Amid growing pressures from corporate boards and top management for a strong compliance posture, massive regulatory fines and penalties continue to make the headlines.
Earlier this year, the US Securities and Exchange Commission (SEC) imposed more than $81 million in penalties on 16 firms for their failure to maintain and preserve electronic communications. In August 2023, the regulator imposed $289 million in penalties on 11 Wall Street firms for “widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications.”
The first question that comes to my mind is: Could this have been avoided? Yes, of course!
For a successful and robust compliance program, it is important to level up the three core elements – people, process, and product. These are the critical building blocks of not only compliance but also the overarching governance, risk, and compliance (GRC) program.
Let’s look at how organizations can improve these three elements:
For a compliance program to be effective, it is essential that not only the compliance team but also employees across departments and business units are aware of the different compliance mandates, regulatory updates, and actions that can potentially lead to compliance violations.
It is important to note here that the “people” element is also crucial from a regulatory standpoint. In the US, laws and regulations such as the Sarbanes-Oxley Act (SOX), Dodd-Frank Wall Street Reform and Consumer Protection Act, and others hold compliance officers and executives accountable for non-compliance or compliance violations. Earlier this year, the Financial Crimes Enforcement Network (FinCEN) imposed a civil penalty of $100,000 on a former compliance officer for “willful violations” of the Bank Secrecy Act (BSA) and its implementing regulations.
Here are some of the key measures that organizations can take to build a compliance-first workforce:
Establishing and reinforcing robust, well-defined processes (a compliance framework, strategy, policies and procedures, and more) is critical to a successful compliance program. In today’s rapidly evolving regulatory landscape, marked by frequent new regulations and regulatory updates, the agility of the compliance program is particularly important. Organizations must adopt a responsive, agile approach that lets them revise corporate policies and controls promptly in line with regulatory changes.
An important part of compliance management is implementing and monitoring organizational controls. Controls range from regular fire drills for employee safety and hotlines for reporting abuse or discrimination to due diligence on third-party vendors to confirm their own compliance. Organizations should have well-defined processes to regularly test and monitor these controls so that gaps and weaknesses are identified and addressed proactively.
Technology-based software products are the most important element for ensuring continuous compliance in today’s complex regulatory environment. Technological breakthroughs have triggered a paradigm shift towards automated, autonomous compliance. Organizations should embrace and adopt technological advancements and automate compliance processes wherever possible. Automation enables compliance managers to eliminate cumbersome administrative tasks and instead focus their time and attention on more value-added activities, such as analyzing audits to identify areas of improvement.
Here are some areas where organizations can benefit from technology-based software products:
Simplified Relationship Mapping
A strong compliance program is supported by a well-mapped-out view of various regulations and regulatory requirements, policies and procedures, risks, assets, controls, and business functions. Organizations can leverage technology-based software solutions that enable them to establish the relationships between these elements in a centralized repository for a holistic, 360-degree view of the compliance posture.
Optimized Control Environment
The effectiveness of a compliance program is directly related to the efficacy of organizational controls. Organizations today must adhere to multiple regulations, which often results in duplicate, overlapping, and even conflicting controls. Managing such a complex control environment is already daunting; the challenge is exacerbated when organizations rely on a manual, spreadsheet-based approach, which inevitably results in oversight and blind spots.
Strengthening the compliance program requires streamlining the control environment. This can be achieved by harnessing the power of automation and AI-powered tools, which help perform automated, continuous testing and monitoring of controls, and gain insights into duplicate and redundant controls, patterns of under- and over-testing of controls, and more. These actionable insights are critical for optimizing the control environment and enabling better-informed and timely business decisions.
Efficient Regulatory Horizon Scanning
Today’s global organizations are required to be compliant with various laws, regulations, and standards from regulatory authorities worldwide. Given the rising number of new regulations and frequent regulatory updates, staying on top of the fast-evolving regulatory landscape has become extremely challenging. AI-powered tools help organizations simplify the process by regularly scanning the regulatory horizon to capture relevant updates and alert concerned personnel. These solutions further accelerate the compliance process by providing insights into the impacted policies, controls, and business functions.
Systematic Issue and Action Management
Technology-based solutions help streamline the capture, investigation, and resolution of non-compliance issues. They accelerate issue management and reduce the recurrence of issues through a closed-loop remedial action process. AI-powered capabilities can enhance the process by recommending how to categorize similar issues and by suggesting action plans based on past issues. Automatic alerts and notifications, delivered to the appropriate personnel, keep the process on track and ensure that every issue is taken through timely investigation and remediation.
Timely Reporting
Organizations need to regularly provide comprehensive reports to the board, regulators, investors, and other stakeholders to demonstrate their strong compliance posture. Technology-based solutions can standardize and automate the reporting process by enabling organizations to generate reports based on key compliance metrics and powerful dashboards that provide real-time visibility into the overall compliance status.
For a deeper dive into the key strategies that can help you avoid compliance fines, download our eBook “How Strong Is Your Compliance Program?”
MetricStream Compliance Management helps organizations adopt an integrated approach to ensure compliance with cross-industry regulations in a manner that minimizes redundancies and costs while strengthening visibility into compliance posture. It streamlines various compliance activities and processes, including:
Want to see it in action? Request a personalized demo today!
In 2022, the number of regulatory events monitored by Thomson Reuters across 190 countries was 61,228, equivalent to an average of 234 daily alerts. This is a staggering number, indicating not just the volume of regulations that companies have to keep pace with, but also the rate at which they are evolving. The risk landscape today is undoubtedly more complex than ever before, leaving regulators with no choice but to introduce new policies and modify existing ones to safeguard businesses and consumers. For organizations operating in highly regulated industries like healthcare, banking, energy, and financial services, keeping pace with regulatory changes is a significant challenge. For those that have capable and scalable regulatory change management practices in place, the concept of agile risk and compliance management extending into adaptable and effective resiliency strategies should be a natural progression.
