GRC Tuesdays: Having to Deal with Multiple Regulatory Requirements? Investigate SHERLOC(K)
After publishing the blog GRC Tuesdays: Enforcement of Anti-Corruption Worldwide, a Complex Regulatory Landscape in June 2020 that introduced the initiative from the French Anti-Corruption Agency (AFA) in partnership with the Council of Europe’s Group of States against Corruption (GRECO), the Organisation for Economic Co-operation and Development (OECD), and the Network of Corruption Prevention Authorities (NCPA) to survey and map the national anti-corruption authorities (ACAs), I received many questions from smaller organizations or even departments of large organizations that didn’t have subscribed content from specialised legal firms to help them navigate the regulatory landscape. The query was regularly the same: what do we have to comply with precisely?
Of course, since I am no legal expert I am not able to advise on this matter, but I thought that this wasn’t a good enough answer so I decided to investigate and see what information I could find to at least point the organizations in the right direction.
Whilst searching for the best answer here, I stumbled upon SHERLOC. Not the BBC’s crime series with a “K” (though I highly recommend it), but the United Nations Office on Drugs and Crime’s online platform for Sharing Electronic Resources and Laws on Crime.
What is SHERLOC?
As stated on the site, the SHERLOC portal is an initiative to facilitate the dissemination of information regarding the implementation of the United Nations Convention against Transnational Organized Crime.
This portal is actually the result of article 9 of resolution 7/1, Strengthening the implementation of the United Nations Convention against Transnational Organized Crime and the Protocols thereto, from 2014, which “Invites States parties and, on a voluntary basis, other interested Member States, to provide information on the relevant legislative tools to be included in the knowledge management portal known as Sharing Electronic Resources and Laws on Crime”.
Albeit not an exhaustive resource, this portal includes 7 well-populated databases:
- Case Law Database containing jurisprudence, which allows users to see how Member States are tackling criminal cases in their courts;
- Competent National Authorities (CNA) Directory of parties designated to receive, respond to and process requests pertaining to mutual legal assistance, extradition and transfer of sentenced prisoners, smuggling of migrants, trafficking in firearms and trafficking in cultural property;
- Legislative Guide to assist States seeking to ratify and implement the United Nations Convention against Transnational Organized Crime (UNTOC);
- Strategies Database that contains plans of actions and strategies, adopted at national and regional level;
- Bibliographic Database consisting of an annotated bibliography providing synopses of key articles that are searchable by country, research methods and keywords;
- Treaties Database containing the ratification status of international, regional and bilateral agreements and treaties;
And last but not least:
- Database of Legislation which is an electronic repository of national laws relevant to the topics covered by the fifteen crime types and searchable by country, UNTOC article, crime type and cross-cutting issues.
This is precisely the part of the portal that this blog will focus on.
There are currently 15 types of crime that are covered in SHERLOC’s regulatory database:
For the purpose of this blog, we’ll only focus on the ones relevant to the national Anti-Corruption Authorities (ACAs) mentioned above. These categories are: Corruption, Cybercrime, Participation in an organized criminal group, Money laundering, Terrorism and Trafficking in firearms.
Of course, the other categories from SHERLOC are also crucial. As a matter of fact, as mentioned in 2 other GRC Tuesdays blogs (Combating Modern Slavery – It’s More Than Compliance, It’s Ethics! and Modern Slavery – What Is Expected of Organizations?), public policies and legislation around Smuggling of migrants and Trafficking in persons are increasing thanks to intensifying public pressure and regulatory scrutiny.
I am of course not at all suggesting not focusing on these as I am sure you understand. I would simply like to illustrate below the countries that have anti-corruption legislative requirements listed by the United Nations Convention against Transnational Organized Crime to help respond to the question I received.
A world map of these legislative requirements
Albert Einstein is credited with the quote “You can’t use an old map to explore a new world” so I decided to apply this and create a new map. Not changing the countries of course, but simply overlaying SHERLOC’s information on a world map to be able to identify where national regulators were issuing legislation to address these risk categories.
The result is a coloured map where the darker the green, the more crime categories are addressed by specific legislation as listed in SHERLOC:
How to manage all these regulatory requirements?
There are actually two ways to go about this: the time- and resource-consuming approach and the optimized one.
Option 1: a company could decide to create one control per regulatory requirement for each of the countries it operates in. Since most countries in the map have at least one legislative text, and sometimes several, this could mean setting up disparate teams to deal with local regulations. Those teams would end up duplicating controls, as well as the testing, monitoring, reporting, etc. This could quickly become unsustainable for any large organization that operates in various geographies.
Option 2, and I am sure you guessed that it was my preferred one, involves setting up a multi-compliance framework. With this strategy, organizations can document, test, and report across multiple regulations and company initiatives, thus reducing effort, increasing visibility, and moving towards more streamlined and harmonized processes. As an example, a company would document a control covering anti-bribery requirements once and assign it to as many regulations and initiatives as required where it operates, while still ensuring that it captures the data specific to each local requirement via regulation-specific attributes.
The company would therefore document once but re-use the control documentation many times. The compliance department would then schedule the evaluations (assessment and/or testing) to be shared as well, if appropriate. The control is then performed once, with the results used many times. You can imagine the savings in time and effort, but also how much easier it will make expanding into new geographies or applying new regulations.
At the same time, this still establishes clear accountability by control or subprocess, by regulation or even initiative.
What about you, how do you manage multiple related regulatory requirements? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard