Risk & Compliance: rapid emergence and new challenges

August 30, 2019
KPMG

If the general view is true: that in the Netherlands compliance is ‘still in its infancy’, then it’s a child that has had to grow up very quickly. Because in the boardroom of the early ’90s, anyone mentioning the term ‘compliance’ would have been met with blank stares. So, what’s changed? And how can organisations comply with stricter rules without sacrificing agility? Before we can answer those questions, we need to go back in time.

In the financial sector, self-regulation was the motto until well into the 1980s. The establishment of the Securities Traffic Supervision Foundation (STE), the predecessor of the Netherlands Authority for the Financial Markets (AFM), was the first attempt in the Netherlands to regulate securities trading by the government. In 1992, the STE’s powers were laid down in the Securities Trading Supervision Act which, for example, prohibited company managers from buying securities in companies in which they themselves are active.

Driven by the increased complexity and globalisation, the main focus of the financial sector shifted from self-regulation to government supervision. Due to new legislation, compliance within organisations became more important. Although a specific compliance role was not required by law, the first Dutch compliance officers at financial institutions appeared around this time. In 2001, the Association of Compliance Officers was founded.

Compliance became essential

But the big change came that same year with the bankruptcy of the American energy giant Enron which manipulated profit margins and used underhand strategies to evade taxes. Over the next few years, corporate governance became a focus worldwide. In the US, the Sarbanes-Oxley Act was passed, which imposed internal auditing and financial reporting rules on listed companies. In the Netherlands, the Corporate Governance Code was drawn up in 2004 and the Financial Supervision Act (Wft) followed in 2007, which included the Securities Transactions Supervision Act.
In the Financial Supervision Act, an ‘independent and effective compliance function and independent audit function’ was made mandatory for certain financial institutions for the first time. Although this obligation did not apply to companies outside the financial sector, the role of compliance officer has since been widely introduced, and compliance and integrity have become a dire necessity for every organisation. Today, faster than ever before, failure to comply with legislation can mean a fine.

New technologies

Compliance is not listed as an entry in the Dutch dictionary Van Dale, but the Dutch Compliance Institute (founded in 1999) defines it as ‘promoting and ensuring compliance with external and internal rules relevant to the integrity of the organisation’. Standards and rules that an organisation sets up itself, ‘are an integral part of this’, adds the institute.

Simultaneously with the emergence of stricter laws and regulations, another monumental development was taking place that would change the world. The rise of the internet, data and new technologies brought additional risks and complexity in terms of compliance, as well as new legislation, such as the General Data Protection Regulation (GDPR) in 2018. Supervisors and the judiciary have also become more active in recent years. Resulting in various settlements worth millions.

We have entered a world where GRC appears to be an exact science on the one hand(organisations lose sight of the bigger picture and outsource compliance to specialist agencies), while on the other requires more than simply ticking all the boxes (the increased importance of integrity).

Continuous risk analysis

In any case, there’s no doubt that clarifying and managing risks is indispensable for any organisation of any size. Compliance issues nowadays usually focus on two areas: high costs and the lack of up-to-date insight. Checks are usually performed periodically (daily, weekly, monthly) and manually, which means they cost time and money, and are also prone to error. With all the risks that involves.
Instead of periodical monitoring, todays legislation requires continuous monitoring. Continuous monitoring provides up-to-date insight and enables organisations to make adjustments swiftly. However, the biggest challenge is implementation. How do you arrive at an efficient GRC policy in which continuous risk analysis and monitoring are optimally guaranteed?

Automated audits

KPMG’s Sofy GRC solution was designed with one clear purpose: to simplify and improve internal audits. Sofy GRC is a cloud-based platform that gives organisations real-time insight into the degree of compliance in all areas. Whether it is GRC, access management, data management, process monitoring or finance, Sofy GRC enables companies to continuously keep a finger on the pulse so they can take effective control measures.
Sofy GRC unites the knowledge and experience of KPMG with all the relevant international laws and regulations. This not only gives organisations insight into the degree of compliance (the facts), but the underlying context, too. Sofy Suite can support solutions and alternatives when the system detects non-compliances or conflicts. By largely automating the compliance function, insight and reliability increases, while costs decrease.

Compliance still in its infancy? With Sofy GRC, it’s reached adulthood. But without losing any of its youthful agility.

Do you want to see Sofy GRC in action?

Request a demo