
What Compliance Isn't: Debunking 6 Common Myths

What is Compliance
4 min read

Introduction

In the fast-paced and ever-evolving business landscape, compliance has become a critical factor that can either propel organizations to success or leave them vulnerable to severe risks and penalties. However, the many challenges in compliance management (44% of organizations say their top compliance management challenges are handling compliance assessments, undergoing control testing, and implementing policy and process updates) often cause compliance to be viewed as a burdensome cost to the business or simply a checklist item to be ticked off.

In this blog, we debunk common myths about compliance, highlighting its true value and importance in today's dynamic business landscape.

6 Common Myths About Compliance

  • Myth: Compliance is a Burden to the Business 

    Contrary to popular belief, compliance should not be viewed as a burdensome cost but as a critical component of business success that strengthens consumer confidence and helps mitigate risks before they materialize. While it does involve investments in resources, time, and training, compliance ultimately helps businesses establish trust with stakeholders, mitigate risks, and safeguard their reputations. By adhering to regulatory requirements, organizations demonstrate their commitment to ethical practices and ensure the well-being of their customers and employees. 

  • Myth: Compliance is Just Another Checklist Item 

    Effective compliance goes beyond being a mere item on a checklist. It encompasses valuable activities that help improve financial safety, protect assets, and drive growth and should be approached as an integral part of a company's operations, policies, and culture. Risk-based compliance programs are designed to identify, assess, and mitigate risks proactively, rather than simply fulfilling regulatory obligations. By adopting a comprehensive approach, businesses can prevent potential violations and drive sustainable growth. 

  • Myth: Compliance is an Internal Policing Mechanism 

    Although compliance involves enforcing policies and procedures, it is not solely focused on penalizing policy violators. The primary objective of compliance is to be a guiding force focused on helping, training, and supporting employees by establishing a framework that encourages ethical behavior, promotes transparency, and prevents misconduct. It aims to create a culture of compliance where employees are educated, empowered, and motivated to make the right decisions. 

  • Myth: Compliance is a Reactive Exercise 

    While some organizations choose to prioritize compliance only during audits or regulatory exams, this approach is flawed. Compliance should be proactive, i.e., ingrained in the fabric of a company's operations and decision-making processes from the start. By being proactive, businesses can identify potential risks, implement appropriate controls, and continuously monitor compliance to prevent violations before they occur. This proactive stance ensures that compliance is an ongoing effort rather than a reactive response to external pressures or during times of crisis. 

  • Myth: Compliance Belongs to a Single Team 

    Compliance is an enterprise-wide endeavor. To establish an effective compliance program, collaboration across departments is crucial. Compliance should not be limited to a specific team or function; instead, it requires involvement and cooperation from all levels of the organization. By fostering a culture of compliance throughout the company, businesses can ensure that everyone understands their role in upholding ethical standards and meeting regulatory requirements. 

  • Myth: Compliance is a Stand-Alone Process 

    Rather than being bolted on to existing business functions, compliance works best when it is made part of existing processes so that it becomes part of the organization’s DNA. Integrating compliance seamlessly into existing business functions is essential for its effectiveness. When compliance is treated as a stand-alone process, it becomes disconnected from the core operations and often fails to address the unique risks faced by the organization. To overcome this, businesses should incorporate compliance considerations into their day-to-day activities, policies, and procedures, aligning them with the broader goals and values of the company.

Position Compliance as a Strategic Enabler with MetricStream

Businesses are increasingly viewing compliance as a valuable tool that enhances efficiency, credibility, and long-term value creation. When compliance is approached as an enabler rather than a chore, it becomes intertwined with strategic decision-making processes—and can be integrated into business plans, product development, and operational activities.

MetricStream Compliance Management simplifies and enhances organization-wide compliance programs that govern your business, enabling you to navigate through a complex network of regulations and regulatory changes effortlessly. By aligning policies, standards, regulations, and controls, you can eliminate inefficiencies and unnecessary duplication. It also enables you to identify risks at an early stage and foster improved collaboration and communication across teams.

Want to learn more?

Download our new eBook: Why Compliance Matters Both in Good and Bad Times: 10 Steps to Build an Always-On Approach to Compliance

Request a demo now!

Mabel M Jesudian Manager – Content Marketing

Mabel M Jesudian, Manager – Content Marketing at MetricStream, works closely with the product and digital marketing teams to create compelling content and actionable marketing assets that help drive conversations. Mabel has over 13 years of experience with leading marketing communication and PR agencies where she crafted engaging narratives for diverse B2B and B2C clients. She holds an M.A. and M.Phil. in English and Communication from the University of Madras. In her spare time, she loves to read fiction and try her hand at new dishes.


Incoming! Are You Prepared for What’s Next in Regulatory Compliance?

4 min read

Introduction

Cybersecurity and data privacy, ESG and climate change, operational resilience, artificial intelligence (AI), and so on. The focus areas of regulatory authorities worldwide are constantly growing both in number and in scope with the evolving risk landscape and stakeholder expectations. Still, recent developments, innovations, and risks seem to outpace regulatory efforts. The good news is that this is starting to change now.  