Organizations today are navigating a tumultuous world. The risk landscape is constantly evolving, with new threats emerging every day, and businesses themselves are in a state of flux. An organization can have the best legal and compliance team and can educate its existing employees about regulations and compliance, but people leave and new people join every day, so awareness levels within the business are in constant flux, keeping compliance professionals on their toes. Regulations keep changing as well, adding another dimension to the challenges compliance teams face.
And to add to the complexity, many have come to realize that risks of all types are increasingly interconnected. As an example, COVID-19 started as a health and safety risk, but its impact on global business practices soon morphed into escalated IT compliance, cybersecurity, and privacy risks, extensions of compliance and behavioral risks, and third-party management risks. As borders closed, and production slowed, risks associated with shipping, transportation, and delivery delays grew, while the potential for bribery and corruption along the supply chain flourished. All of this required compliance programs to upscale and adapt, as well as build compliance resilience, standards, and expectations as challenges grew.
The scale and velocity of risks stemming from the initial healthcare challenges of COVID-19 accelerated much faster than many had anticipated. Now, many industries around the world are paying closer attention to internal and external risks of all sorts and seeking proactive clarity on them before they disrupt entire industries. Compliance practices are central to how any business manages the risks associated with, and stays aligned to, its values, practices, and regulatory environment.
Compliance risk and resilience strategies comprise two key elements, each a reflection of the other, like two sides of the same coin. Compliance risk program agility allows a business to quickly gauge a situation, risk, or compliance challenge and enact defenses, controls, policies, and issue management in response. A compliance resilience strategy is a predefined set of triggers, processes, people, systems, sequences, and measures designed to enable rapid recovery from a compliance failure or business disruption. Together, they define an organization’s ability to build programs that minimize compliance damage and enable as much recovery as possible with minimal chaos or disruption.
In most cases, a full risk and resiliency program necessitates a strategic shift from legacy compliance management practices that have been periodic and segmented. Too many compliance programs have traditionally conducted risk assessments monthly, quarterly, or even less often, and have separated functional roles within the department across teams and regions. Yet, in an interconnected risk environment, as we have today, this approach is no longer sufficient. Thankfully, many organizations are breaking down those silos today, and joining functions to create a single, integrated compliance approach that is unified, collaborative, and includes strategy, processes, and technologies. Especially where organizations in highly regulated industries may have held on to separate functional compliance departments, the urgency of a unified and strategic approach to compliance risk, remediation, and resiliency is clear.
At the same time, we see a greater focus on accountability for performance, awareness, informed decision making and reporting in compliance teams from stakeholders across the business and among global regulators. As within businesses, the risk events in the last few years have increased awareness of the importance of capable organizational risk and compliance management – and resiliency initiatives – across markets, governments, and global regulators. Therefore, it should come as no surprise that risk and resiliency management is becoming a more commonly regulated obligation. Many of these emerging and evolving risk and resiliency regulatory actions define specific program requirements, standards, structures, validation, and practices to ensure compliance teams are actively pursuing assertive, holistic, and adaptable risk and resiliency programs that can best weather evolving risks, events, and challenges.
A modern and resilient compliance function that aligns to emerging regulations includes a well-defined, well-executed, and agile risk management strategy that allows for program adaptation as risk factors change. It also necessitates defined roles, tasks, and robust, tested processes and measures in a resiliency program. To best centralize access to compliance-related information, controls, testing, and aggregate results, a technology platform that includes automated processes, data sharing and integration, and intuitive analytics is essential.
Awareness of current and anticipated changes to regulations is a critical element of an effective compliance program. An active regulatory change management program that provides horizon scanning (alerts on proposed and anticipated legislation) and change updates on relevant regulations helps a compliance program adapt to shifting market expectations, standards, and rules.
Further, compliance technology platforms often include advanced analytics capabilities that capture, curate, integrate, and interpret disparate and distributed relevant datapoints. They can enable the ability to draw usable insights from these data and ideally, use AI to recommend the most appropriate courses of action to reduce risk impact and recovery requirements. And to be truly resilient, a compliance management platform must ensure risk and resiliency automation and tracking, reporting, clear workflows and tasks, collaboration tools, controls and policies, and protocols that allow for the acceleration of any recovery processes. Ideally, an organization can acquire all of this in one cohesive platform that integrates with other enterprise systems like HRMS, that can facilitate new employee onboarding, training, and attestation, or ensure employees moving to different roles can stay updated on applicable regulations and their roles in ensuring compliance risk and resiliency effectiveness.
Most importantly, a compliance platform must provide a defensible and accurate system of record that can be accessed easily to demonstrate compliance processes, aberrations, exceptions, and approvals. This is invaluable during program audits and investigations.
Modern organizations exist in an evolving risk and compliance landscape. Agile and adaptable risk management and resiliency programs are no longer an option. As compliance program expectations escalate, building risk and resiliency programs defined by risk profiles, adaptable to ever-changing risk environments, and designed to trigger automated and proportionate responses is ideal. Technologies built specifically to enable adaptable compliance program effectiveness and efficiency, compliance risk and resiliency management, regulatory change management, and comprehensive reporting are available today to help organizations get ahead of emerging challenges, regulations, and organizational demands.
Learn how MetricStream’s BusinessGRC can help you achieve a connected, intuitive, and holistic approach to risk and compliance management. Leverage MetricStream’s Regulatory Compliance management to effectively manage a wide range of compliance requirements, including cross-industry regulations, regulatory engagements, cases, and surveys.
Request a demo now.
Find out more on how to master compliance in highly regulated industries.
In the fast-paced and ever-evolving business landscape, compliance has become a critical factor that can either propel organizations to success or leave them vulnerable to severe risks and penalties. However, the many challenges in compliance management (44% of organizations say their top compliance management challenges are handling compliance assessments, undergoing control testing, and implementing policy and process updates) often cause compliance to be viewed as a burdensome cost to the business or simply a checklist item to be ticked off.
