Opinion | Recommendations for implementing a compliance program in large companies

Starting from the premise that a compliance program must be implemented according to the size and characteristics of the organization, we set out below some recommendations for implementing one in a large company, whose focus and complexity differ significantly from those of a small company.

Firstly, since large companies usually have greater resources available, we recommend that, in addition to dedicating financial, technological and human resources (including the participation of specialized teams during implementation), the governing body and senior management demonstrate a commitment to the culture of compliance that is visible enough to generate awareness at all levels of the organization, through awareness-raising, sensitization and training programs.

Likewise, since a large company may have a higher degree of exposure to risk as a consequence of the volume or complexity of its operations, we recommend that, as a starting point and prior to identifying the activities, operations and/or processes exposed to risk, the following methodologies be developed specifically for the organization:

  • Risk assessment: takes into account the risks inherent to the organization’s activities; the criteria for determining the level of impact and probability should consider the nature of the business, its economic environment and the influence on the fulfillment of strategic objectives.
  • Control evaluation: measures the strength of each control, considering, for example, its degree of automation (manual or automatic), its nature (preventive or detective), the ease with which it can be circumvented (vulnerability) and the frequency with which it is executed.
  • Review of controls: ensures an adequate control environment through guidelines for developing control monitoring plans, which should contain specific actions and lines of defense for properly supervising the controls previously identified.

As can be seen, large companies will face a higher degree of sophistication not only during the implementation stage of a compliance program but also during its operation, since, compared to a small company:

  • Risks and controls will be reviewed more frequently.
  • The results of the various model reviews will be reported at higher levels of the organization.
  • More frequent and more specialized communication programs will be required.
  • Codes, policies, procedures, action guides, manuals, protocols and/or instructions will be developed for specific risk areas.
  • Additional internal controls will be implemented.
  • The use of technology for monitoring the program and for access to the reporting channel will be assessed.
  • The compliance program will be integrated into the organization’s various processes.
  • The model will be flexible enough to grow with the organization (scalable).
  • The appointment of an internal auditor will be evaluated.
  • The governing body or senior management, as appropriate, will need to appoint a compliance program officer with autonomy, authority and independence.

In conclusion, the implementation of a compliance program in large companies must be adapted to the specific characteristics and dimensions of the organization, considering aspects such as operational volume, exposure to risks and complexity of its structure.

For this, the involvement of corporate governance is key: it must lead and promote the implementation and supervision of the compliance program, and must itself set the example by acting in an ethical and responsible manner.

In addition, it is essential to create customized methodologies for evaluating risks and controls and for reviewing them continuously, thus ensuring a solid control environment.

By Jorge Luis Hurtado, Deputy Manager of Legal and Regulatory Management at Redinter.

“Rule the Rules” Podcast – Episode 5: Donald Dillman, Compliance Director at Diebold Nixdorf

Fifth installment of the “Rule The Rules” Podcast, our conversation series, in which Yoab Bitran, Director of the Compliance Group at az, welcomed Donald Dillman, Compliance Director at Diebold Nixdorf.

Donald shared his experience in different companies and organizations, and provided recommendations to improve internal investigation processes.

Colombia | Artificial Intelligence Governance

AI governance transcends regulatory frameworks and enters into business strategy. It covers a wide spectrum of elements, ranging from financial planning to risk management. Responsible AI governance can strengthen a company’s reputation and attract customers and talent. It can also foster an environment of responsible innovation, enabling companies to develop AI solutions that have a positive impact on society. Companies that adopt strong AI governance will be better positioned to compete in an increasingly digitalized market.

In this regard, ethical principles will always be key when considering the development and implementation of AI systems. Transparency in AI algorithms, the need to explain the decisions made by these systems, and the need to train employees in the responsible use of AI are all fundamental aspects.

Peru | New regulations of the Personal Data Protection Act are published

Supreme Decree No. 016-2024-JUS was published in the Official Gazette El Peruano, approving a new Regulation of Law No. 29733, the Personal Data Protection Law (hereinafter, the “Regulation”). The Regulation imposes new obligations on the holders of personal data banks and/or those responsible for their processing, including the following:

  • Notify the National Authority for Personal Data Protection within 48 hours of becoming aware of a security incident that exposes large volumes of personal data or causes serious harm to the data subjects. The affected data subjects must also be notified within the same period, unless the incident has been resolved or no such harm has occurred. Every security incident that occurs must also be duly documented and a record kept.
  • Appoint a Personal Data Protection Officer when large volumes of personal data or sensitive data are processed. The officer is responsible for supervising compliance with these obligations and acts as the point of contact with the Authority. In the case of business groups, a single officer may be appointed for the whole group.
  • Maintain a security document, which must be formally approved and complied with by all personnel with access to information systems. It must be kept up to date and must contain, at a minimum, the procedures for access management, privilege management and the periodic verification of the privileges assigned on information systems.

Likewise, the Regulation establishes optional proactive responsibility mechanisms. These represent the controller’s commitment to comply with the regulations and may be considered mitigating circumstances in a possible administrative sanctioning procedure. They include:

  • Conducting Personal Data Protection Impact Assessments, especially when the processing involves sensitive data, data used to build personal profiles, or data of people in particularly vulnerable situations, among other cases.
  • Implementing Codes of Conduct that establish specific rules for regulatory compliance within the entity or business group, such as procedures that facilitate the exercise of data subjects’ rights, supervisory mechanisms and clauses for obtaining consent, among others.

The new Regulation also introduces new features. Portability is recognized as a manifestation of the data subject’s right of access: when requested, and where technologically possible, the data must be transferred to another controller or holder of personal data banks. In addition, a first contact may be made with the data subject to obtain express consent for advertising and commercial prospecting purposes; if that consent is not obtained, no further contact may be made.

Finally, registration of personal data banks is now free of charge, and the platform “I take care of my personal data” is created for citizen assistance.

The new Regulation will come into force 120 calendar days after its publication in the Official Gazette. The obligation to appoint a Personal Data Protection Officer will come into force progressively over a 4-year period, depending on the sales volume of the responsible companies. The right to portability will take effect 6 months after the Regulation comes into force.

For more information or in case of any questions on the subject, contact us at the following email: innovacion@cpb-abogados.com.pe