In the past couple of months, we have seen significant regulatory activity around the world. From the US to the EU, the UK, Singapore, India, and beyond, authorities are relentlessly striving to establish the regulatory perimeters on cybersecurity, risk management, business continuity and operational resilience, ESG and sustainability, and other areas for critical industry verticals.  

Cyber Risk and Financial Sector: Top Focus Areas

The spiraling number of high-impact cyber incidents in recent years, including the Colonial Pipeline ransomware attack, the SolarWinds hack, WannaCry ransomware, and the Microsoft Exchange Server hack, among others, has underscored the need for stringent cyber laws and regulations.  

To secure the US digital ecosystem, the White House released the National Cybersecurity Strategy in March 2023, which focused on defending critical infrastructure, addressing threat actors, and strengthening resilience. It was closely followed by the Securities and Exchange Commission (SEC) proposing new cybersecurity rules for public/listed companies and other selected financial entities, which, if adopted, would require them to dramatically level up their cybersecurity risk management approach.

The proposed rules are likely the first of many to be aligned with the National Cybersecurity Strategy. Considering the acute focus on safeguarding critical infrastructure, other industry regulators are expected to soon follow suit.

[For a deeper dive, read the blog on SEC’s Proposed Rules on Cybersecurity Risk Management by MetricStream’s Agnishwar Banerjee.]   

Unsurprisingly, the SEC noted that the “interconnectedness” of market entities amplifies cyber risk. A cyber incident at any organization can impact several other connected organizations, resulting in a systemic failure. This holds true for organizations operating in any industry. Businesses today operate as a complex ecosystem of third-party suppliers, technology providers, and partners, with growing digital dependencies.   

Similar regulatory initiatives are also in the works in other countries. European regulators are focusing on strengthening the “digital operational resilience” of the financial services sector. In 2022, the European Council adopted the Digital Operational Resilience Act (DORA) to bolster the IT security of financial entities such as banks, insurance companies, and investment firms. The act will come into force in January 2025. 

Likewise, in the UK, the supervisory authorities – the Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) – are focusing on critical third parties in the UK financial sector. In discussion paper (DP) 3/22, the regulators have laid out potential measures to strengthen the resilience of the services that critical third parties (CTPs) provide to the UK financial sector.

This is just the beginning. From the current focus primarily on financial institutions, soon there will be similar efforts for other industries and sectors – not just limited to public/listed companies but more comprehensive and inclusive of all participants.  

And it is not just IT and cyber: businesses across industries and geographies are bracing themselves for a regulatory deluge on multiple fronts – diversity, equality, and inclusion (DEI), ESG and climate change, cryptocurrency regulations, AI regulations, and many more.

Which brings us to the question – are you prepared?

The Answer Lies in Technology and Automation

According to a recent Ponemon Institute study, the average annual cost of non-compliance is around $14.82 million. The ever-increasing number of regulations and regulatory updates warrants a technology-driven approach to compliance. The regulatory change management process – scanning the regulatory horizon, capturing the latest updates, analyzing the impact on internal policies and controls, identifying and remediating issues, reporting, and more – is a continuous process and requires a continuous approach. Think automated compliance, if you will.

Manually carrying out these processes is not only labor- and time-intensive but also prone to errors. Today, organizations can leverage cutting-edge tools and technologies that perform these tasks in a more efficient and accurate way, allowing them to focus on areas that require human expertise. By facilitating an integrated and centralized approach through seamless mapping of regulations to organizational processes, business units, controls, assets, policies, etc., these software solutions provide contextual information in a timely manner and help accelerate the compliance process.

The time to act is now. Including compliance and regulatory change management in the organizational digital transformation strategy is a must today. Businesses need to identify compliance areas and processes that could be automated to improve efficiency, relieve the burden on overwhelmed compliance teams, and enhance preparedness for the next and future wave of regulatory changes. 

We understand the importance of demonstrating strong compliance for building trust and confidence with the board, customers, regulators, and other stakeholders. We also understand how organizations can leverage technology as an enabler of compliance automation and resilience. MetricStream Compliance Management and Regulatory Change Management products are purpose-built to help organizations stay on top of evolving compliance requirements.  

To learn more about MetricStream Regulatory Change Management, request a personalized product demo. 


Shampa Mani Assistant Manager – Marketing

Shampa Mani, Assistant Manager - Marketing, at MetricStream, has over 9 years of experience in content writing and editing. Prior to joining MetricStream, she worked in the news and media industry, covering news on fintech, blockchain technology, and digital currencies. Academically, she has an MBA in Business Economics and an MA in Economics. In her free time, she loves to cook, read, and delve into the world of UFOs and extraterrestrials.


Navigating Change: Leveraging Technology to Strengthen Compliance Resilience

7 min read

Introduction

The cost of non-compliance is rising. In a recent study, the Ponemon Institute found the average cost of non-compliance to be around $14.82 million per offending business. And while the practice of compliance continues to expand, organizations are finding that they cannot afford to rely on a traditional approach to compliance. For many organizations, there are two compliance practices, with some overlap – corporate compliance that focuses on the conduct at the organization and includes creating, distributing, training on, and getting employee (and third-party) attestation to a code of conduct, behavioral policies, and relevant processes and procedures, and regulatory compliance that focuses on organizational alignment with applicable regulations, standards, and frameworks. Corporate and regulatory compliance best practices are essential to a well-run business. Yet changes in compliance expectations, its position in an organization’s approach to holistic risk management, and the influence well-run compliance programs can have on the success of a business are driving changes in compliance best practices.