In this blog, we debunk common myths about compliance, highlighting its true value and importance in today's dynamic business landscape.
Contrary to popular belief, compliance should not be viewed as a burdensome cost but as a critical component of business success, one that strengthens consumer confidence and helps mitigate risks before they materialize. While it does require investment in resources, time, and training, compliance ultimately helps businesses establish trust with stakeholders and safeguard their reputations. By adhering to regulatory requirements, organizations demonstrate their commitment to ethical practices and to the well-being of their customers and employees.
Effective compliance goes beyond being a mere item on a checklist. It encompasses valuable activities that help improve financial safety, protect assets, and drive growth and should be approached as an integral part of a company's operations, policies, and culture. Risk-based compliance programs are designed to identify, assess, and mitigate risks proactively, rather than simply fulfilling regulatory obligations. By adopting a comprehensive approach, businesses can prevent potential violations and drive sustainable growth.
Although compliance involves enforcing policies and procedures, it is not solely focused on penalizing policy violators. The primary objective of compliance is to be a guiding force focused on helping, training, and supporting employees by establishing a framework that encourages ethical behavior, promotes transparency, and prevents misconduct. It aims to create a culture of compliance where employees are educated, empowered, and motivated to make the right decisions.
While some organizations choose to prioritize compliance only during audits or regulatory exams, this approach is flawed. Compliance should be proactive, i.e., ingrained in the fabric of a company's operations and decision-making processes from the start. By being proactive, businesses can identify potential risks, implement appropriate controls, and continuously monitor compliance to prevent violations before they occur. This proactive stance ensures that compliance is an ongoing effort rather than a reactive response to external pressures or during times of crisis.
Compliance is an enterprise-wide endeavor. To establish an effective compliance program, collaboration across departments is crucial. Compliance should not be limited to a specific team or function; instead, it requires involvement and cooperation from all levels of the organization. By fostering a culture of compliance throughout the company, businesses can ensure that everyone understands their role in upholding ethical standards and meeting regulatory requirements.
Compliance works best when it is embedded in existing processes rather than bolted on as a separate activity, so that it becomes part of the organization’s DNA. When compliance is treated as a stand-alone process, it becomes disconnected from core operations and often fails to address the unique risks the organization faces. To avoid this, businesses should build compliance considerations into their day-to-day activities, policies, and procedures, aligned with the broader goals and values of the company.
Businesses are increasingly viewing compliance as a valuable tool that enhances efficiency, credibility, and long-term value creation. When compliance is approached as an enabler rather than a chore, it becomes intertwined with strategic decision-making processes—and can be integrated into business plans, product development, and operational activities.
MetricStream Compliance Management simplifies and enhances organization-wide compliance programs that govern your business, enabling you to navigate through a complex network of regulations and regulatory changes effortlessly. By aligning policies, standards, regulations, and controls, you can eliminate inefficiencies and unnecessary duplication. It also enables you to identify risks at an early stage and foster improved collaboration and communication across teams.
Want to learn more?
Download our new eBook: Why Compliance Matters Both in Good and Bad Times: 10 Steps to Build an Always-On Approach to Compliance
Cybersecurity and data privacy, ESG and climate change, operational resilience, artificial intelligence (AI): the focus areas of regulatory authorities worldwide keep growing in both number and scope as the risk landscape and stakeholder expectations evolve. Still, recent developments, innovations, and risks have seemed to outpace regulatory efforts. The good news is that this is starting to change.
In the past couple of months, we have seen significant regulatory activity around the world. From the US to the EU, the UK, Singapore, India, and beyond, authorities are relentlessly striving to establish the regulatory perimeters on cybersecurity, risk management, business continuity and operational resilience, ESG and sustainability, and other areas for critical industry verticals.
The spiraling number of high-impact cyber incidents in recent years, including the Colonial Pipeline ransomware attack, the SolarWinds hack, WannaCry ransomware, and the Microsoft Exchange Server hack, among others, has underscored the need for stringent cyber laws and regulations.
To secure the US digital ecosystem, the White House released the National Cybersecurity Strategy in March 2023, which focused on defending critical infrastructure, addressing threat actors, and strengthening resilience. It was closely followed by the Securities and Exchange Commission (SEC) proposing new cybersecurity rules for public/listed companies and other selected financial entities, which, if adopted, would require them to dramatically level up their cybersecurity risk management approach.
The proposed rules are likely the first of many to be aligned with the National Cybersecurity Strategy. Considering the acute focus on safeguarding critical infrastructure, other industry regulators are expected to soon follow suit.
[For a deeper dive, read the blog on SEC’s Proposed Rules on Cybersecurity Risk Management by MetricStream’s Agnishwar Banerjee.]
Unsurprisingly, the SEC noted that the “interconnectedness” of market entities amplifies cyber risk. A cyber incident at any organization can impact several other connected organizations, resulting in a systemic failure. This holds true for organizations operating in any industry. Businesses today operate as a complex ecosystem of third-party suppliers, technology providers, and partners, with growing digital dependencies.
Similar regulatory initiatives are also in the works in other countries. European regulators are focusing on strengthening the “digital operational resilience” of the financial services sector. In 2022, the European Council adopted the Digital Operational Resilience Act (DORA) to bolster the IT security of financial entities such as banks, insurance companies, and investment firms. The act applies from January 2025.
Likewise, in the UK, the supervisory authorities, namely the Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA), are focusing on critical third parties to the UK financial sector. In Discussion Paper DP3/22, the regulators laid out potential measures to strengthen the resilience of the services that critical third parties (CTPs) provide to the UK financial sector.
This is just the beginning. From the current focus primarily on financial institutions, soon there will be similar efforts for other industries and sectors – not just limited to public/listed companies but more comprehensive and inclusive of all participants.
