Managing compliance risk is tricky, as seen in high-profile compliance risk failures that have made headlines recently. As a result, the Australian Prudential Regulation Authority (APRA) has shared some tips on managing this type of risk.
According to APRA, compliance risk is an organisation's ability to comply with the laws, rules, regulations, and standards – whether internal or external – that govern its operations, including voluntary industry standards and codes of conduct that it elects to comply with.
APRA warned organisations that lacking systems to property manage compliance risk could lead to significant fines and reputational damage. Examples of these failures include:
In some instances, the organisations in question admitted to shortcomings in their processes, systems, and monitoring to avoid or provide early detection of breaches.
Read more: APRA releases 2021 Year in Review
APRA said organisations can maintain people's trust in the Australian financial services industry by pushing senior management and boards to prioritise compliance risk management.
While other regulators supervise and enforce different elements of entities' compliance management practice, APRA focuses on entities' ability to demonstrate and monitor compliance with prudential standards, and to consider APRA’s guidance. It considers their ability to meet non-prudential obligations and laws as a way of gauging the adequacy of their risk frameworks, and their risk management processes and practices.
“When there's a breach of a prudential standard, APRA focuses on the people, systems, and processes that have contributed to the incident to ensure the underlying cause has been identified and addressed,” APRA said.
APRA advised entities to:
In addition, APRA asked regulated entities to give the same attention to compliance risk management that they give to cyber risk, operational risk management, and other risk classes.