Globally, the narrative is gradually shifting from simply managing compliance requirements and meeting obligations to building dependable programs that deliver organizational compliance resilience. But what does it mean?

Compliance resilience refers to the ability of an organization to weather rapid changes and respond to them without compromising the compliance function or the integrity of the business. These changes could be either external to the organization, such as regulatory updates requiring recalibrating of regulatory requirements and obligations, or internal to the organization, such as changes in business practices – working from home or the office – changes in personnel, partnerships, and processes, that challenge compliance norms.  

External Changes: New Regulations and Updates

According to Thomson Reuters’ Cost of Compliance report, financial services firms across 190 countries saw an average of 246 regulatory alerts every business day in 2021. This equated to more than 64,000 alerts annually, marking the second-highest annual volume of regulatory alerts since 2008. Keeping up with this flurry of regulatory updates is no ordinary feat and requires a multi-pronged approach. Here, compliance management technology plays a key role.

  • Regulatory Horizon Scanning

Establishing a systematic process for staying on top of pending regulatory changes is essential for boosting agility in compliance management and strengthening compliance resilience. Awareness of legislation and regulations in development can help organizations prepare for and anticipate changes. For example, it is not uncommon for one regulatory body to release an update only to be followed by another agency with similar jurisdiction and stricter demands. A business that is made aware of the proposed legislation can adapt its programs to the anticipated stricter code once, rather than having to adapt its approach twice. Tracking relevant regulatory developments from around the world, across hundreds of jurisdictions and thousands of regulatory authorities, is a daunting task. A manual approach will inevitably result in a growing backlog of regulatory alerts that need further analysis, increasing the probability of human error and compliance violations. It also makes it challenging to consolidate compliance data from different business units and geographies and to compare trends across different assessment periods.

There are a number of solution providers that offer regulatory horizon scanning capabilities – tools that regularly scan the regulatory environment (government and regulatory bodies, enforcement agencies, supervisory authorities, etc.) for updates, and capture and relay them to relevant personnel in a streamlined and automated manner. This saves the compliance team a lot of time and effort, which they can instead use to analyze each regulatory alert and assess its impact.

Learn how a Leading UK Financial Institution is leveraging MetricStream’s integration with CUBE to identify, capture, and manage regulatory changes in a simple and automated manner. Click here.

  • Regulatory Change Alerts

Establishing a systematic process for staying on top of impending regulatory changes is essential for boosting agility in compliance management and strengthening compliance resilience. However, capturing these alerts from around the world, hundreds of jurisdictions, and thousands of regulatory authorities is a daunting task. A manual approach will inevitably result in a growing backlog of regulatory alerts that need further analysis, increasing the probability of compliance violation. It also makes it challenging to consolidate compliance data from different business units and geographies and compare trends across different assessment periods.

Software designed to streamline regulatory change management can reduce the time and resources required to ensure the organization is aware of, identifying, and aligning to evolving regulatory requirements. AI tools that can help identify applicable regulations, curate those regulations so only relevant ones are reviewed, and extract requirements from them can save even more resources, time, and costs. Systems that establish a centralized repository mapping regulatory requirements to organizational risks, controls, processes, and policies can help accelerate the process. Software that identifies the specific sections of policies impacted by a regulatory update saves significant effort and allows for a more adaptable, agile, and resilient compliance approach.

  • Obligation Management

Effective obligation management, i.e., identifying, extracting, and meeting compliance obligations from regulations, contracts, policies, etc., is essential to strengthening compliance resilience. Given the sheer volume and complexity of regulatory requirements and the tendency to bury actual obligations within large documents, organizations can no longer justify manual methods. Leveraging AI-powered capabilities and automation can enable organizations to quickly and easily identify and extract relevant regulatory obligations at scale, including tagging them, classifying them, and surfacing them for a faster, easier, and more accurate review.

AI-driven obligation management is a game changer for many, with an ability to accelerate regulatory change management processes and accuracy immeasurably. And an easily and rapidly aligned organization is going to be able to adapt to changes in compliance requirements with less effort.

  • Compliance Risk Assessments

It is imperative for organizations to proactively manage compliance risks, i.e., the risk of non-compliance with regulations, frameworks, and standards, which can jeopardize an organization's financial standing, legal position, and brand reputation. To improve compliance posture and resilience, organizations need to continuously assess compliance risks and mitigate them in a timely manner.

Performing compliance risk assessments requires identifying relevant federal, state, and local regulations, determining if internal controls and policies are in compliance with the identified regulatory requirements, identifying if there are any gaps, and taking necessary risk mitigation steps. That said, it is critical to constantly draw from cross-industry best practices to enhance an organization’s compliance risk assessment, and to effectively manage compliance expectations.

