance

An organisation may decide to have its Legal and Compliance functions integrated or operating as two separate units. This is usually done with consideration for the complexity, size and structure of the business. A Compliance Officer does not necessarily need to have a legal background, while this is a prerequisite for a Legal Officer, who will also handle litigation.

It is the responsibility of the Legal/Compliance function to stimulate and train the board and management on legislation pertinent to the organisation. The Legal and/or Compliance function should undertake the following:
• Compile and maintain a legislative universe for the organisation.
• Facilitate the risk prioritisation of all pieces of legislation in the regulatory universe. This should be done working together with the Risk Management division and using the organisation's risk management framework.
• Initiate new legislative requirements within the organisation. Review the legislation to confirm whether it affects the organisation, and how.
• Analyse and send out alerts on the new law to inform the organisation of the new requirements.
• Facilitate an executive review of the legislation by Legal analysts.
• Facilitate the completion of the Compliance Risk Management Plan ("CRMP") – interpret key legislation in plain language on the CRMP and ensure the identification of issues, controls, risk exposure, responsible parties and monitoring plans by other participating parties such as Business and Internal Audit.
• Update compliance monitoring plans on the CRMP.
• Escalate compliance matters to management.
• Undertake quarterly compliance reporting.

1.2. Risk Management

The Risk Management function should support the Compliance Office with the risk rating of the relevant legislation once such legislation becomes operational in the business. A compliance risk register for the regulatory universe, showing both the inherent and residual ratings of each piece of legislation, based on impact and likelihood, should be the product of this process.

The penalties (financial, imprisonment, etc.) and other business risks associated with key provisions of the legislation should be identified and captured on the compliance risk register for the regulatory universe, as management should know if a piece of legislation will affect shareholder value. The knowledge of associated penalties triggers management to provide the resources and budget needed for the implementation of compliance requirements.

1.3. Business Operational Compliance

Once the Legal / Compliance function has effectively identified and interpreted compliance requirements and facilitated the risk ratings on the Compliance Register, Business is responsible for ensuring the implementation of such compliance requirements. The Business should identify any key issues that may arise from the compliance requirements and capture these on the CRMP for monitoring and report-back to relevant structures and the board.

Business should have its own Business Operational Compliance Officer / Champion who, upon receipt of the information pack from the Legal / Compliance Officer (containing the executive review, compliance alert, CRMP and presentation material), will commence the operational monitoring of the compliance of business processes with the legislative requirements.

Again, depending on the size and maturity of the organisation, the role of Legal / Compliance Officer can be combined with that of the Business Operational Compliance Officer, or even that of the Risk Officer. This, of course, should be with due consideration of the nature and magnitude of business operations and the risk profiles, as well as the cost and benefits of combining or separating the functions.

Business should readily be able to provide Internal Audit with the legislative universe of the organisation for the commencement of a compliance audit.

1.4. Internal Audit

Internal Audit, as the assurance provider, is responsible for reviewing the adequacy and effectiveness of the functioning of controls implemented by management to ensure compliance with legislative requirements. In conducting a review of compliance within the organisation, Internal Audit should ask the following questions:
• What are the pieces of legislation that should be reviewed?
• What new processes are being put in place as a result of compliance requirements?
• What new systems are being put in place to support and monitor compliance?

The span of the internal audit review will be: Legislation – Policy – Procedures – Systems / Processes.

Internal Auditors should be able to map the legislation to the existence of a policy and a risk map. They need to substantiate and audit compliance risk ratings that have changed, especially where residual ratings show improved controls. For example, if the organisation has had many complaints escalated to an ombudsman, it is a likely indication of non-compliance and hence the applicable residual rating cannot be acceptable (green); it should probably be yellow or red.

From their review, Internal Auditors should be able to validate or provide the following inputs to the CRMP:
• Impacted Areas – processes, systems and policies
• Existing Controls
• Additional Controls – arising from amendments to, or new, legislation
• Risk Exposure – High, Medium, Low
• Responsible Party – Affected Parties
• Monitoring Plan – Business Unit Compliance

A short interpretation of the integrated role of the functions is shown in the diagram below:

[Diagram: integrated roles of Legal, Operational Compliance, Risk Management and Internal Audit. The text recoverable from the diagram is listed below.]

Legal / Compliance
• Maintain and update legislative universe
• Educate management and board on legislative interpretation & requirements
• Facilitate legislative risk prioritisation
• Maintain CRMP
• Assist business with implementation of operational compliance
• Monitor & report compliance matters

Risk Management
• Conduct legislative risk prioritisation
• Facilitate completion of compliance risk register with ratings and mitigating actions
• Ensure awareness on the part of management & board on risk consequences of non-compliance

Internal Audit
• Assess adequacy and effectiveness of compliance processes, systems & structures
• Highlight key weaknesses and associated risks noted and make recommendations to management & board on corrective actions

Compliance Certifications

As mentioned above, a legal background is not mandatory for a Compliance Officer, but he/she should possess the relevant competence to effectively manage compliance with the relevant pieces of legislation for the organisation. Acquiring the relevant compliance certification may be a good start and an added advantage.

