The Next Generation of Compliance Systems and GRC Platform for Global Corporations

"Compliance has evolved from an isolated quality initiative within a department to an enterprise level challenge, based on passage of acts like 21 CFR Part 11, Sarbanes-Oxley Act of 2002, and TREAD Act. The shift requires new organizational models, new processes and controls, and a new approach to the technology. In the past, point systems were adequate to address isolated compliance efforts, but as the number and scope of compliance requirements grows, isolated efforts become a business risk and increase costs." - AMR Research

Companies are governed by a complex web of regulations, laws, voluntary codes, industry codes, and corporate policies. Compliance with these intricate regulations, mandates and policies is not an easy task. Maintaining ongoing compliance is even more difficult because of continuous changes, amendments and overlaps. Inability to comply with the regulations can lead to large penalties or even temporary suspension of operations. Compliance is therefore about protecting an organization's license to operate: lack of compliance introduces a substantial financial and operational risk to the organization. As a result, compliance is very closely related to risk management.

Let us take the example of a $700 million manufacturer that has three divisions: one sells electronic components to the medical device industry, another designs and sells devices to the automotive industry, and the third custom designs electronic boards for industrial machinery. This company needs to implement 21 CFR Part 11 requirements to comply with FDA regulations within its medical device components division. The company also needs to be compliant with QS9000 and the TREAD Act to do business in the automotive industry. It also needs to be ISO9000-2002 certified to ensure that it continues to be listed as a preferred supplier by its industrial machinery customers. In addition, the company needs to comply with OSHA regulations within its plants and with EPA regulations regarding the industrial waste generated in its plants. The company also needs to comply with the Sarbanes-Oxley Act of 2002. Non-compliance with any of these regulations introduces significant financial and operational risk to the company. In order to have comprehensive and clear visibility into the status of compliance with these regulations and any related issues, the executive team needs to identify key measures of compliance and have continuous visibility into those metrics. Such a "compliance risk" dashboard will go a long way toward ensuring that management is on top of all compliance-related issues.

In addition, the underlying process for compliance management is nearly the same for every regulation:

  • Use assessments, audits, inspections or incoming complaints to identify non-conformance.
  • Identify which non-conformances need remedial action.
  • Provide a mechanism for defining, tracking and implementing corrective actions to address non-conformance.
  • Use change control techniques such as document management or training to ensure that the corrective action is implemented.
  • Provide visibility into the entire process through reporting and dashboards.

By deploying a separate point solution for compliance with every regulation, mandate or policy, companies deploy multiple redundant systems to follow the same process. As a result, the cost of acquisition, deployment, training and upgrade/maintenance of redundant technology dramatically adds to the cost of compliance.

The current practice of deploying a separate point solution for every regulatory compliance initiative not only dramatically increases the cost of compliance for an organization but also fails to provide the management team with a clear and comprehensive view of the risk associated with non-compliance, which in turn leads to poor governance (see figure below). For example, various point solutions for regulatory compliance can help you identify compliance-related status and issues for a certain regulation at a specific plant; however, such a silo approach fails to provide a comprehensive view of compliance with one or more regulations across all plants, divisions and operating entities within a company. As a result, organizations lack a good early-warning mechanism for potential risk from regulatory non-compliance and are caught by surprise when they are required to make disclosures that materially affect future earnings. And without comprehensive visibility into risk, implementing good corporate governance becomes very difficult.

Compliance Systems

Innovative companies are rationalizing the number of compliance systems by implementing compliance applications that manage multiple regulations, rather than deploying a separate point solution for each compliance initiative. This not only reduces the cost of compliance, but also provides Chief Compliance Officers with a composite view of enterprise risk due to non-compliance. As companies choose their next compliance system, it is highly recommended that they choose a system that supports multiple regulations. Over time, the company can implement other compliance initiatives on this common system, reduce its cost of compliance, and gain clear and comprehensive visibility into the risk of non-compliance.

"For Sarbanes-Oxley, we put the burden on a global bank at about 0.2 percent to 0.4 percent on EBITDA. So if the Securities and Exchange Commission is one of 370 regulators for a global bank, to approach each regulatory program individually would eat up all the profits. Lots of companies have separate compliance programs for every regulatory regime. As regulatory regimes proliferate, a comprehensive compliance program keeps regulations from depressing earnings." - Gartner

Team-Oriented Problem Solving, 8 Disciplines (TOPS-8D)

Step 1 Form an appropriate cross-functional team.
The team should include a champion who has the resources and authority to implement the team's solution.
Step 2 Define the problem.
Step 3 Contain the problem.
Protect the customer from the problem. This step can be omitted when 8D is used for a proactive improvement because there is no "problem" (like defective parts).
Step 4 Identify the root cause.
Step 5 Select a permanent correction.
Step 6 Implement the corrective action and verify its effectiveness.
Step 7 Make the change permanent (standardization).
Also share the solution with similar operations. This is best-practice deployment.
Step 8 Recognize the team's achievement.