Software solutions can help streamline the entire process with well-defined workflows spanning creating surveys, reviewing, approving, and distributing them, and collaborating with various business units and teams to gather and update responses. Technology-based solutions not only help organizations save time and effort but also enable them to manage compliance risks proactively and effectively prioritize risk mitigation efforts, ensuring optimum allocation of resources.

Internal Changes: Compliance Team and Workflow

The centerpiece of implementing a compliance program and executing the workflows is the compliance team. From the chief compliance officer (CCO) to compliance managers, analysts, and associates – everyone plays a crucial role in strengthening compliance resilience. Organizations need to properly define and document roles, responsibilities, and accountabilities for each of the compliance personnel; provide comprehensive training on the laws, regulations, and company policies that apply to their day-to-day job responsibilities; and ensure seamless collaboration within the team and externally with risk, security, and other functions. That said, it is critical to have a business continuity plan in place – the course of action if there is an expected or unexpected unavailability of a team member due to retirement, a departure from the firm, management restructuring, etc. While having well-documented standard operating procedures (SOPs) in place definitely helps, organizations must also deliberately encourage a culture that promotes performing at the next level. Running mentorship programs can help employees easily step into the shoes of a senior team member if need be. 

What’s Next

Anti-corruption and competition laws, data and privacy regulations, prevention and control of fraud, cybersecurity regulations, anti-money laundering (AML) and counter-terrorist financing (CFT), sanctions policies, ESG regulations, and more – the list goes on. Regulatory scrutiny and oversight will only amplify going forward, making it exceptionally challenging for organizations to build trust and credibility with regulators, particularly in the uncertain business environment. It underscores the need for building compliance resilience in line with business goals and objectives.

Companies that fail to broaden their outlook and approach face greater possibilities of penalties, litigation, loss of contract, negative publicity, loss of reputation, and in some cases, complete corporate collapse. Organizations need to create an environment that reflects transparency and efficiency in the management of regulatory requirements and obligations. Compliance resilience – centered around the principles of proactive and agile approach and business continuity – can empower organizations to withstand internal and external changes.

To explore how MetricStream can help you stay on top of regulatory change and boost compliance resilience, click here.


Sumith Sagar Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales and sales enablement. With over 12 years of risk management solutioning experience ranging from Governance, Risk and Compliance (GRC), Commodity Trading & Risk Management (CTRM) and cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.


If You Think Compliance is Expensive, Then Try Non-Compliance

5 min read

On Your Bike

Last year, just when summer was abruptly ending, I decided to buy a bike. The timing could not have been worse. At best I accomplished one week of what I classified as proficient riding, and that was navigating a flat path, as anything else in my vicinity would have been uphill and painful.

A week later I locked my bike up in a well-weathered shed that had a secure padlock. If anyone wanted my bike, they would have had to break the padlock.

I am reminded of this story as I recently had a conversation with the head of a security and risk management division, who told me that not that long ago, to secure your documents you would physically place them in a filing cabinet, put a key in, turn it, and lock it. Job done.

Well naturally this still exists, but now we have more secure, efficient, and quicker ways to safeguard documents and data. The advances of digitalization have brought us so many reasons to be cheerful. Look how we can work remotely, store terabytes of files in one click, and send relevant photos, media, and documents across the world in seconds.

Just to set the record straight: when I say things have become more secure – it depends on who you ask! Cyber security is all the rage and making front news in national papers: it’s not just companies that need to secure themselves, it is even countries that are worried about their IP domains and distributed denial of service (DDoS) attacks. Networks, organizations' infrastructure, passwords, and even mobile devices have to ringfence themselves against these attacks. The stakes are high, and risk has to be managed, be it systemic or reputational.

Recently, MetricStream partnered with the International Compliance Association (ICA) on a webinar titled: Best Practice Guide: How to Tackle Cyber Risk as a Compliance Professional

I was fortunate to be part of this discussion.

Some of the topics we delved into were:

  • How are risk and compliance professionals tackling cyber risk?
  • How does risk quantification help with strategic decisions?
  • The role of compliance professionals in cyber security risk management

Watch the Webinar: Best Practice Guide: How to Tackle Cyber Risk as a Compliance Professional

Cyber: The Dark Side of the Force

It’s great to see how innovation and technology can help solve so many things. Unfortunately, there is a darker side. There are cybercriminals who are trying to steal your online data and cause as much havoc as possible. It’s not just a job for CISOs or CROs to manage this. It falls to all teams including compliance professionals.

Cybercriminals may try a thousand times to infiltrate the same organization and unfortunately, it takes only one attack to be successful, and if you are breached, the results are catastrophic and you will have to re-think your entire business and cyber strategy.

There is a significant difference between information security and cyber security: the first protects your classified information, whereas the latter is a component of information security and protects your networks and computer systems. You need to be in control of both.

Another cybercrime that has dominated the headlines recently is ransomware. It is the most profitable form of cybercrime and with the current geopolitical landscape, cyber-attacks and ransomware are dominating the Eastern Europe region and the world stage.

