Design and implementation of compliance risk closed-loop management

Author: Economic Observer Time: 2022.09.28

By Tao Guanghui

Recently, the State-owned Assets Supervision and Administration Commission of the State Council issued the "Administrative Measures for the Compliance of the Central Enterprise" (the State-owned Assets Supervision Commission Order No. 42). Compared with the previously issued "Guidelines for Compliance Management (Trial)", the "Measures" contain five major changes.

Among them, the third major change is the "comprehensive regulatory compliance management process". It puts forward clear requirements for compliance risk identification, evaluation and early warning, compliance review, risk response, problem rectification, accountability, etc.

This change once again emphasizes "compliance risk closed-loop management" as an important mechanism and process.

1. What is closed-loop management of compliance risk

Compliance risk closed-loop management is not a new concept. From the technical level, all management, including risk management, is actually closed-loop management. Closed loop refers to the continuous improvement of management and effectiveness through a continuous PDCA (Plan-Do-Check-Act) cycle. As early as 2012, China Telecom and other companies proposed models such as "closed-loop operation implementation of comprehensive risk management".

The closed-loop management of compliance risks is likewise a way of describing the compliance risk management and control process model using the principle of the PDCA mechanism. It supplements and upgrades the description of the mechanism as "before the event, during the event, and after the event". Before, during, and after the event are defined according to the time at which compliance management (including the leading department) intervenes in compliance affairs. Prevention beforehand, control during the event, and response afterwards are the basic principles of that mechanism. The key difference between it and the closed-loop management of compliance risks is that it lacks the emphasis on "closed loop". "Closed loop" is indispensable for "compliance risk management", which is still a new business under exploration.

According to the provisions of Chapter 4 of the Measures, compliance risk closed-loop management includes compliance risk assessment and early warning, compliance review, risk response, rectification of violations, and accountability. Of course, according to the logic of closed-loop management, the "compliance risk re-warning and warning" must be added after accountability.

Compliance risk closed-loop management is the formal proportion of current regulatory compliance management processes. However, it should be noted that its essence is a result of the operation of the compliance mechanism, and it is the systematic arrangement of compliance management control processes over a certain period of time. In other words, the closed-loop management of compliance risks is not a single operating mechanism on the same dimension as the compliance review and the compliance survey. Rather, it should be the combination of the entire compliance control process. As a result, the specific practice of each enterprise with respect to compliance risk should be "one enterprise, one policy" and "adapt to local conditions."

2. How to design compliance risk closed-loop management

From the perspective of compliance management affairs as a whole, compliance risk closed-loop management should be synchronized with the construction of the compliance management system. Each mechanism or process in the closed-loop management of compliance risks should, in theory, have a corresponding compliance management system or specification. In this way, the compliance mechanism is "well-based" and can be implemented. This is the first priority in designing compliance risk closed-loop management.

Compliance risk identification and evaluation constitutes the starting point of closed-loop management of compliance risk. By comprehensively sorting out the compliance risks in its business management activities, the enterprise establishes and regularly updates the compliance risk database, and analyzes and evaluates the possibility, impact, and potential consequences of risks. , Risk response, problem rectification, etc. are necessary. Compliance risk assessment is the process of actively discovering risks. Risks can also be found by accepting reports. Therefore, establishing a platform for reporting violations, publishing reporting telephone numbers and mailboxes, accepting reports of violations in accordance with responsibilities and authorization, and investigating and dealing with reported issues should also belong to the same type of compliance mechanism.

Risk warning targets risks that are typical, universal, or may have consequences. Through the selection of early warning indicators and the setting of risk values, a warning is issued in a timely manner when the actual risk value breaks through the threshold. It can be said that the key to compliance risk warning lies in the design of early warning indicators and risk values. Because compliance risk is the risk of violating compliance obligations, and compliance obligations require certain professional knowledge and experience to judge, designing a compliance risk warning is not easy. It may only be possible to set up a practical compliance risk early warning mechanism in specific scenarios. In addition, in the "Measures", compliance risk early warning and compliance risk identification and evaluation are tied together. In my personal view, this may be inappropriate. The main reason is that compliance risk assessment is based on inherent risks, while compliance risk warning is based on the remaining risks.

Compliance review may be the most important part of the closed-loop management of compliance risks. Compliance review can prevent most compliance risks at the source. In this regard, the "Measures" put forward higher requirements. The compliance review should be embedded in the business and management processes of the enterprise as a required procedure. The compliance review opinions on major decision-making matters must also be signed by the chief compliance officer. The business and functional departments and the compliance management department put forward opinions and suggestions on the review standards, processes, and key points of the compliance review in accordance with their duties, and regularly conduct follow-up evaluations of the review situation. Within the compliance review stage, a "small closed-loop management" of compliance review should be formed.

