The need to establish a compliance function will depend on, amongst other things, the industry and the organization, although typically the drivers are regulatory requirements and/or exposure to the risk of violating laws and regulations. Examples of such exposure can be corruption risk or reputational risk. For some industries/organizations, it is a legal requirement to have a compliance function.
In this guidance we have tried to describe "best practice" for compliance functions regardless of industry, regulation and size. It does not cover the legal requirements to which compliance functions may be subject; rather, it introduces the basic principles of the function. Individual adaptations will naturally depend on each organization’s nature, size and risk profile.