Cybersecurity is a Business Risk, Not Just a Technology One

Organizations need to show their customers that their data is secure. Being compliant is important to give your customers confidence that you are protecting their data, but it is not the same as being cyber secure. By understanding your risks, mitigating the right risks for you, and transferring residual risks, organizations can start to make and prioritize decisions based on their profile. Compliance professionals should be connecting with the cyber and security professionals, as in real terms the cost of compliance continues to rise, and if you think compliance is expensive, then try non-compliance!

We Are in This Together

Companies don’t have to try and work this out in isolation, and using spreadsheets to manage this will often not give you the breadth, depth, or real-time view that you need. To really get in front of risk you need a governance, risk, and compliance (GRC) solution with a federated data model, meaning that whether organizations need to understand their ESG score, their cyber threat vulnerabilities, or their risk quantification, they can have one amalgamated solution that is connected and seamless. They can thrive on risk!

Every organization will be at a different stage in its cyber maturity and development, but what if you could actively manage cyber risk through an IT and cyber risk and compliance framework that aligns with established security standards, so you can pass IT audits more efficiently and obtain buy-in from top management?

MetricStream is here to help you with pre-packaged content and industry frameworks such as ISO 27001, NIST CSF, and NIST SP800-53. We can map policies to IT controls and policy exceptions so you can be set up for success. You can learn more by visiting our website or booking a demo.

The compliance professional is so much more than just compliance, they hold the integrity of the client’s data as well as the ethics of an organization. In many ways, we must go back to basics. Having a solid governance structure that considers your third-party risks and builds a threat intelligence framework is critical.

“Don’t forget it takes years to build a reputation and a few minutes of a cyber-incident to ruin it.” Stay safe.

In my next blog I will discuss what cyber means for the resilience of an organization and how you need to think three or four steps ahead of the game.

Watch the Webinar: Best Practice Guide: How to Tackle Cyber Risk as a Compliance Professional

This blog is part of the Instagram of Risk Blog Series, authored by Suneel Sahi, VP, Product Marketing at MetricStream, which captures discussions and insights trending in the risk community.

Check out Suneel’s other ‘Instagram of Risk’ blogs:

An Ounce of Prevention is Worth a Pound of Cure

Don’t Aim To Be Perfect, Aim To Be Anti-Fragile

Enforcements Will Come in All Directions

There is One Way Traffic – Downhill


Enforcements Will Come in All Directions

4 min read

The Instagram of Risk Blog Series

At the recent European Compliance Week event, as well as interviewing compliance professionals, I was fortunate enough to moderate a panel session. Below are the highlights of my discussions.


What did we learn in the last 2 years?

On the back of such a devastating pandemic, one that arrived so quickly and unfortunately continues to mutate, compliance professionals were catapulted into the limelight by proactively updating compliance programs. For this to work, there needed to be clear communication, outstanding cross-functional cooperation, and a strong element of business resilience.

Successful compliance departments create an environment where the right channels are fostered and compliance policies, including the overarching code of conduct document, are regularly updated.

Organizations have found it challenging to track third-party vendors, who, although they can be strategic partners and play a pivotal role in an organization’s supply chain, still need to be managed delicately. Compliance assessments, control testing, policy, and process updates have all been challenging at a time when remote working is a permanent fixture for millions of us.

Compliance teams have shown agility. They are pushing for C-suite representation and asking for support to cope with the stress and additional work burden.

It all starts with culture

CEOs have to steer the ship and address the pressures of results and the overall performance, but what is equally important is promoting the right culture. Although it might start from the top, all employees need to take responsibility. Compliance and the value associated with it should not be sidelined. It needs strong representation and respective departments should stay close to their compliance teams.

The compliance lens needs to marry up with the commercial lens. Once you show commercial benefits, you have senior management buy-in. Again, a point that is strongly correlated with fostering the right culture and promoting the right conversations.

Compliance officers need to recognize the organization’s business needs and challenges. They should take an interest in their colleagues’ priorities and build relationships (even if it needs to be done remotely).

Data is of particular concern. Today, companies gather, create, and store an eyewatering amount of it. Most probably, this data will be saved for a rainy day. However, without the right technology, data can do more harm than good. Technology has the prowess to identify, manage, and evaluate the data so strategic decisions can be executed.

If I am out of compliance, I will comply – Let’s talk about the technology

The importance of technology has taken center stage. We are in a phase where agility and adaptability are strong contenders to disrupt the old ways of thinking. Implementing the right technology does not take as long as you think. Organizations are realizing the rationale of a solution that works for them, whether it replaces their existing technology or supersedes their in-house functionality. Compliance teams need structure: they need to understand the ever-changing regulatory environment, demonstrate how policy management will influence their markets, and provide solutions for observations and whistleblowing.

Companies that adopt, implement, and embrace the right technology will notice significant improvements across the spectrum and align their business objectives with their compliance needs.

Examples of where technology has helped these teams include:

  • Moving training online
  • Facilitating compliance data gathering and digitalization
  • Facilitating roll-out of codes and policies
  • Managing remote hotline investigations, including the use of forensic tools

With an increase in business risk, social unrest, and climate change, compliance is not an easy task, and without fully digitized platforms and processes, organizations may be left behind.