Risk response is an inevitable part of risk management. When a compliance risk occurs in an enterprise, the relevant business and functional departments shall take response measures in a timely manner and report to the compliance management department in accordance with regulations. If a major compliance risk incident occurs, or one that may cause major asset losses or serious adverse effects, the response should be escalated to the chief compliance officer, and the compliance management department should coordinate. At the same time, the enterprise shall report to the SASAC in a timely manner in accordance with relevant regulations. A compliance risk must not only be dealt with in time; after it has been properly handled, rectification is also necessary. Therefore, the rectification mechanism for violations should also belong to the same type of compliance mechanism as risk response. Enterprises shall establish a rectification mechanism for violations of regulations. By improving rules and regulations, optimizing business processes, and so on, they block management loopholes and improve the level of operation and management in accordance with laws and regulations. After risk response and problem rectification, a link should be added, which is accountability. Enterprises should improve the accountability mechanism for violations, clarify the scope of responsibility, refine the standards of accountability, investigate problems and clues in a timely manner, and seriously pursue the responsibility of violating personnel in accordance with relevant regulations. At the same time, they should establish a system of performance records for operating management and employees, and take the nature, number of occurrences, and harm of violations as an important basis for assessment and evaluation.

The last link of compliance risk closed-loop management should be compliance management evaluation. It includes the validity evaluation of the compliance management system and the timely evaluation of the compliance management of key business. Through evaluation, enterprises can inspect the design and implementation of compliance management, remedy deficiencies in compliance management, and give rewards for excellent performance in compliance construction, thereby completing a PDCA loop. Only through evaluation can enterprises initiate a new round of compliance risk closed-loop management.

3. Difficulties in implementing compliance risk closed-loop management and their solutions

The closed-loop management of compliance risks is very clear and practical in logic. However, in practice, there are still some difficult problems.

In practice, the effect of compliance risk assessment is not very good. In my view, there are two reasons for this. The first is the lack of professional risk identification experts, and the other is that the existing legal and business experts have not been used to collaborative effect. Compliance risk assessment is considered to be the work of compliance personnel or external compliance consultants, which leads to a compiled compliance risk list whose content is thin, incomplete, and not in-depth. The direct solution is to strengthen the training of compliance risk assessment capabilities, and cultivate professional talents that can be installed in the head.

Processes such as compliance review and compliance risk assessment are not sufficiently embedded in business processes. At which links to start a compliance survey, and at which points to update the compliance risk assessment, require systematic judgment, and require the enterprise's other business processes to support and guarantee them. If compliance is excluded from the development of important businesses, the implementation of these compliance processes or mechanisms will not be targeted, or the business will be outside compliance control. The solution is to promote the incorporation of compliance requirements into business processes.

Finally, the rectification of and accountability for violations are not thorough. When violations occur, there may be various subjective and objective reasons. In enterprises with a weak compliance culture, dissenting voices may arise, such as "business priority" and "compliance is for business, and violations are also for business." If accountability is not in place, hidden compliance dangers may remain. The solution is to clearly clarify the accounts in advance and implement the third line of defense of compliance management. At the same time, it is supplemented by a strong compliance culture.

It can be said that compliance risk closed-loop management is the soul of effective compliance management, but currently the compliance construction of most enterprises still favors the construction of the compliance management system. This is closely related to our understanding of where compliance management works. It is hoped that this situation will change in the future, with the SASAC's push to strengthen construction in 2022.

About the Author:

Tao Guanghui is a senior partner of Beijing De and Heng Law Firm, a future leader of the Global High-end Dharma Talent Plan for Peking University, a visiting professor at the School of Law of Dalian University, an arbitrator, and a senior economist, and holds the qualifications of independent director of listed companies, enterprise management consultant, securities/futures employee, etc. Attorney Tao Guanghui has 18 years of legal work experience in total: 8 years of corporate legal experience, during which he served as the legal director of top 100 groups in China and won the title of General Legal Counselor of the Best Enterprise of China in ALB2016; 3 years of legal entrepreneurship experience as founder of (One Law Open); and 7 years of experience as a practicing lawyer. He is the author of the "Ministry of Justice of the Company" (Legal Publishing House), the Law of the Legal Affairs (China Legal Press), and the "Ten theory of Compliance Management" (internal publishing). In the field of compliance management system construction, Lawyer Tao created the "DHH compliance internal control risk integrated construction of the five-ring model".