And it is not just IT and cyber: businesses across industries and geographies are bracing for a regulatory deluge on multiple fronts, including diversity, equality, and inclusion (DEI), ESG and climate change, cryptocurrency regulation, AI regulation, and many more.
Which brings us to the question – Are you prepared?
According to a recent Ponemon Institute study, the average annual cost of non-compliance is around $14.82 million. The ever-increasing number of regulations and regulatory updates warrant a technology-driven approach to compliance. The regulatory change management process – scanning the regulatory horizon, capturing the latest updates, analyzing the impact on internal policies and controls, identifying and remediating issues, reporting, and more – is a continuous process and requires a continuous approach. Think automated compliance, if you will.
Carrying out these processes manually is not only labor- and time-intensive but also error-prone. Today, organizations can leverage tools and technologies that perform these tasks more efficiently and accurately, freeing teams to focus on areas that require human expertise. By facilitating an integrated, centralized approach through seamless mapping of regulations to organizational processes, business units, controls, assets, policies, and so on, these software solutions provide contextual information in a timely manner and help accelerate the compliance process.
The time to act is now. Including compliance and regulatory change management in the organizational digital transformation strategy is a must today. Businesses need to identify compliance areas and processes that could be automated to improve efficiency, relieve the burden on overwhelmed compliance teams, and enhance preparedness for the next and future wave of regulatory changes.
We understand the importance of demonstrating strong compliance for building trust and confidence with the board, customers, regulators, and other stakeholders. We also understand how organizations can leverage technology as an enabler of compliance automation and resilience. MetricStream Compliance Management and Regulatory Change Management products are purpose-built to help organizations stay on top of evolving compliance requirements.
To learn more about MetricStream Regulatory Change Management, request a personalized product demo.
The cost of non-compliance is rising. In a recent study, the Ponemon Institute found the average cost of non-compliance to be around $14.82 million per offending business. And while the practice of compliance continues to expand, organizations are finding that they cannot afford to rely on a traditional approach to compliance. Many organizations run two overlapping compliance practices. Corporate compliance focuses on conduct at the organization: creating, distributing, training on, and obtaining employee (and third-party) attestation to a code of conduct, behavioral policies, and relevant processes and procedures. Regulatory compliance focuses on organizational alignment with applicable regulations, standards, and frameworks. Best practices in both are essential to a well-run business. Yet changes in compliance expectations, in compliance’s position within an organization’s approach to holistic risk management, and in the influence well-run compliance programs can have on business success are driving changes in those best practices.
Globally, the narrative is gradually shifting from simply managing compliance requirements and meeting obligations to building dependable programs that deliver organizational compliance resilience. But what does that mean?
Compliance resilience refers to the ability of an organization to weather rapid changes and respond to them without compromising the compliance function or the integrity of the business. These changes could be either external to the organization, such as regulatory updates requiring recalibrating of regulatory requirements and obligations, or internal to the organization, such as changes in business practices – working from home or the office – changes in personnel, partnerships, and processes, that challenge compliance norms.
According to Thomson Reuters’ Cost of Compliance report, financial services firms across 190 countries saw an average of 246 regulatory alerts every business day in 2021. This equated to more than 64,000 alerts annually, marking the second-highest annual volume of regulatory alerts since 2008. Keeping up with this flurry of regulatory updates is no ordinary feat and requires a multi-pronged approach. Here, compliance management technology plays a key role.
Establishing a systematic process for staying on top of pending regulatory changes is essential for boosting agility in compliance management and strengthening compliance resilience. Awareness of legislation and regulations in development helps organizations anticipate and prepare for changes. For example, it is not uncommon for one regulatory body to release an update only to be followed by another agency with similar jurisdiction and stricter demands. A business that is aware of the proposed legislation can adapt its program to the anticipated stricter code once, rather than having to adapt its approach twice. Tracking relevant regulatory developments from around the world, across hundreds of jurisdictions and thousands of regulatory authorities, is a daunting task. A manual approach will inevitably result in a growing backlog of regulatory alerts that need further analysis, increasing the probability of human error and compliance violations. It also makes it challenging to consolidate compliance data from different business units and geographies and to compare trends across assessment periods.
A number of solution providers offer regulatory horizon scanning capabilities: tools that regularly scan the regulatory environment (government and regulatory bodies, enforcement agencies, supervisory authorities, and so on) for updates, then capture and relay them to the relevant personnel in a streamlined, automated manner. This saves the compliance team considerable time and effort, which it can instead spend analyzing each regulatory alert and assessing its impact.
Learn how a Leading UK Financial Institution is leveraging MetricStream’s integration with CUBE to identify, capture, and manage regulatory changes in a simple and automated manner. Click here.
Software designed to streamline regulatory change management can reduce the time and resources required to ensure the organization is aware of, identifying, and aligning to evolving regulatory requirements. AI tools that identify applicable regulations, curate them so that only relevant regulations are reviewed, and extract requirements from those regulations can save even more resources, time, and cost. Systems that establish a centralized repository mapping regulatory requirements to organizational risks, controls, processes, and policies help accelerate the process. Software that identifies the specific sections of policies impacted by a regulatory update saves significant effort and allows for a more adaptable, agile, and resilient compliance approach.
Effective obligation management, i.e., identifying, extracting, and meeting compliance obligations from regulations, contracts, policies, etc., is essential to strengthening compliance resilience. Given the sheer volume and complexity of regulatory requirements, and the tendency for the actual obligations to be buried within large documents, organizations can no longer justify manual methods. AI-powered capabilities and automation enable organizations to quickly and easily identify and extract the relevant obligations from the relevant regulations at scale, tagging, classifying, and surfacing them for a faster, easier, and more accurate review.
AI-driven obligation management is a game changer for many, with an ability to accelerate regulatory change management processes and accuracy immeasurably. And an easily and rapidly aligned organization is going to be able to adapt to changes in compliance requirements with less effort.