What’s going to keep us busy

As we step into a new year, there are several points for consideration:

  • Companies with more than 250 employees in the European Union will need to comply with the EU Whistleblower Protection Directive this month. They will have to implement their own internal policy. Organizations must provide safe and accessible reporting channels and protect the confidentiality of whistleblowers and those named.
  • New regulation will continue to be introduced and enforcement will come from all directions.
  • The volume of digital transactions we process today is not the same as pre-COVID. The numbers will continue to increase, and you have to allocate resources in the right places.
  • The role of ESG has exploded and the link between compliance and ESG will further unfold.
  • Ransomware will, unfortunately, continue to dominate the headlines.

To build effective compliance programs, organizations need robust, automated compliance tools that make it easier to identify and manage regulatory changes, assess and test controls, and improve visibility into compliance across the enterprise. With the right technology, processes, and teams, organizations can transform compliance into a strong competitive advantage, strengthening trust and credibility with stakeholders, customers, and regulators.

“Life is either a daring adventure or nothing at all.” Compliance officers, you are doing a great job.

This blog is part of the Instagram of Risk Blog Series, authored by Suneel Sahi, VP, Product Marketing at MetricStream, which captures discussions and insights trending in the risk community.

Check out Suneel’s other ‘Instagram of Risk’ blogs on the key takeaways from the Chartered Institute of Internal Auditors event in London and the Oct 21 MetricStream GRC Summit held in London, Copenhagen, and Zurich.

Our European GRC Summit Roadshows and the Instagram of Risk

4 min read

Introduction

Talk about round trips. In the same week as a very successful 2021 GRC virtual summit on the 19th and 20th of October, where MetricStream had over 2500 customers, prospects, and partners registered to learn, participate, and share their experiences around GRC, IRM, and everything in between, we decided to host three physical summits in London, Copenhagen, and Zurich to continue the conversations with our community.

All three locations had a boardroom-style setting dedicated to a round table discussion. The aim was simple: we would listen to what our community had on their mind. It was an opportunity to find common synergies, lead round table discussions, and network with senior risk professionals who are paving the way in this industry.
With representation from risk, compliance, audit, and IT/cyber, the discussions were captivating, and the commentary was electric.

London Calling

The first of the events started off in London, and we had a great mix of customers, partners, and prospects around the table.
Our CEO, Bruce Dahlgren, introduced the session, and it was an engaging group that shared their thoughts and concerns around the current themes and trends.

Alongside the presentations, our partners gave a short speech on the success of collaborating with MetricStream to provide business benefits for our risk community. What followed was an insightful roundtable discussion that covered risk quantification, cyber security, and the need for organizations to lead with purpose.

It did not take long for ESG to make an appearance, and quite rightly so: with COP26 on the agenda and the link to compliance, organizations that have a purpose and are aligning with social governance, diversity, and climate change are setting a precedent. MetricStream recently launched the ESGRC product, which enables organizations to define and manage ESG standards, frameworks, and disclosure requirements. There was a lot of excitement about this in the room.

Emerging risks and third-party risks were explored in detail. With recent supply chain disruptions, it became even more apparent how peripheral risks had to be managed.

Dinner followed, and the conversations (like the wine) continued flowing. It was delightful to see customers connecting with customers. It was evident that they all thrive in this environment and that it was clearly something they had sorely missed over the last 20 months.

Cycling through Denmark

We settled in for another topical roundtable discussion, where thoughts and real-life examples of how technology is an enabler in the GRC space were deliberated. In some instances, the dialogue went back and forth. One example of this was the view that the concern organizations face with risk is not always a technology one, but more of a transformational project that the organization needs to resolve. Accompanying this was the remark that there are inconsistencies in risk terminology across industries, which fuels part of the problem. It was also surprising (to me) to learn that there are still so many organizations using spreadsheets to manage their risk. This was their default way to identify, monitor, and track risks, even though they knew it was not sustainable, efficient, or scalable.

The need for AI and ML to automate risk attributes was the next topical point. The comment was made that AI techniques recognize patterns and trends to help alleviate the pain, time, and missing information that humans cannot always detect, but how do you know that AI is doing the right thing? This conversation continued into the evening, accompanied by food and drinks.

High-End Shopping in Zurich

And finally, concluding the week in Zurich, we had another full house with an engaging group that deliberated on how they can start a community of risk or, as was suggested, the “Instagram of risk”. There were discussions around risk culture, accountability, accurate data, and mindset. Some customers admitted that it was quite possible to get lost in the data and that what they require is speed, agility, and most of all simplicity. A comment was made that you could spend all your time managing documents and not the risk. Another referenced that, as change management sits in all departments including HR and legal, it can be a challenge to bring it all together in larger organizations. Crypto also made it into the discussion, with a notable mention that new risks have no historical data to draw on.

Visibility and accountability were front of mind in the discussions, and a common theme that was mentioned was on reporting risks up to the board of directors and the role of the board in risk governance.

MetricStream presented 5 current trends that we are observing in the industry and 5 innovation themes that we are leading the way with (API, AI, Adoption, Agility & Analytics).

By bridging the gap and driving value for the community, MetricStream has a purpose to continue to add value and innovate alongside our community. We want the community to thrive on risk and reap the rewards of being on a GRC journey that, like a good bottle of wine, gets better with age.

