

Pretty often, I have found that compliance monitoring programmes don't really ask the right question. Compliant? Perhaps there's a better question out there.

Compliance monitoring programmes, in my experience, almost invariably set out to answer one question: are we compliant?

They most commonly reflect upon the regulatory obligations and assess whether there is evidence of compliance.

What you’re getting then is nothing more than a ‘tick in the box’ against that regulatory requirement.

Little confidence.

Little value.

It is very difficult, therefore, to determine whether you are getting any real return on investment from your compliance function.

Of course, what boards should really be seeking is a level of assurance, because the question above can only honestly be answered ‘No’.

The better question is:

What levels of assurance do we have that we have identified, suitably mitigated and are monitoring our regulatory risks?

Compliance assurance should be risk-based, aligned with the outputs from your business risk assessment and set on a recognised and validated framework, such as ISO or COSO.

Is yours?


