In various fields of business, numerous laws and regulations apply. In many respects, these rules have become more complex than before; technology, operations, and commerce have evolved, alongside many other changes.
At the same time, the regulatory framework has become more intricate. A significant portion of the applicable regulations comes through the EEA Agreement, where we have little say in whether we adopt these rules into national legislation.
Opinions may differ on the usefulness or even the necessity of the regulations in force at any given time. However, this discussion focuses on the challenges associated with understanding and complying with applicable regulations in business operations—commonly referred to as "compliance." To illustrate the diversity of these challenges, a few areas of regulation frequently encountered in daily corporate operations will be mentioned, such as tax laws, competition laws, financial sector regulations, stock exchange rules, sustainability legislation, data protection regulations, employee rights and safety, production-related rules, and many more.
It is assumed that everyone involved in running businesses is committed to adhering to the rules governing their operations. Achieving this goal can involve various challenges, but ensuring compliance is crucial. The consequences of non-compliance can vary widely, depending on the specific regulations and the nature of the violation.
Consequences can range from receiving comments from oversight authorities to incurring substantial administrative fines. Such incidents can lead to public scrutiny, divert the time and attention of managers and employees from daily operations, potentially result in individual liability, and in some cases, create obligations for compensation.
These are situations everyone aims to avoid, and the risk of such deviations should be minimized as much as possible. But what can be done, and how can this risk best be mitigated?
Firstly, knowledge of the regulatory framework and of the laws and rules on the horizon is essential. It is crucial to ensure that relevant employees and managers possess the necessary knowledge and have opportunities to acquire it, and to consider this aspect when hiring.
Secondly, management must lead by example regarding regulatory compliance. A corporate culture emphasizing the importance of adhering to applicable rules serves as a strong incentive for employees.
Often, having internal processes and guidelines for employees to rely on is helpful. Some companies choose to develop specific compliance programs for certain legal areas, such as competition law. This involves conducting an assessment of the relevant operations to evaluate the risk of legal violations and implementing necessary improvements.
Part of such improvement work may include introducing systems or solutions aimed at ensuring compliance. External experts have also been brought in for unannounced visits to assess specific aspects of operations.
It can also be beneficial if employees have the opportunity to report internally if something has gone wrong or if there is an imminent risk of non-compliance, whether these reports are made openly or anonymously. Some regulations even mandate processes for specific areas.
For example, the EU sustainability directive mandates due diligence on customers and partners to ensure compliance with key human rights and environmental standards (CSDDD directive). This directive will be incorporated into Icelandic law.
Another example is the EU's DORA regulation, which will also be adopted into Icelandic law. This regulation includes rules and processes for the financial sector aimed at enhancing data and information security.
Much of what has been mentioned here does not require significant expense or effort. If the knowledge is not available in-house, it is possible to seek advice from those with the expertise. It is essential to keep in mind that any effort, no matter how large or small, is better than none.
Failure to ensure compliance with applicable regulations can have serious and far-reaching consequences—outcomes no manager or business owner wants to face. Therefore, it is vital to take preventive action before problems arise.