Until the next summit.

Powering What’s Next in Compliance Management: Compliance Evangelist Tom Fox Breaks It Down

9 min read

Introduction

I recently had the privilege to sit down with Tom Fox. Tom is the author of the award-winning FCPA Compliance and Ethics blog, 18 best-selling books on compliance, including the just-published 2nd Edition of the Compliance Handbook, and publisher of the Compliance Podcast Network – the only network of podcasts for compliance leaders. A renowned expert across all aspects of compliance – corporate, regulatory, ESG, you name it – he’s known by the well-earned names “the Compliance Evangelist” and the “Voice of Compliance.”

As we all contemplate what’s next as we recover from the pandemic, navigate multiple regulations, and adapt to the ever-changing demands of our organizations, I asked Tom his thoughts on what’s trending in compliance today and tomorrow. As always, he had thought-provoking insights to share, including:

  • Nothing matters more than document, document, document – except data, data, data
  • Risk management is business today – and it’s no longer a once-a-year activity
  • ESG is the trend of the year
  • Reputation matters: Remember the court of public opinion!

Here’s a lightly edited transcript of our conversation. Thank you, Tom!

Q. Hi Tom, Great to see you! Let’s start with this idea of what's next. Obviously, we're all experiencing unprecedented volatility, a tsunami of change. When you think about what’s next for compliance, what are some of the trends and key things that are o

TF: Let’s speak about both compliance and risk management. I started a podcast last year called “Compliance and Coronavirus” because I really wanted to focus on what the COVID-19 pandemic meant for people in our profession and really everyone in the corporate world.

Probably the two most propitious things I learned in that series of about 50 podcasts were: one, a gentleman said, I think in October, “We've had five years of change in six months of coronavirus.”

The second was the risk management part, where another guy said, “We've gone from disaster recovery to business continuity to business as usual.” Now the risk management world is business.

You have to prepare for risks from a worldwide pandemic to the Suez Canal being shut down, to riots at the U.S. Capitol, and everything in between. That’s just business now.

So, the types of services that you and I bring to the compliance community have only become more important in all of the things that we used to talk about. They are exponentially more important now. So that's part one, but part two is where is all of this going down the road? And that part is largely around data and the use of data.

In June 2020, the Department of Justice released an update to the Evaluation of Corporate Compliance Programs. And for the compliance professional, they specifically said a couple of very important things.

  • Number one, compliance and the chief compliance officer have to have access to all of the data in your corporation. If it's siloed, if it's not structured, it doesn't matter. Compliance has to have access to it. And even more important is that you use that data.
  • Number two, we used to talk about a risk assessment being done every two or three years, and then you plan it out as one, three, and five-year plans to mitigate those risks. But now risk assessment must be conducted not every three years, not even every year, but when your risks change.

And -- your risks are going to change. You must put a risk management model in place and then you monitor that risk, all the time. And the data that you garner from that monitoring is looped back into your risk management solution through an ongoing/continuous approach to risk management -- risk assessment, continuous monitoring, continuous improvement-- all tied by data.

Everyone -- from the compliance professional to the risk management professional -- now has to utilize data to manage risks. That's how business is going to survive and thrive going forward.

Q. What about regulations? Are there other specific areas of regulatory compliance or regulations that compliance pros in that area need to be thinking about when it comes to what's next?

TF: Probably one of the most ubiquitous phrases from 2021 has been ESG. I think that sits directly in the compliance wheelhouse. Also, the chief compliance officer is uniquely suited and situated to lead a corporate ESG effort.

Certainly, for each one of the letters in the ESG -- environmental, social, and governance -- compliance is well-suited to own it because it's putting policies and procedures in place. It's monitoring those policies and it's getting measurements from that monitoring and reporting.

And that's just one area from the regulatory sphere. The U.S. Securities and Exchange Commission (SEC) has made it clear that they expect companies to not only have ESG programs in place, but also report on those programs accurately. That is not only a regulatory requirement that could lead to regulatory enforcement, but would also help to meet investor expectations, stakeholder expectations, shareholder lawsuits, and everything in between.

The second perhaps most ubiquitous phrase is SPACs: Special Purpose Acquisition Corporations. Those are utilized to bring a privately held company and make it public. But it's different than the typical IPO process where you go 12 to 18 months, you have regulatory approval, you have filings with the regulator, you have investors like you, and may have the opportunity to review those filings, to determine if we want to invest in it. And you have an opportunity to put your Sarbanes Oxley or SOX controls in place.

When you're a SPAC, you don't have an 18-month run-up. You have “today's Tuesday, tomorrow's Wednesday. Go!” You now have all the obligations of a U.S. public company. Are your internal controls in place? Are they effective? Have you tested them? The answer is no.

It’s incredibly important for the risk management professional to think about those things. And if you think you may be acquired by a SPAC you have to be moving towards those.

Those are just a couple of areas that the regulators have made clear that they are going to look at SPACs very closely. If on the day, you become a U.S. public company, you don't have Sarbanes-Oxley 404 controls in place, the SEC may take a very dim view of that. And certainly, you open yourself up to potential investor and shareholder lawsuits.

