If the general view that compliance in the Netherlands is ‘still in its infancy’ is true, then it is a child that has had to grow up very quickly, because in the boardroom of the early ’90s, anyone mentioning the term ‘compliance’ would have been met with blank stares. So, what has changed? And how can organisations comply with stricter rules without sacrificing agility? Before we can answer those questions, we need to go back in time.
In the financial sector, self-regulation was the motto until well into the 1980s. The establishment of the Securities Traffic Supervision Foundation (STE), the predecessor of the Netherlands Authority for the Financial Markets (AFM), was the first attempt by the Dutch government to regulate securities trading. In 1992, the STE’s powers were laid down in the Securities Trading Supervision Act which, for example, prohibited company managers from buying securities in companies in which they themselves were active.
Driven by increased complexity and globalisation, the main focus of the financial sector shifted from self-regulation to government supervision. Because of the new legislation, compliance within organisations became more important. Although a specific compliance role was not required by law, the first Dutch compliance officers at financial institutions appeared around this time.
Compliance became essential
But the big change came that same year with the bankruptcy of the American energy giant Enron which manipulated profit margins and used underhand strategies to evade taxes. Over the next few years, corporate governance became a focus worldwide. In the US, the Sarbanes-Oxley Act was passed, which imposed internal auditing and financial reporting rules on listed companies. The Netherlands introduced the Corporate Governance Code in 2004 and the Financial Supervision Act (Wft) followed in 2007, which included the Securities Transactions Supervision Act.
In the Financial Supervision Act, an ‘independent and effective compliance function and independent audit function’ was made mandatory for certain financial institutions for the first time. Although this obligation did not apply to companies outside the financial sector, the role of compliance officer has since been widely introduced, and compliance and integrity have become a dire necessity for every organisation. Today, failure to comply with legislation can lead to a fine faster than ever before.
Compliance is not listed as an entry in the Dutch dictionary Van Dale, but the Dutch Compliance Institute (founded in 1999) defines it as ‘promoting and ensuring compliance with external and internal rules relevant to the integrity of the organisation’. Standards and rules that an organisation sets up itself ‘are an integral part of this’, adds the institute.
Simultaneously with the emergence of stricter laws and regulations, another development was taking place that would change the world. The rise of the internet, data and new technologies brought additional risks and complexity in terms of compliance, as well as new legislation, such as the General Data Protection Regulation (GDPR) in 2018. Supervisors and the judiciary have also become more active in recent years, resulting in various settlements worth millions.
We have entered a world where, on the one hand, GRC appears to be an exact science (organisations lose sight of the bigger picture and outsource compliance to specialist agencies), while on the other hand it requires more than simply ticking all the boxes (the increased importance of integrity).
Continuous risk analysis
In any case, there is no doubt that clarifying and managing risks is indispensable for any organisation of any size. Compliance issues nowadays usually centre on two areas: high costs and the lack of up-to-date insight. Checks are usually performed periodically (daily, weekly, monthly) and manually, which means they cost time and money and are also prone to error, with all the associated risks that entails.
Instead of periodic monitoring, today’s legislation requires continuous monitoring. Continuous monitoring provides up-to-date insight and enables organisations to make adjustments swiftly. However, the biggest challenge is implementation. How do you arrive at an efficient GRC policy in which continuous risk analysis and monitoring are optimally guaranteed?
Introduce automation of control efforts
KPMG’s Sofy GRC solution is designed with one clear purpose: to simplify and improve risk and control activities. Sofy GRC is a cloud-based solution that provides organisations with real-time insight into the degree of compliance in all areas. Whether it is risk, control, access, policy or control automation management, Sofy GRC enables companies to take control measures. Sofy Suite supports this by detecting non-compliances or conflicts in time. With its control automation capabilities, insight and the in-control state increase while costs decrease.
Sofy GRC unites the knowledge and experience of KPMG with relevant international laws and regulations. This provides organisations not only with insight into the degree of compliance (the facts), but also with the underlying context.