We are often asked which is best compliance approach? Particularly regards IT legal compliance. Also what constitutes legal compliance and non-compliance? The King Report and King Code says that the governing body should provide strategic direction on compliance. Few topics in IT have garnered more attention during the last few years than compliance. Through a combination of:
- new laws (such as the ECT Act, Companies Act and more recently POPI),
- well-publicised fines overseas, and
- the threat of criminal penalties – as well as the fear, uncertainty and doubt created by vendors
compliance has created real interest and concern within organisations.
The word “compliance” can have several meanings, depending on the context in which it is used. When used by lawyers, the context is one of law, and that they are expressing a view on “legal compliance” – i.e. obeying the law. Here, a person generally wants to know whether or not he will get fined or go to prison if he does not obey the law. However, this is not the only approach to compliance. There are three more:
- a compliance with law approach
- a risk-based,
- a best practice approach or
- a combination of the three.
Compliance with “law” approach
This approach is usually associated with “legal compliance” or compliance with an Act promulgated by Parliament, subordinate legislation and applicable binding industry requirements (such as the JSE listing requirements). Very often there is a sanction for failure to “comply” with the Act, normally in the form of a fine or imprisonment. This is the definition which most people often associate with the term “compliance”. According to King III™ companies must comply with the law and regulations. Where there are exceptions permitted in law and shortcomings in the law, these should be handled in a responsible manner.
Here the process of compliance is like a “funnelling process”: identifying applicable legislation out of a ‘legal universe’ of all laws, identifying relevant sections, interpreting the sections and then applying your interpretation.
Weakness: It is not always easy or possible to identify what the relevant “compliance criteria” are. For example POPI does not specify what technical security requirements a company has to meet before it can be said to have taken “appropriate, reasonable technical and organisational measures” to “secure the integrity and confidentiality of personal information”.
Risk based approach
The term “compliance” is capable of having a wider interpretation: “to act in accordance with any accepted standard or criteria”. The “accepted standard” can refer to any kind of criteria subjectively determined by an organisation, such as business goals, performance measurements (and can include laws and regulations as well). The objective here is to give specific focus to “compliance risk” within a broader risk management framework (ideally as part of operational risk). Under this approach, risk management programs are typically developed with the objective of identifying the risks that an organisation faces, evaluating the potential for damage presented by each risk and addressing these threats in a systematic manner.
Under this approach the concept of “legal risk” is recognised. Legal risk generally refers to the risk that the organisation may lose legal rights, incur liabilities or become entangled in a legal dispute on account of anything that was done or not done in the course of the organisation’s business.
Weakness: It depends not only on the ability of the organisation to identify all possible risks, but to then gauge the likelihood that a particular risk will occur and how often, and determine the appropriate amount of time and energy that should be spent protecting each risk. Making these judgments can be very difficult, particularly when addressing “soft” risks such as the chance that an employee might indiscriminately destroy documents related to a court case.
Best practice approach
Here, compliance programs typically implement a series of recommendations and practices that are generally accepted as highly effective, yet not inordinately costly – “best practices”.
Weakness: Generally no single set of best practices that are applicable to all organisations. They are sometimes costly to implement.
Combination compliance approach
As lawyers, we tend to favour a combination approach with a strong “legal risk” flavour. This approach often informs our thinking to the various ICT legal audits we perform. Most recently, we have applied our thinking to data protection and the privacy impact assessments we perform.