An Internal Auditor is ideally well positioned to assess the adequacy and effectiveness of management's controls over regulatory compliance; however, some organisations may decide to further upskill their internal auditors on specific compliance areas by requiring them to undergo particular relevant certification programmes.

A view of the Regulatory Universe of Key Industries

Below is an overview of key pieces of legislation relating to specific industries:
• Auditing Profession Act 26 of 2005
• Banks Act 94 of 1990
• Basic Conditions of Employment Act 75 of 1997
• Broad-Based Black Economic Empowerment Act 53 of 2003
• Companies Act 71 of 2008
• Compensation for Occupational Injuries and Diseases Act 130 of 1993
• Constitution of the Republic of South Africa, 108 of 1996
• Consumer Protection Act 68 of 2008
• Customs and Excise Act 91 of 1964
• Deeds Registries Act 47 of 1937
• Development Bank of Southern Africa Act 13 of 1997
• Electronic Communications Act 36 of 2002
• Employment Equity Act 55 of 1998
• Environment Conservation Act 73 of 1989
• Exchange Control Amnesty and Amendment of Taxation Laws Act 12 of 2003
• Financial Advisory and Intermediary Services Act 37 of 2002
• Financial Institutions (Protection of Funds) Act 28 of 2001
• Financial Intelligence Centre Act 38 of 2001
• Financial Services Board Act 97 of 1990
• Hazardous Substances Act 15 of 1973
• Income Tax Act 58 of 1962
• Labour Relations Act 66 of 1995
• Liquor Act 59 of 2003
• Municipal Finance Management Act 56 of 2003
• Municipal Systems Act 32 of 2000
• National Environmental Management Act 107 of 1998
• Occupational Health and Safety Act 85 of 1993
• Patents Act 57 of 1978
• Preferential Procurement Policy Framework Act 5 of 2000
• Prevention of and Treatment for Substance Abuse Act 70 of 2008
• Promotion of Access to Information Act 2 of 2000
• Public Audit Act 25 of 2004
• Public Finance Management Act 1 of 1999
• Public Investment Corporation Act 23 of 2004
• Reinsurance of Damage and Losses Act 56 of 1989
• Securities Services Act 36 of 2004
• Short-term Insurance Act 53 of 1998
• Skills Development Act 97 of 1998
• Tobacco Products Control Act 83 of 1993
• Unemployment Insurance Act 63 of 2001
• Value-Added Tax Act 89 of 1991

Conclusion

With the current business landscape, where legislation emerges and changes continuously with increasing requirements to keep business on the right track, it is critical for every organisation to implement adequate and effective structures to embed a culture of compliance.

Internal Auditors must take responsibility to become familiar with the legislative universe of their organisations and assist in providing assurance that structures and processes are adequate and effective to mitigate compliance risks.

Contacts

Dave Kennedy, Service Line Leader – Risk Advisory, Deloitte South Africa. Cell: 2782 780 9812. Email: dkennedy@deloitte.co.za

Bukkie Adewuyi, Senior Manager – Risk Advisory, Deloitte South Africa. Cell: 2776 4050 465. Email: aadewuyi@deloitte.co.za

Regional Contacts

Pramesh Bhana, Director – Risk Advisory, Deloitte South Africa. Cell: 2782 303 2227. Email: pbhana@deloitte.co.za

Munier Damon, Director – Risk Advisory (Cape Town), Deloitte South Africa. Cell: 2783 2342 336. Email: mdamon@deloitte.co.za

Mark Victor, Director – Risk Advisory, Deloitte South Africa. Cell: 2782 772 3003. Email: mvictor@deloitte.co.za

Navin Sing, Director – Risk Advisory (Kwazulu Natal), Deloitte South Africa. Cell: 2783 304 4225. Email: navising@deloitte.co.za

Kriba Moodley, Associate Director – Risk Advisory, Deloitte South Africa. Cell: 2783 327 4500. Email: kmoodley@deloitte.co.za

Jens Kock, Director – Risk Advisory (Namibia), Deloitte Namibia. Cell: 2648 1124 5457. Email: jkock@deloitte.co.za

Dean Chivers, Director – Risk Advisory, Deloitte South Africa. Cell: 2782 415 8253. Email: dechivers@deloitte.co.za

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

"Deloitte" is the brand under which tens of thousands of dedicated professionals in independent firms throughout the world collaborate to provide audit, consulting, financial advisory, risk management, and tax services to selected clients. These firms are members of Deloitte Touche Tohmatsu Limited (DTTL), a UK private company limited by guarantee. Each member firm provides services in a particular geographic area and is subject to the laws and professional regulations of the particular country or countries in which it operates. DTTL does not itself provide services to clients. DTTL and each DTTL member firm are separate and distinct legal entities, which cannot obligate each other. DTTL and each DTTL member firm are liable only for their own acts or omissions and not those of each other. Each DTTL member firm is structured differently in accordance with national laws, regulations, customary practice, and other factors, and may secure the provision of professional services in its territory through subsidiaries, affiliates, and/or other entities.

© 2012 Deloitte & Touche. All rights reserved. Member of Deloitte Touche Tohmatsu Limited.
Designed and produced by Creative Services at Deloitte, Johannesburg. (0000/dbn)

