The UK Modern Slavery Act (MSA) was passed into law in March 2015, to tackle, among other offences, the use of slave labor by scrutinizing and regulating the working conditions in all parts of UK companies’ global supply chains.
The MSA comes amid a broader indication that governments in countries around the world are taking an increasingly active role in regulating the impact companies have on the societies they operate in. While this is a laudable aim and should certainly be encouraged, many companies find it a challenge to comply with the MSA and similar laws.
Firstly, companies with global operations must deal with multiple jurisdictions and multiple timetables when implementing new regulations. Secondly, new regulations affect multiple functions within a company, so determining which department should oversee the risk is also a challenge.
When it comes to coordination across different corporate functions, MSA has major implications for companies with UK-based operations. For instance, many companies divide oversight of MSA between HR, which is responsible for updating policies relating to workplace safety; Procurement and Legal, which are responsible for updating supply chain agreements and due diligence procedures; and Enterprise Risk Management, which must update the risk assessment process to account for modern slavery risk.
But this cross-functional approach can lead to gaps or duplication in risk management efforts. For instance, one function may mistakenly assume another department is overseeing a particular risk, while in other cases, multiple functions end up overseeing the same risk.
Three Steps to Take
Heads of compliance should take three steps (see Chart 1) to eliminate these gaps and establish an integrated risk oversight framework.
Chart 1: Establish a formal process for assigning risk ownership (Source: CEB analysis)
Identify the cross-functional implications of the risk: Heads of compliance are responsible for determining how a new regulation affects a company, in particular which corporate functions the regulation affects and how data should be used to track compliance.
In cases where multiple functions in a company are affected, compliance teams have to engage with general counsel, legal teams and other risk management stakeholders to figure out how to divide risk ownership and track compliance.
Select the appropriate risk owner: For most risks such as anti-corruption, anti-trust/competition law, compliance culture, and conflicts of interest, companies have already settled the question of ownership.
But when it isn’t clear which function should manage a particular risk, it falls to compliance managers to select the most appropriate risk owner. This makes compliance gaps less likely, because the risk owner has visibility into and control of the compliance process for a particular regulation.
Establish accountability for risk oversight: Assigning responsibility for risk oversight is not enough. Compliance managers are responsible for auditing and monitoring the risk so that there are no compliance gaps and there is transparency into the risk management process.
To stay on top of these risks, compliance teams track risk reports, compliance data, oversight initiatives and other information across the company. They do this in three ways:
Creating a shared risk tracking tool.
Developing a central risk monitoring dashboard.
Compiling a quarterly cross-functional risk report.