Compliance Maturity for Risk Management

Building Strong Privacy and CASL Compliance Programs

In a business climate where organizations are overwhelmed by increasing regulation, it is extremely helpful to look at how good governance can help achieve compliance goals. This article will use privacy and CASL compliance as examples of programs that are supported by a strong organizational governance framework.

Privacy Accountability Framework

Getting Accountability Right with a Privacy Management Framework is a guidance document that was jointly developed by the federal, B.C. and Alberta privacy commissioners. It highlights the building blocks for an effective privacy management program. These are discussed under two main categories – organizational commitment and program controls.

Organizational commitment includes:

  • Senior management support (buy-in to the importance of privacy from the top);
  • Having a responsible point person (the privacy officer) who takes responsibility for the organization’s privacy commitment, and who also has a team to implement and enforce privacy best practice across the organization; and
  • An effective reporting program that clearly defines the reporting structures with respect to assessments of compliance activities, and with respect to escalating privacy complaints and breaches.

Program controls include:

  • Examining personal information holdings – is this reflective of what the organization actually needs?
  • Policies that address how the organization gives effect to the principles of privacy;
  • Conducting regular risk assessments and addressing risks identified;
  • Up-to-date training and education requirements that are tailored to specific needs and involve active engagement by staff;
  • Having a protocol in place to manage privacy breaches, including when to report a breach to the privacy commissioner and when to notify affected individuals; and
  • Ensuring service providers are protecting privacy and securing the data you entrust them with.

Building a CASL Compliance program

Compliance and Enforcement Information Bulletin CRTC 2014-326 was released by the CRTC to “provide general guidance and best practices for business on the development of corporate compliance programs” under CASL and the CRTC’s Unsolicited Telecommunications Rules (Rules), which regulate communications by telephone, fax and automatic dialing-announcing devices.

The CRTC has made it clear that the existence and implementation of a corporate compliance program would be taken into consideration when enforcing CASL, including in determining whether an administrative monetary penalty is warranted and whether a violation constitutes an isolated incident or forms part of a more systemic problem.

The key components include:

  • Senior management involvement to foster a culture of compliance;
  • Conducting risk assessments;
  • Having a written corporate compliance policy in place;
  • Implementing good record keeping practices to identify possible non-compliance issues, investigate and respond to complaints, and demonstrate that corrective actions were implemented;
  • A training program on what constitutes prohibited conduct and what employees should do if they witness prohibited conduct; and
  • Having auditing and monitoring mechanisms in place to prevent and detect misconduct, and assess the effectiveness of the corporate compliance program.

Common Themes for Compliance

Note the common themes in what regulators expect from a privacy or CASL compliance program:

  • Oversight by someone with seniority and decision making power.
  • Policies and procedures that are enforced and regularly reviewed.
  • Controls in place to address areas of risk (that is, key controls are identified and implemented based on a sound understanding of the key risks).
  • An interactive training program (on-boarding and refreshers). Remember, a risk-based perspective means assessments, controls and training go hand-in-hand.
  • Monitoring compliance.
  • Record keeping to demonstrate due diligence.

These are the critical components that make a compliance program effective and move an organization towards increased maturity.

The Maturing of Regulatory Compliance

A Governance Perspective

Governance is a continuous process to manage and mitigate risk. When regulatory compliance programs reduce risk to an acceptable level, compliance becomes a strategic discipline within the organization. KPMG’s advisory entitled Governance, Risk and Compliance: Driving Value through Controls Monitoring discusses compliance maturity. The goal is to reach enhanced compliance (stage 4), but it takes time and commitment to get there. Here are the 4 stages that organizations go through:

  1. Fragmented: Compliance is achieved through disconnected and/or inconsistently applied efforts throughout the organization. Extensive coordination and work are required by a centralized project management function.
  2. Implemented: Compliance is achieved through a new, overarching, stand-alone program with dedicated personnel whose main focus is coordinating and communicating the compliance activities.
  3. Embedded: Compliance is achieved by building compliance activities and procedures into existing business processes and technology so that business owners can start to share responsibility for compliance.
  4. Enhanced: Compliance is achieved as part of how business is done and is inherently part of organizational culture. The enhanced state implies a change in mindset in which compliance is performed not solely for the sake of complying with different laws but also to gain business process improvement.

Contact PRIVATECH to discuss options for improving your organization’s privacy and CASL compliance maturity.

And check back next week for a blog article on the Board’s role in privacy and CASL compliance from a governance perspective.