Building Compliance Resilience in the Changing Regulatory LandscapeCompliance Management | 6 Min Read |22 September 22|by Loren Johnson
Organizations across 190 countries reported an average of 257 regulatory alerts every day in 2020. This is a staggering number, indicating not just the volume of regulations that companies have to keep pace with, but also the rate at which they are evolving. The risk landscape today is undoubtedly more complex than ever before, leaving regulators with no choice but to introduce new policies and modify existing ones to safeguard businesses and consumers. For organizations operating in highly regulated industries like healthcare, banking, energy, and financial services, keeping pace with regulatory changes is a significant challenge. For those that have capable and scalable regulatory change management practices in place, the concept of agile risk and compliance management extending into adaptable and effective resiliency strategies should be a natural progression.
Compliance resilience was the subject of a recent webinar organized by OCEG. Michael Rasmussen, GRC Analyst &Pundit, GRC 2020 Research LLC, and I discussed the challenges and strategies for managing compliance in highly regulated industries. Here are my key takeaways.
Watch the Webinar: Compliance Resilience: Managing Compliance in Highly Regulated Industries
The Changing Face of Risk and Compliance
Organizations today are navigating a tumultuous world. The risk landscape is constantly evolving with new threats emerging every day. And businesses themselves are in a state of flux. An organization can have the best legal and compliance team and can educate its existing employees about regulations and compliance, but there are people leaving and new people joining every day. The changing dynamics and awareness levels within a business constantly change, keeping compliance professionals on their toes. Regulations keep changing as well, adding an additional dimension to the challenges compliance teams face.
And to add to the complexity, many have come to realize that risks of all types are increasingly interconnected. As an example, COVID-19 started as a health and safety risk, but its impact on global business practices soon morphed into escalated IT compliance, cybersecurity, and privacy risks, extensions of compliance and behavioral risks, and third-party management risks. As borders closed, and production slowed, risks associated with shipping, transportation, and delivery delays grew, while the potential for bribery and corruption along the supply chain flourished. All of this required compliance programs to upscale and adapt, as well as build compliance resilience, standards, and expectations as challenges grew.
The scale and velocity of risks related to the initial healthcare challenges of COVID-19 accelerated much faster than many had anticipated. And now, many industries around the world are paying more attention to and seeking proactive clarity on internal and external risks of all sorts – before they disrupt entire industries. And compliance practices are central to how any business manages its risks associated with and stays aligned to its values, practices, and regulatory environment.
Building Compliance Resilience is a Top Priority
Compliance risk and resilience strategies are comprised of two key elements, each a reflection of the other, like the two sides of the same coin. Compliance risk program agility allows a business to quickly gauge a situation, risk, or compliance challenge and enact defenses, controls, policies, and issue management to respond to it. A compliance resilience strategy is a predefined set of triggers, processes, people, systems, sequences, and measures that are designed to enable a rapid recovery from a compliance failure or business disruption. Together, they define an organization’s ability to build programs that can minimize compliance damage and enable as much recovery as possible with minimal chaos or disruption.
In most cases, a full risk and resiliency program necessitates a strategic shift from legacy compliance management practices that have been periodic and segmented. Too many compliance programs have traditionally conducted risk assessments monthly, quarterly, or even less often, and have separated functional roles within the department across teams and regions. Yet, in an interconnected risk environment as we have today, this approach is no longer sufficient. Thankfully, many organizations are breaking down those silos today, and joining functions to create a single, integrated compliance approach that is unified, collaborative, and includes strategy, processes, and technologies. Especially where organizations in highly regulated industries may have held on to separate functional compliance departments, the urgency of a unified and strategic approach to compliance risk, remediation, and resiliency is clear.
At the same time, we see a greater focus on accountability for performance, awareness, informed decision making and reporting in compliance teams from stakeholders across the business and among global regulators. As within businesses, the risk events in the last few years have increased awareness of the importance of capable organizational risk and compliance management – and resiliency initiatives – across markets, governments, and global regulators. Therefore, it should come as no surprise that risk and resiliency management is becoming a more commonly regulated obligation. Many of these emerging and evolving risk and resiliency regulatory actions define specific program requirements, standards, structures, validation, and practices to ensure compliance teams are actively pursuing assertive, holistic, and adaptable risk and resiliency programs that can best weather evolving risks, events, and challenges.
Technology—A Must for Agile Compliance Risk and Resiliency Management
A modern and resilient compliance function that aligns to emerging regulations includes a well-defined, well-executed, and agile risk management strategy that allows for program adaptation as risk factors change. It also necessitates defined roles, tasks, and robust, tested processes and measures, in a resiliency program. To best centralize access to compliance-related information, controls, testing, and aggregate results, a technology platform that includes automated processes, data sharing and integration, and intuitive analytics is essential.
As a critical element to ensuring compliance programs are effective, awareness of anticipated and current changes to enacted regulations is indispensable. An active regulatory change management program that enables horizon scanning – alerts on proposed and anticipated legislation – and change updates on relevant regulations helps enable compliance programs to adapt to shifting market expectations, standards, and rules.
Further, compliance technology platforms often include advanced analytics capabilities that capture, curate, integrate and interpret disparate and distributed relevant datapoints. They can enable the ability to draw usable insights from these data and ideally, use AI to recommend the most appropriate courses of action to reduce risk impact and recovery requirements. And to be truly resilient, a compliance management platform must ensure risk and resiliency automation and tracking, reporting, clear workflows and tasks, collaboration tools, controls and policies, and protocols that allow for the acceleration of any recovery processes. Ideally, an organization can acquire all of this in one cohesive platform that integrates with other enterprise systems like HRMS, that can facilitate new employee onboarding, training, and attestation, or ensure employees moving to different roles can stay updated on applicable regulations and their roles in ensuring compliance risk and resiliency effectiveness.
Most importantly, a compliance platform must ensure a defensible and accurate system of records that can be accessed easily to demonstrate compliance processes, aberrations, exceptions, and approvals. This is invaluable during program audits, investigations, or investigations.
A Resilient and Agile Compliance Strategy is Now a Business Imperative
Modern organizations exist in an evolving risk and compliance landscape. Agile and adaptable risk management and resiliency programs are no longer an option. As compliance program expectations escalate, building risk and resiliency programs defined by risk profiles, adaptable to ever-changing risk environments, and designed to trigger automated and proportionate responses is ideal. Technologies built specifically to enable adaptable compliance program effectiveness and efficiency, compliance risk and resiliency management, regulatory change management, and comprehensive reporting are available today to help organizations get ahead of emerging challenges, regulations, and organizational demands.
Learn how MetricStream’s BusinessGRC can help you achieve a connected, intuitive, and holistic approach to risk and compliance management. Leverage MetricStream’s Regulatory Compliance to effectively manage a wide range of compliance requirements, including cross-industry regulations, regulatory engagements, cases, and surveys.
Request a demo now.
Check out more resources:
Product Overview: Optimize and Strengthen Compliance with an Integrated Approach