Throughout the last 10 years, compliance became—mainly for financial institutions—one of the biggest risks. These days, corporations from all industries invest in compliance programs and acknowledge the significant risk. The understanding that compliance is an important issue is driven by two

Regulatory arena: Legislation evolved, and regulators’ expectations were clarified through new rules and fines; standards and requirements are published at a higher frequency

Industry standards: Banks and leading corporations set their expectations through contracts, questionnaires, audits, and reviews. The message is clear and direct: Either you can demonstrate compliance, or the business relationship will be in danger.

While regulators seem to compete with each other on the strictness of the requirements, companies struggle to achieve an effective compliance program that would be strong enough to meet industry expectations. What defines a compliance program as “effective” or “strong”?

Measuring a compliance program can be done using several methods/indicators:
1. Number of identified breaches
2. Audit/regulatory review findings
3. Assessment of residual risk and level
4. Adherence to adequate procedures (e.g., standards published by regulators/
5. Indicators for a holistic compliance culture

Breach identification: Limitations of size
Large banks and corporations struggle to identify all breaches that have occurred. Stakeholders cannot be sure the organization implemented a comprehensive program that will identify all breaches and that the risk of non-compliance is

Audit findings: Current programs
Internal and external reviews focus on the design of the control environment and the effectiveness of the critical controls. The reviews are as good as the leading auditor’s understanding of the matter, and they usually focus on the same findings identified in other business units/territories. In many cases,
Will compliance become the
» Industry‑driven standards raise the bar of compliance even higher than regulatory scrutiny.
» No identified breach does not mean your organization is compliant.
» Risk assessments are important but will not tell the complete story.
» Culture is the basis for appropriate behavior.
» An effective compliance program is one that would pass the investigation test.
by Yaron Hazan