The functions and responsibilities of the Compliance Officer

In the last #ComplianceKeys (ComplianceKeys17) a brief introduction was made to one of the basic characteristics of Compliance bodies: their possible configuration as single-person bodies (for example, through the figure of the Compliance Officer) or as collegiate bodies (for example, as an Ethics and Compliance Committee).

Delving deeper into the characteristics of this relevant figure for any Compliance System or Compliance Programme, in this ComplianceKeys18 we will offer a brief outline of the main functions and responsibilities that this body must assume, bearing in mind that it will be up to each organisation to define its specific functions.

This basic issue is somewhat complex to put into practice, because the regulatory framework says little on the matter. Article 31 bis.2 of the Criminal Code only establishes that: “the supervision of the functioning and compliance of the prevention model implemented has been entrusted to a body of the legal person […]”.

With regard to this brief reference, it is worth highlighting a fundamental aspect: the Compliance body is in charge of supervising and promoting the operation and observance of the Compliance Programme or System, but not of crime prevention or the Compliance System itself.

In this context, different members of the organisations must participate in the Compliance function, that is, in the functioning of the prevention and control mechanisms that make up the Compliance Programmes or Systems (for example, in the purchasing or payment circuits, by carrying out audits, among others).

Thus, the Compliance body is not in charge of observance of the Compliance Programme or System in practice, only of its supervision and of promoting its proper functioning. Observance falls to each and every member of the organisation, regardless of their hierarchical position or their functions in the entity.

As is usual in Compliance matters, self-regulation, technical standards and professional practice have filled the regulatory gap regarding the question of what functions and responsibilities Compliance bodies should assume.

Thus, without being exhaustive, some of the main functions and responsibilities that, according to standards and best practices in the field, Compliance bodies should assume are the following (and which in many cases can be outsourced in whole or in part):

  • Analysing the risks that, in the abstract, may affect an organisation (through what are generally known as Risk Reports, whether these are criminal (most frequently) or cover other Compliance matters such as money laundering, tax, etc.).
  • Directing the development and implementation of the Compliance Programme or System (leading the development of internal regulations, taking into consideration the characteristics and risks of the organisation).
  • Managing the Ethics or Whistleblowing Channel and, where appropriate, directing the internal investigations that may have to be carried out (it should be noted that this issue is likely to vary greatly from one organisation to another).
  • Ensuring that the Compliance Programme or System is adapted to the organisation (analysing legislative changes, responding to changes in the organisation’s own activity, etc.).
  • Training, awareness-raising and communication activities in the area of Compliance (with the aim of ensuring, creating or maintaining the ethical business culture and the effectiveness of certain organisational controls).
  • Other functions (such as the execution of certain controls, representation of the legal entity before authorities, representation within the framework of legal proceedings, etc.).

On the other hand, in order to guarantee its impartiality, and in relation to the responsibilities that may arise from the performance of its activities, it is not usually advisable for the Compliance body to assume decision-making functions (for example, with regard to the sanctioning of a certain member of staff as a result of an internal investigation).

In conclusion and recapitulation of the above, the scarce regulatory framework regarding the functions of the Compliance body makes it necessary to resort to self-regulation standards (such as UNE 19601 or ISO 37301), as well as to best practices in the field. Furthermore, it should be borne in mind that no two Compliance bodies will perform exactly the same functions: these must be adapted to the specific reality of the organisations of which they form part.