The recent regulatory findings on Crown's governance and compliance culture have led to significant changes to its management and board structure, and to unwanted press coverage. With regulators looking over their shoulders, companies in general understand the importance of regulatory compliance.
Yet the maturity of compliance programs varies across the industry. The differences are sometimes due to a lack of appreciation of the compliance requirements and of what it will take for an organization to fulfill the regulations.
To truly appreciate the compliance requirements, companies should first understand compliance as risk management (i.e. what is the regulator’s expectation, and what risks are we trying to manage?). The next step is to contemplate the worst-case scenario and quantify the cost should the company fail to manage the risk. Having understood the size of the problem, we can then work backward to think about the funding, headcount, technology, and processes required to manage the risk and fulfill the obligations.
The challenge for the tone at the top of an organization is not a failure to recognize the need for compliance but a failure to truly appreciate the impact on the organization if it does not manage the risks properly. The Guardian's recent report on VCGLR's enquiries into Crown Resorts has helpfully highlighted the governance and compliance culture issues and, more importantly, the consequences of compliance failure.