CHAPTER 3: COMPLIANCE MEASURES AND COMPLIANCE RISKS
3.3 General Approach to Compliance Risks
3.3.1 The Six Steps of Risk-Based Compliance
A risk-based compliance approach ensures that individuals or businesses that are not complying are identified, while those doing the right thing are not subjected to unnecessary compliance fines. It also enables resources to be targeted at the areas where they are most needed and will prove most effective. It involves a series of steps to identify and assess non-compliance risks and then to apply appropriate compliance measures to control those risks (Better regulation, 2008). The steps of risk-based compliance are as follows:
3.3.1.1 Identifying risks of non-compliance
The risks of non-compliance need to be identified and considered. While identifying these risks, suppliers, retailers and other businesses should familiarize themselves with the associated risk questions: What will happen? When and where? How and why? A failure to consider these risks properly can lead to the selection of inappropriate compliance measures and to ineffective regulatory outcomes.
The following factors should be examined while identifying non-compliance risks:
The nature of the risk: what event or incident happens, when and where?
The source of the risk: what types of people or businesses will be involved?
The effect of the risk: what is the impact upon the regulatory outcome, and who will be adversely affected?
Businesses should seek to identify the key areas of the business in which risks might arise, for example sales and marketing departments that deal with consumers directly, staff who attend trade association meetings or have contact with competitors, and new staff joining the organization. Businesses should also identify specific risks when engaging in mergers and acquisitions activity or entering a new geographic market (OFT, 2010:10; Better regulation, 2008).
3.3.1.2 Analysing risks of non-compliance
The identified risk of non-compliance has to be assessed as high, medium or low.
These risks should be analysed so that the level of each risk can be understood. The level of a non-compliance risk is determined by considering both its likelihood and its negative consequences. For example, risks arising from the arrival of new staff can be assessed as high if the new member of staff is joining from a competitor, is joining the sales and marketing department or will be undertaking a role requiring contact with competitors. Conversely, the risk might be assessed as low if the new member of staff will have a back-room function with no contact with competitors or customers (OFT, 2010:10; Better regulation, 2008).
3.3.1.3 Prioritizing risks of non-compliance
Businesses should set priorities for addressing the risks. Each non-compliance risk should be prioritized to ensure that compliance activities are focused on the areas where they are most needed. The priority of a non-compliance risk should therefore reflect relevant Government policies, such as the Bills of Consumer Rights, National Credit Act, Companies Act and Consumer Protection Act (Better regulation, 2008).
3.3.1.4 Identifying and selecting compliance measures
Compliance measures that can address the priority compliance risks should be identified, and the most suitable measures selected on the basis of their costs and benefits to the business. Retailers should examine the options and choose the actions and measures with the greatest potential to address the priority non-compliance risks. This ensures that compliance measures address non-compliance risks in the most effective manner. In addition, businesses should use appropriate risk-mitigation strategies. These would generally include appropriate policies and procedures, and appropriate training activities. For example, if the business has identified a frequent high risk arising from new staff joining the organization, it should establish procedures to train the new staff regarding compliance (OFT, 2010:10; Better regulation, 2008).
3.3.1.5 Planning for implementation
Businesses should plan when and how the compliance measures will be carried out.
Once compliance measures have been chosen, it is necessary to identify when particular compliance measures should be used. This will ensure that compliance measures are appropriate to the circumstances and that inconsistent compliance measures are not used. When considering alternative compliance measures, there are a number of issues to take into account. For example, is non-compliance likely to be the result of inadvertent or deliberate actions? Here, businesses should be able to assess the behaviours of the employees and customers who may be exposed to the compliance risks.
If it is identified that breaches are likely to be the result of a lack of information, educative measures should be used, while strict enforcement measures should be used to deter those who are resistant (Better regulation, 2008).
3.3.1.6 Report and review
The final step is to report on and review the five steps described above. It is important that businesses regularly review all stages of the process to ensure that there is unambiguous commitment to compliance from the top down, that the risks identified and the assessment of them have not changed, and that the risk-mitigation activities remain appropriate and effective. Businesses should recognize that reporting and reviewing is one of the key means of measuring how far measures have been implemented and how close the remaining tasks are to completion. Applying these concepts to retail businesses would be very helpful, as they reduce the probability of non-compliance risks (OFT, 2010:10; Better regulation, 2008).