“We are implementing a new approach to encourage greater transparency around the management of compliance with key legal and regulatory obligations (including generic areas such as competition law and Health & Safety at Work Act) and would be interested to hear of others’ experiences in this area”
I think your process depends on the maturity level of the organisation.
We manage compliance in these areas by asking all senior managers to sign and return a year-end “Management Confirmation Letter”. This requires that they have to state that there are no breaches (or to state what the breaches are) for the part of the business under their control.
For us as a relatively immature organisation, importantly, there are no consequences for telling us about non-compliance (we’d rather know than have it swept under the carpet). In a more mature company this would not be acceptable – and this is an aspirational position for us, and will only happen when we have improved management calibre and competence.
Our approach has been to (i) raise the issue / area of compliance via the Board or Audit Committee, (ii) understand and communicate the issue to the Board / Audit Committee, (iii) establish and record a simple plan of action / management, (iv) monitor the progress of the plan of action, including staff training, via Board / Audit Committee meetings, (v) ensure incidents of known non-compliance and subsequent corrective action are notified to the Board / Audit Committee and (vi) seek to build a simple annual review of the matter in hand.
Experience has shown that we are most vulnerable in failing to meet an obligation when staff leave or are re-assigned internally, so having documented an approach to the issue at Board level ensures that (a) Directors are aware of the issue, (b) there is an audit trail showing that the issue has been considered and there is a process in place to address the matter and (c) internal changes can be made or accommodated fully appreciating the impact on the area of compliance being considered.
I am not entirely clear as to the purpose of the question, but, if this aspect helps, confirmation of compliance with relevant regulatory and statutory requirements is included in the regular risk management questionnaire. This means that either compliance is confirmed or non-compliance is disclosed internally as part of the internal controls procedures.
We have a series of computer-based training packages which people do online and have to pass tests.