It is imperative for organizations to proactively manage compliance risks, i.e., the risk of non-compliance with regulations, frameworks, and standards, which can jeopardize an organization's financial standing, legal position, and brand reputation. To improve compliance posture and resilience, organizations need to continuously assess compliance risks and mitigate them in a timely manner.
Performing a compliance risk assessment requires identifying the relevant federal, state, and local regulations, determining whether internal controls and policies comply with the identified regulatory requirements, identifying any gaps, and taking the necessary risk mitigation steps. In addition, it is critical to draw continually on cross-industry best practices to enhance the organization's compliance risk assessment and to manage compliance expectations effectively.
Software solutions can streamline the entire process with well-defined workflows, from creating surveys to reviewing, approving, and distributing them, and collaborating with the various business units and teams to gather and update responses. Technology-based solutions not only save time and effort but also enable organizations to manage compliance risks proactively and to prioritize risk mitigation efforts effectively, ensuring optimum allocation of resources.
The centerpiece of implementing a compliance program and executing its workflows is the compliance team. From the chief compliance officer (CCO) to compliance managers, analysts, and associates – everyone plays a crucial role in strengthening compliance resilience. Organizations need to properly define and document the roles, responsibilities, and accountabilities of each compliance team member; provide comprehensive training on the laws, regulations, and company policies that apply to their day-to-day responsibilities; and ensure seamless collaboration within the team and externally with risk, security, and other functions. It is also critical to have a business continuity plan in place – the course of action if a team member becomes unavailable, expectedly or unexpectedly, due to retirement, a departure from the firm, management restructuring, etc. While well-documented standard operating procedures (SOPs) definitely help, organizations must also deliberately encourage a culture in which people are prepared to perform at the next level. Mentorship programs can help employees step into the shoes of a senior team member if need be.
Anti-corruption and competition laws, data and privacy regulations, prevention and control of fraud, cybersecurity regulations, anti-money laundering (AML) and counter-terrorist financing (CFT), sanctions policies, ESG regulations, and more – the list goes on. Regulatory scrutiny and oversight will only amplify going forward, making it exceptionally challenging for organizations to build trust and credibility with regulators, particularly in the uncertain business environment. It underscores the need for building compliance resilience in line with business goals and objectives.
Companies that fail to broaden their outlook and approach face greater possibilities of penalties, litigation, loss of contract, negative publicity, loss of reputation, and in some cases, complete corporate collapse. Organizations need to create an environment that reflects transparency and efficiency in the management of regulatory requirements and obligations. Compliance resilience – centered around the principles of proactive and agile approach and business continuity – can empower organizations to withstand internal and external changes.
Last year, just when summer was abruptly ending, I decided to buy a bike. The timing could not have been worse. At best I accomplished one week of what I classified as proficient riding, and that was navigating a flat path, as anything else in my vicinity would have been uphill and painful.
A week later I locked my bike up in a well-weathered shed that had a secure padlock. If anyone wanted my bike, they would have had to break the padlock.
I am reminded of this story because I recently had a conversation with the head of a security and risk management division, who told me that not that long ago, to secure your documents you would physically place them in a filing cabinet, put a key in, turn it, and lock it. Job done.
Well naturally this still exists, but now we have more secure, efficient, and quicker ways to safeguard documents and data. The advances of digitalization have brought us so many reasons to be cheerful. Look how we can work remotely, store terabytes of files in one click, and send relevant photos, media, and documents across the world in seconds.
Just to set the record straight: when I say things have become more secure, it depends on who you ask! Cyber security is all the rage and making front-page news in national papers. It's not just companies that need to secure themselves; even countries are worried about their IP domains and distributed denial of service (DDoS) attacks. Networks, organizations' infrastructure, passwords, and even mobile devices have to be ringfenced against these attacks. The stakes are high, and the risk, whether systemic or reputational, has to be managed.
Recently, MetricStream partnered with the International Compliance Association (ICA) on a webinar titled: Best Practice Guide: How to Tackle Cyber Risk as a Compliance Professional
I was fortunate to be part of this discussion.
Some of the topics we delved into were:
It's great to see how innovation and technology can help solve so many problems. Unfortunately, there is a darker side. There are cybercriminals trying to steal your online data and cause as much havoc as possible. Managing this is not just a job for CISOs or CROs; it falls to all teams, including compliance professionals.
Cybercriminals may try a thousand times to infiltrate the same organization and unfortunately, it takes only one attack to be successful, and if you are breached, the results are catastrophic and you will have to re-think your entire business and cyber strategy.
There is a significant difference between information security and cyber security: the former protects your classified information, whereas the latter is a component of information security that protects your networks and computer systems. You need to be in control of both.
Another cybercrime that has dominated the headlines recently is ransomware. It is the most profitable form of cybercrime, and with the current geopolitical landscape, cyber-attacks and ransomware are dominating the Eastern European region and the world stage.
Organizations need to show their customers that their data is secure. Being compliant is important to give your customers confidence that you are protecting their data, but it is not the same as being cyber secure. By understanding your risks, mitigating the risks that matter to you, and transferring the residual risks, organizations can start to make and prioritize decisions based on their own risk profile. Compliance professionals should be connecting with cyber and security professionals, because in real terms the cost of compliance continues to rise; and if you think compliance is expensive, try non-compliance!
Companies don't have to work this out in isolation, and using spreadsheets to manage it will not give you the breadth, depth, or real-time view that you need. To really get in front of risk you need a governance, risk, and compliance (GRC) solution with a federated data model: whether organizations need to understand their ESG score, their cyber threat vulnerabilities, or their risk quantification, they can have one amalgamated solution that is connected and seamless. They can thrive on risk!
Every organization will be at a different stage in its cyber maturity and development, but what if you could actively manage cyber risk through an IT and cyber risk and compliance framework that aligns with established security standards, so that you can pass IT audits more efficiently and obtain buy-in from top management?
