With you for over 10 years – committed to compliance and integrity!

“THE BRIDGE OF SUCCESS IS NEVER CROSSED ALONE!”

At the Circle of Trust, which took place on 13 February 2017, EICE members exchanged some concrete dilemmas in a confidential environment and talked about existing practices and possible solutions. In keeping with the “Mastermind” methodology (“The bridge of success is never crossed alone”), each of us found at least part of the answer to our own question and contributed at least part of the solution to a colleague's. To illustrate, we also wrote down some of the thoughts that were exchanged.

The position of compliance vis-à-vis the supervisory board (direct delegation of tasks, reporting, tasks beyond compliance, etc.) and the placement of the DPO (inside or outside compliance)?

Despite “independence” and “direct access to the supervisory board”, we are aware that in practice reports on the work of compliance (regular or ad hoc) are submitted to the supervisory board either through the management board or with the management board's knowledge (open communication). The exceptions are at most “borderline situations”: potentially very important matters for the company, or even irregularities on the part of the management board that it ignores or hides (as an extreme measure, the compliance officer may also resign). As a rule, compliance receives tasks from the supervisory board through its resolutions and via the management board (where everyone agrees or trust has been established, tasks can also come directly from the supervisory board). Care must be taken that the supervisory board does not cross the line from supervision into interfering in operations (which is a management problem), and that compliance does not take on tasks that jeopardise its independence. Because contact between compliance and the supervisory board is limited in most companies, compliance often wants more direct communication with the board, which in some cases can lead to the board relying excessively on compliance (especially where internal audit is passive). The fact remains, however, that compliance does not have the same position as internal audit, which reports through an audit committee.

The protection of personal data is a detailed and extensive area, so appointing the DPO within compliance could draw too much attention and too many resources to a single area (and neglect the others). One possible solution is for the DPO to be an independent person (similar to, for example, the anti-money-laundering officer), but the question is whether every company has the resources for this, including a deputy, etc. It is a perfectly acceptable solution for the DPO to sit within compliance (especially where more than one person works in this field), provided the DPO has their own independence (in particular, that they are not involved in the processes themselves, that a specific person is formally authorised, etc.). Because of the interdisciplinary nature of the role, there is also a lot of talk about “collective bodies”, which can be ensured by appointing a DPO plus an advisory group (DPO + security engineer or IT + lawyer + a representative of an important process).

Giving opinions and recommendations to the management board regarding compliance, and finding compromises where 100% compliance is not realistic or not possible to ensure?

Compliance provides, in particular, a risk assessment, proposals and recommendations for achieving compliance, and assists the process owners. We are aware that 100% compliance is almost a utopia; we operate on the principle of risk assessment and a plan. We do not avoid making concrete suggestions (the best choice in terms of both compliance and the normal operation of the processes). When looking for possible compromises, we listen to the arguments of the process managers and rely on the defined “risk appetite” (help from the CRO is also welcome). Colleagues are made aware that compliance primarily advises: the final decision on, and responsibility for, compliant operations rests with the process owners (the first line).

The role of compliance vis-à-vis supervisory / inspection bodies, especially in “softer areas” where it is more difficult to define unambiguous positions?

In principle, the role of the company's (chief) legal adviser or lawyer must be kept separate from the role of compliance. We also distinguish between compliance acting as the entry point for communication with regulators and compliance acting only as an interviewee in an audit process. If we are too proactive (or combine compliance with the legal service), we take care not to exceed our powers (authority). The role of compliance is not to “argue” with the supervisory body, but to be able to explain (especially internally) why a certain situation or solution is an appropriate or sufficient measure in line with the risk assessment, or how it could be improved. In communicating with external bodies, compliance seeks to align its arguments with internal audit, the legal service and the management board (and does not bear the full burden alone).

KPIs (performance indicators) for compliance: do we even have time for such things?

Management is accustomed to monitoring KPIs in all other areas, and if we want to show the added value of our work we need to do so in a way they understand. We can start with simple indicators and refine them later (cooperating with controlling and risk management). Examples of KPIs are the number of complaints, the number of reports received, irregularities detected, the number of lectures given to employees or articles published, the number of internal compliance controls introduced, progress in preparations for the GDPR, etc. Positive KPIs also make it easier to propose and justify investments in resources, IT support for compliance, etc.

Andrej Šercer