GRC Professional - February 2015 Edition | Page 14
Quick Tips
How to protect yourself from personal liability:
• Investigate problems thoroughly and aggressively
• Do not rest until you have resolved a problem – follow up
• Document your investigations
• Report problems to the board or to senior managers
Griffin says that the game has changed in the US,
and as a result, we are living in a much more aggressive enforcement environment. “It really took off
after the financial crisis. Following the criticism
directed at the SEC for failing to notice problems,
they started to take a much harder look at companies than they had in the past. They started to take
another look at who in the companies were responsible for these breaches, and the compliance officer
falls into that category.”
More generally, he says the enforcement regime
is tougher. “There are more investigations, more
actions and higher penalties. As a consequence, the
chances of a compliance officer who does not notify
of a problem being caught up in a case are higher.”
Australia
This trend has not reached Australia and New
Zealand yet, but that does not mean it will not in
the future. Randal Dennings of law firm Clayton
Utz says there is a danger of debate over mandatory
self-reporting starting up again in Australia too.
Mandatory self-reporting provisions would introduce greater personal risk for GRC staff and give
rise to debates around personal liability.
It is hard enough for risk and compliance professionals to grow trust and to get people in the business to be transparent in their dealings with them.
“In times where government is considering or
actually cutting back funding for regulators, while
at the same time these regulators are being pressured to get better results, there is an increased risk
that these sort of legislative-change debates might
start to rear again.”
He says such a debate would be counter-productive. “It is all about encouraging people to come
forward and cooperate and self-report breaches. No
reasonable compliance person would say there is no
place for self-reporting to regulators, but where it
becomes more complex is when you have a statutory-required obligation to come forward.”
“In the UK, for example you have a statutory
reporting obligation, independent of your obligations to your organisations.”
“I think it is corrosive of a robust compliance culture within an organisation. When you
are encouraging people to speak up, it would be
an incredible disincentive within an Australian
context if the consequences of speaking up would
be mandatory reporting. People are not going to
talk to you, if you have a statutory obligation to talk
to the regulator about it.”
The cases in the US and elsewhere have, understandably, heightened tensions in the profession.
It is an unnecessary distraction in what are already
very challenging conditions for many GRC professionals. While it is true that the best defence
against any possible civil penalties is a robust and
thoroughly-documented compliance program,
often these things are out of the control of the
compliance manager. Personal liability does loom
as one of the biggest issues facing the profession
into the future.