MetricStream is here to help you with pre-packaged content and industry frameworks such as ISO 27001, NIST CSF, and NIST SP 800-53. We can map policies to IT controls and policy exceptions so you can be set up for success. You can learn more by visiting our website or booking a demo.
The compliance professional is so much more than just compliance; they hold the integrity of the client's data as well as the ethics of the organization. In many ways, we must go back to basics. Having a solid governance structure that considers your third-party risks and builds a threat intelligence framework is critical.
“Don’t forget it takes years to build a reputation and a few minutes of a cyber-incident to ruin it.” Stay safe.
In my next blog I will discuss what cyber means for the resilience of an organization and how you need to think three or four steps ahead of the game.
This blog is part of the Instagram of Risk Blog Series, authored by Suneel Sahi, VP, Product Marketing at MetricStream, which captures discussions and insights trending in the risk community.
At the recent European Compliance Week event, as well as interviewing compliance professionals, I was fortunate enough to moderate a panel session. Below are the highlights of my discussions.
In the wake of such a devastating pandemic, one that arrived so quickly and unfortunately continues to mutate, compliance professionals were catapulted into the limelight by proactively updating compliance programs. For this to work, there needed to be clear communication, outstanding cross-functional cooperation, and a strong element of business resilience.
Successful compliance departments create an environment where the right channels are fostered and compliance policies, including the overarching code of conduct, are regularly updated.
Organizations have found it challenging to track third-party vendors, who, although they can be strategic partners and play a pivotal role in an organization's supply chain, still need to be managed carefully. Compliance assessments, control testing, and policy and process updates have all been challenging at a time when remote working is a permanent fixture for millions of us.
Compliance teams have shown agility. They are pushing for C-suite representation and asking for support to cope with the stress and additional work burden.
CEOs have to steer the ship and address the pressures of results and the overall performance, but what is equally important is promoting the right culture. Although it might start from the top, all employees need to take responsibility. Compliance and the value associated with it should not be sidelined. It needs strong representation and respective departments should stay close to their compliance teams.
The compliance lens needs to marry up with the commercial lens. Once you show commercial benefits, you have senior management buy-in. Again, a point that is strongly correlated with fostering the right culture and promoting the right conversations.
Compliance officers need to recognize the organization’s business needs and challenges. They should take an interest in their colleagues’ priorities and build relationships (even if it needs to be done remotely).
Data is of particular concern. Today, companies gather, create, and store an eyewatering amount of it. Most probably, this data will be saved for a rainy day. However, without the right technology, data can do more harm than good. Technology has the prowess to identify, manage, and evaluate the data so strategic decisions can be executed.
The importance of technology has taken center stage. We are in a phase where agility and adaptability are strong contenders to disrupt the old ways of thinking. Implementing the right technology does not take as long as you think. Organizations are recognizing the rationale for a solution that works for them, whether to replace their existing technology or to supersede their in-house functionality. Compliance teams need structure: they need to understand the ever-changing regulatory environment, demonstrate how policy management will influence their markets, and provide solutions for observations and whistleblowing.
Companies that adopt, implement, and embrace the right technology will see significant improvements across the spectrum and align their business objectives with their compliance needs.
Examples of where technology has helped these teams include:
With an increase in business risk, social unrest, and climate change, compliance is not an easy task, and without fully digitized platforms and processes, organizations may be left behind.
As we step into a new year, there are several points for consideration:
To build effective compliance programs, organizations need robust, automated compliance tools that make it easier to identify and manage regulatory changes, assess and test controls, and improve visibility into compliance across the enterprise. With the right technology, processes, and teams, organizations can transform compliance into a strong competitive advantage, strengthening trust and credibility with stakeholders, customers, and regulators.
“Life is either a daring adventure or nothing at all.” Compliance officers, you are doing a great job.
Check out Suneel's other ‘Instagram of Risk’ blogs on the key takeaways from the Chartered Institute of Internal Auditors event in London and the Oct 21 MetricStream GRC Summit held in London, Copenhagen, and Zurich.
Talk about round trips. In the same week as a very successful 2021 virtual GRC Summit on the 19th and 20th of October, where MetricStream had over 2,500 customers, prospects, and partners registered to learn, participate, and share their experiences around GRC, IRM, and everything in between, we decided to host three physical summits in London, Copenhagen, and Zurich to continue the conversations with our community.
All three locations had a boardroom-style setting dedicated to a round table discussion. The aim was simple: we would listen to what our community had on their minds. It was an opportunity to find common synergies, lead round table discussions, and network with senior risk professionals who are paving the way in this industry.
With representation from risk, compliance, audit and IT Cyber, the discussions were captivating, and the commentary was electric.
The first of the events started off in London, and we had a great mix of customers, partners, and prospects around the table.
Our CEO, Bruce Dahlgren, introduced the session, and it was an engaging group that shared their thoughts and concerns around the current themes and trends.
Alongside the presentations, our partners gave a short speech on the success of collaborating with MetricStream to provide business benefits for our risk community. What followed was an insightful roundtable discussion that covered risk quantification, cyber security, and the need for organizations to lead with purpose.
It did not take long for ESG to make an appearance, and quite rightly so. With COP26 on the agenda and the link to compliance, organizations that have a purpose and are aligning to social governance, diversity, and climate change are setting a precedent. MetricStream recently launched the ESGRC product, which enables organizations to define and manage ESG standards, frameworks, and disclosure requirements. There was a lot of excitement about this in the room.
Emerging risks and third-party risks were explored in detail. With recent supply chain disruptions, it became even more apparent how peripheral risks had to be managed.
Dinner followed, and the conversations (like the wine) continued flowing. It was delightful to see customers connecting with customers. It was evident that they all thrive in this environment and that it was clearly something they had sorely missed over the last 20 months.
