In our first and second articles in this series, we introduced the concept of risk silos and what you can do about them and then discussed an integrated approach to risk management. In this article, we will take a closer look at compliance silos.

Are there compliance silos in your organisation?

• Individual business units have their own systems and processes, including training and record keeping for managing their compliance requirements.
• Some areas of operation have well-developed compliance activities while other aspects of the business lack awareness of, and fail to have any structure for, managing compliance requirements in their operations, identifying non-compliance and implementing corrective actions.

If you have answered yes to any of the above, then it is possible that you, like many other organisations, have compliance silos in your organisation.

What is compliance?

The Compliance Management Standard ISO 37301: 2021 (Compliance Standard) defines compliance as “an ongoing process and the outcome of an organisation meetings its obligations”.

The Compliance Standard also defines compliance obligations as “requirements that an organisation mandatorily has to comply as well as those the organisation voluntarily chooses to comply with”. This is an important definition as compliance encompasses more than just frontline legal compliance but broader compliance requirements arising from partnerships, contracts and industry standards.

There are several benefits to be gained when compliance is managed effectively. These include, as covered in the Compliance Standard:

• improving business opportunities and sustainability
• protecting and enhancing reputation and credibility
• ensuring that the expectations of others are considered
• demonstrating a commitment to managing compliance risks effectively
• increasing confidence of third parties in the organisation
• minimising risks of contravention and costs and damage caused by non-compliance.

What exactly is a compliance silo?

Like a risk silo, a compliance silo means that compliance activities and tasks are done in isolation (autonomously) rather than in an integrated way. Compliance silos can happen within any type and at any level of an organisation.

What types of factors lead to compliance silos developing?

As organisations grow, so does the risk that compliance silos will develop. For example, the more business units and locations that are created, the more likely it is that localised compliance activities will take place with information failing to flow to other areas and levels in the organisation. Additionally, without a centralised approach, organisations are forced to rely on the competence of individual managers in managing compliance activities and in giving sufficient priority to ensuring compliance and dealing effectively with any non-compliance.

The development of compliance silos can also be exacerbated by the following factors:

• if a culture of compliance is not obvious and not led or influenced by top management
• if there is no coordinated system, software or process for identifying compliance requirements across the entire ­­­organisation
• if there aren’t technology solutions for compliance to enable organisation-wide visibility of compliance activities
• compliance activities are purely focused on frontline activities with managers at the frontline taking responsibility for compliance without leadership oversight or leadership visibility of compliance activity
• if there are distinct and specific compliance requirements related to an aspect of a business (e.g. chemical use and health and safety).

What can you do to help break down compliance silos?

A useful way of breaking down compliance silos is to approach compliance management in an integrated way. Some simple steps to get you started are:

1. Identify compliance requirements across the organisation. This step is essential to begin managing compliance related risks. To start, look at the compliance obligations that arise from your business operations, as well as any legal and regulatory compliance requirements in each operational area. You should also include any non-mandatory compliance requirements that arise from contracts and partnerships with key stakeholders.
2. Develop a centralised system and processes to manage compliance requirements so that there is a consistent approach to where information is available, records are kept, and the types of implementation steps required (training, reporting, etc). This may include a register of obligations including the source, the area of the business the obligation applies to, who will keep that information up to date, and the last time the source was reviewed to ensure currency of obligation.
3. Provide training to managers across the organisation, so that they are familiar with the compliance management systems and processes required to be followed, where information is available, what records they should keep, and how to report any new obligations or compliance breaches along the way.

Conclusion

Compliance silos can easily occur, especially as organisations experience growth in teams and locations. If you start to recognise compliance silos developing in your organisation, consider some of the steps that you can take to bring compliance management back to an integrated approach.