We settled in for another topical roundtable discussion, where thoughts and real-life examples of how technology is an enabler in the GRC space were deliberated. In some instances, the dialogue went back and forth. One example of this was the observation that the concern organizations face with risk is not always a technology one, but more a transformational project that the organization needs to resolve. Accompanying this was the remark that there are inconsistencies in risk terminology across industries, which fuels part of the problem. It was also surprising (to me) to learn that there are still so many organizations using spreadsheets to manage their risk. This was their default way to identify, monitor, and track risks, even though they knew it was not sustainable, efficient, or scalable.
The need for AI and ML to automate risk attributes was the next topical point. The comment was made that AI techniques recognize patterns and trends to help alleviate the pain, time, and missing information that humans cannot always detect; but how do you know that the AI is doing the right thing? This conversation continued into the evening, accompanied by food and drinks.
And finally, concluding the week in Zurich, we had another full house with an engaging group that deliberated on how they could start a community of risk or, as was suggested, the “Instagram of risk”. There were discussions around risk culture, accountability, accurate data, and mindset. Some customers admitted that it was quite possible to get lost in the data, and that what they require is speed, agility, and most of all simplicity. A comment was made that you could spend all your time managing documents and not the risk. Another noted that because change management sits in all departments, including HR and legal, it can be a challenge for larger organizations to bring it all together. Crypto also made it into the discussion, with a notable mention that new risks have no historical data to base them on.
Visibility and accountability were front of mind in the discussions, and a common theme that was mentioned was on reporting risks up to the board of directors and the role of the board in risk governance.
MetricStream presented five current trends that we are observing in the industry and five innovation themes in which we are leading the way (API, AI, Adoption, Agility, and Analytics).
By bridging the gap and driving value for the community, MetricStream's purpose is to continue to add value and innovate alongside our community. We want the community to thrive on risk and reap the rewards of a GRC journey that, like a good bottle of wine, gets better with age.
Until the next summit.
I recently had the privilege of sitting down with Tom Fox. Tom is the author of the award-winning FCPA Compliance and Ethics blog and of 18 best-selling books on compliance, including the just-published 2nd Edition of the Compliance Handbook, and publisher of the Compliance Podcast Network – the only network of podcasts for compliance leaders. A renowned expert across all aspects of compliance – corporate, regulatory, ESG, you name it – he's known by the well-earned names “the Compliance Evangelist” and the “Voice of Compliance.”
As we all contemplate what’s next as we recover from the pandemic, navigate multiple regulations, and adapt to the ever-changing demands of our organizations, I asked Tom his thoughts on what’s trending in compliance today and tomorrow. As always, he had thought-provoking insights to share, including:
Here’s a lightly edited transcript of our conversation. Thank you, Tom!
TF: Let’s speak about both compliance and risk management. I started a podcast last year called “Compliance and Coronavirus” because I really wanted to focus on what the COVID-19 pandemic meant for people in our profession and really everyone in the corporate world.
Probably the two most propitious things I learned in that series of about 50 podcasts were: one, a gentleman said, I think in October, “We've had five years of change in six months of coronavirus.”
The second was the risk management part, where another guy said, “We've gone from disaster recovery to business continuity to businesses as usual.” Now the risk management world is business.
You have to prepare for risks from a worldwide pandemic to the Suez Canal being shut down, to riots at the U.S. Capitol, and everything in between. That’s just business now.
So, the types of services that you and I bring to the compliance community have only become more important in all of the things that we used to talk about. They are exponentially more important now. So that's part one, but part two is where is all of this going down the road? And that part is largely around data and the use of data.
In June 2020, the Department of Justice released an update to the Evaluation of Corporate Compliance Programs. And for the compliance professional, they specifically said a couple of very important things.
And -- your risks are going to change. You must put a risk management model in place and then you monitor that risk, all the time. And the data that you garner from that monitoring is looped back into your risk management solution through an ongoing/continuous approach to risk management -- risk assessment, continuous monitoring, continuous improvement-- all tied by data.
Everyone -- from the compliance professional to the risk management professional -- now has to utilize data to manage risks. That's how business is going to survive and thrive going forward.
TF: Probably one of the most ubiquitous phrases from 2021 has been ESG. I think that sits directly in the compliance wheelhouse. Also, the chief compliance officer is uniquely suited and situated to lead a corporate ESG effort.
Certainly, for each one of the letters in the ESG -- environmental, social, and governance -- compliance is well-suited to own it because it's putting policies and procedures in place. It's monitoring those policies and it's getting measurements from that monitoring and reporting.
And that's just one area from the regulatory sphere. The U.S. Securities and Exchange Commission (SEC) has made it clear that they expect companies to not only have ESG programs in place, but also report on those programs accurately. That is not only a regulatory requirement that could lead to regulatory enforcement, but would also help to meet investor expectations, stakeholder expectations, shareholder lawsuits, and everything in between.
The second perhaps most ubiquitous phrase is SPACs: Special Purpose Acquisition Corporations. Those are utilized to take a privately held company and make it public. But it's different than the typical IPO process, where you go 12 to 18 months, you have regulatory approval, you have filings with the regulator, you have investors like you, and may have the opportunity to review those filings to determine if we want to invest in it. And you have an opportunity to put your Sarbanes-Oxley or SOX controls in place.
When you're a SPAC, you don't have an 18-month run-up. You have “today's Tuesday, tomorrow's Wednesday. Go!” You now have all the obligations of a U.S. public company. Are your internal controls in place? Are they effective? Have you tested them? The answer is no.
It’s incredibly important for the risk management professional to think about those things. And if you think you may be acquired by a SPAC you have to be moving towards those.
Those are just a couple of areas where the regulators have made clear that they are going to look at SPACs very closely. If on the day you become a U.S. public company you don't have Sarbanes-Oxley 404 controls in place, the SEC may take a very dim view of that. And certainly, you open yourself up to potential investor and shareholder lawsuits.
But I think that as important as those are, they actually pale beside public opinion. And I think the greatest danger to a corporation now, certainly from a financial perspective, is negative publicity.
The social amplification and speed of social media make it mandatory that you have policies and procedures in place to detect anything and then prevent it. And if not remediate as quickly as possible, then at least be able to communicate that to all of the stakeholders that are now seen as a part of a corporation.
TF: In the past, I’ve always said the three most important things are: document, document, document.
I've amended that out to data, data, data.
You need to have a data expert, a data scientist, or someone who can work with data on your compliance team because either you're going to have to work with the data or more importantly, have someone who can work with the data. You can help shape the story that the data tells.
As the chief compliance officer, you can certainly see the trends, but you have to be able to work with data. If you don't have that training and you can't really pick up those skills in this part of your professional life, you're going to need to bring those skills into your compliance program.
I see compliance really moving towards a business process and a business function. And that means data and using data to determine if a potential violation is on the horizon and using that same data to tell your story to all of the stakeholders of a corporation--your shareholders, your employees, your third parties, those who you do business with, localities where you may be doing business.
And most importantly, if the government comes knocking, that's where the “document, document, document” part comes in because you can tell your story to the government as well.
TF: Well, about a year ago, I was contacted by LexisNexis, the preeminent legal publisher in the United States and the world. I was very honored that they selected me to be their first author to lead the compliance library that they make available. I'm extraordinarily pleased to announce that in June LexisNexis published my latest book, the 2nd Edition of the Compliance Handbook.
I'm going to continue to grow the Compliance Podcast Network. We’ll have 70 podcasts on the network by the end of summer and I'm looking to grow the network. The thing I love about podcasting is I get to interview the top experts in every form of compliance: IT compliance, HR compliance, anti-corruption compliance, AML compliance, environmental compliance, you name it. I've learned so much by interviewing people.
So, I'm going to continue to learn and grow and hopefully be a resource to the compliance community going forward.
Thanks, Tom, for sharing your insights about what’s now in compliance – and what’s next. To learn more about Tom, visit his Compliance Podcast website.
What's happening with risk management and compliance professionals as they manage today's vast wave of changes – from increased regulatory pressures to a skyrocketing volume of legislation to master? How are they managing what's next in the COVID-19 era?
To understand the current state of compliance programs and processes as well as the impact of the pandemic on compliance management, MetricStream conducted a comprehensive survey of compliance professionals across industries and geographies.
We learned a lot, including:
Managing third-party risk compliance is a huge challenge. Nearly half -- 48% -- of organizations found it challenging to track third-party compliance while 44% stated that their biggest challenge was to manually conduct compliance assessments.
Staying ahead of regulatory changes remains a key issue. Regulatory authorities worldwide keep their regulations current to protect the interests of businesses, customers, and other stakeholders, leaving businesses to cope with a tsunami of ongoing changes. As just one example, banking sector companies alone cope with an average of 220 regulatory alerts a day, compared to just 10 back in 2004.
In the survey, we found that 76% of compliance managers manually scan regulatory websites to track changes and assess their impact on the business. That’s neither efficient nor effective – how can you possibly keep up?
Engaging the front line is essential. 57% of respondents said that they engage with the frontline to respond to queries related to policies, regulations, processes, and controls. Frontline employees are the eyes and ears of the business and can often spot important trends and risks before the rest of the business. It’s encouraging that more than half are incorporating frontline feedback – a trend we hope to see continue.
The use of technology is not yet where it needs to be. Just 19% of organizations use standalone compliance management platforms. That's shockingly low! And only 19% of respondents said they use compliance management software as a component of a larger GRC platform – implying that 80%+ are not managing compliance in a consistent, integrated way.
Combined with the manual scanning for regulatory changes, we're seeing a key theme: automation and technology drive effectiveness and free valuable resources for strategic work, yet so few are taking advantage of them. There is work to be done. Enhancing regulatory and internal compliance assessments and improving employee awareness with more compliance training emerged as the top future priority areas. Training is key to creating a culture of compliance and coping with today's fast-changing demands. Unless combined with more strategic technology, however, it is not enough.
In the words of the report: “As the world gears up for a post-COVID economy, organizations must also focus on fully integrated technology platforms that can automate and improve compliance with an ever-evolving regulatory framework. The post-COVID future will bring about greater uncertainties and greater changes in regulations and organizations must prepare for this now.” Only by getting ready now will we be empowered for what’s next.
To navigate today’s regulatory landscape efficiently and effectively, organizations need to embrace digitization and automation. Technology-based compliance management solutions can help streamline and automate the entire process—establishing a centralized repository of regulatory obligations and mapping them to policies, risks, controls, and processes; identifying, tracking, and analyzing regulatory changes; identifying and prioritizing high-risk areas; creating, updating, and aligning policies; managing various regulatory engagement activities, and more.
[Read more: 3 Best Practices for a Proactive Approach to Compliance (eBook)]
MetricStream can help you power what’s next. We offer a comprehensive suite of products and solutions to help organizations streamline and simplify both regulatory and corporate compliance. The products help structure and streamline various aspects of the compliance function, enhancing overall efficiency. With automated workflows, analytics, and dynamic dashboards, MetricStream products and solutions deliver real-time visibility into the compliance posture of the organization.
Here’s a case in point: A leading health insurer was seeking to integrate all regulatory compliance processes so that the insights that ultimately rolled up to the senior management and board would provide a complete, accurate, and real-time view of enterprise-wide compliance. It embarked on a GRC journey with MetricStream and implemented an integrated GRC solution beginning with compliance issue management, followed by compliance risk management, policy management, case management, and audits. Today, an efficient and standardized compliance program is in place with timelier visibility into risks and other areas of concern.
[Read more: Leading Health Insurer Integrates Regulatory Compliance Efforts, Saves Time and Costs (Case Study)]
What’s next is never sure – but what’s certain is that what got us here won’t move us forward. The compliance function must adapt, automate, streamline, and collaborate with technology to power the future and turn risk into a strategic advantage.
Read more of what the compliance professionals had to say in the State of Compliance report.