But I think that as important as those are, they actually pale beside public opinion. And I think the greatest danger to a corporation now, certainly from a financial perspective, is negative publicity.

The social amplification and speed of social media make it mandatory that you have policies and procedures in place to detect anything and then prevent it. And if not remediate as quickly as possible, then at least be able to communicate that to all of the stakeholders that are now seen as a part of a corporation.

Q. If you had one piece of advice for compliance professionals thinking about what's next, what would be your summary piece of Tom Fox wisdom?

TF: In the past, I’ve always said the three most important things are: document, document, document.

I've amended that out to data, data, data.

You need to have a data expert, a data scientist, or someone who can work with data on your compliance team because either you're going to have to work with the data or more importantly, have someone who can work with the data. You can help shape the story that the data tells.

As the chief compliance officer, you can certainly see the trends, but you have to be able to work with data. If you don't have that training and you can't really pick up those skills in this part of your professional life, you're going to need to bring those skills into your compliance program.

I see compliance really moving towards a business process and a business function. And that means data and using data to determine if a potential violation is on the horizon and using that same data to tell your story to all of the stakeholders of a corporation--your shareholders, your employees, your third parties, those who you do business with, localities where you may be doing business.

And most importantly, if the government comes knocking, that's where the “document, document, document” part comes in because you can tell your story to the government as well.

Q. So what are you doing next in your career? You mentioned your book. What’s happening next for Tom?

TF: Well, about a year ago, I was contacted by LexisNexis, the preeminent legal publisher in the United States and the world. I was very honored that they selected me to be their first author to lead the compliance library that they make available. I'm extraordinarily pleased to announce that in June LexisNexis published my latest book, the 2nd Edition of the Compliance Handbook.

I'm going to continue to grow the Compliance Podcast Network. We’ll have 70 podcasts on the network by the end of summer and I'm looking to grow the network. The thing I love about podcasting is I get to interview the top experts in every form of compliance: IT compliance, HR compliance, anti-corruption compliance, AML compliance, environmental compliance, you name it. I've learned so much by interviewing people.

So, I'm going to continue to learn and grow and hopefully be a resource to the compliance community going forward.

Thanks, Tom, for sharing your insights about what’s now in compliance – and what’s next. To learn more about Tom, visit his Compliance Podcast website.

To learn how MetricStream can help you address your compliance needs and help you manage what’s next, click here.

Pat McParland

Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.


Power What's Next with Integration and Technology.

4 min read

Introduction

What’s happening with risk management and compliance professionals as they manage today’s vast wave of changes – from increased regulatory pressures to a skyrocketing number of regulations to master? How are they managing what’s next in the COVID-19 era?

To understand the current state of compliance programs and processes as well as the impact of the pandemic on compliance management, MetricStream conducted a comprehensive survey of compliance professionals across industries and geographies.

We learned a lot, including:

Managing third-party risk compliance is a huge challenge. Nearly half -- 48% -- of organizations found it challenging to track third-party compliance while 44% stated that their biggest challenge was to manually conduct compliance assessments.

Staying ahead of regulatory changes remains a key issue. Regulatory authorities worldwide keep regulations up to date to protect the interests of businesses, customers, and relevant stakeholders, leaving businesses to cope with a tsunami of ongoing changes. As just one example, banking sector companies alone cope with an average of 220 regulatory alerts a day, compared to just 10 back in 2004.

In the survey, we found that 76% of compliance managers manually scan regulatory websites to track changes and assess their impact on the business. That’s neither efficient nor effective – how can you possibly keep up?

Engaging the front line is essential. 57% of respondents said that they engage with the frontline to respond to queries related to policies, regulations, processes, and controls. Frontline employees are the eyes and ears of the business and can often spot important trends and risks before the rest of the business. It’s encouraging that more than half are incorporating frontline feedback – a trend we hope to see continue.

The use of technology is not yet where it needs to be. Just 19% of organizations use standalone compliance management platforms. That’s shockingly low! And, only 19% of respondents said they use compliance management software as a component of a larger GRC platform – implying 80%+ are not managing compliance in a consistent, integrated way.

Combined with the manual scanning of regulatory changes, we’re seeing a key theme: automation and technology drive effectiveness and enable you to move valuable resources to strategic work, yet so few are taking advantage of it. There is work to be done. Enhancing regulatory and internal compliance assessments and improving employee awareness with more compliance training emerged as the top future priority areas. Training is key to creating a culture of compliance and coping with today’s fast-changing demands. Unless combined with more strategic technology, however, they are not enough.

In the words of the report: “As the world gears up for a post-COVID economy, organizations must also focus on fully integrated technology platforms that can automate and improve compliance with an ever-evolving regulatory framework. The post-COVID future will bring about greater uncertainties and greater changes in regulations and organizations must prepare for this now.” Only by getting ready now will we be empowered for what’s next.

Going Digital: The Only Way Forward

To navigate today’s regulatory landscape efficiently and effectively, organizations need to embrace digitization and automation. Technology-based compliance management solutions can help streamline and automate the entire process—establishing a centralized repository of regulatory obligations and mapping them to policies, risks, controls, and processes; identifying, tracking, and analyzing regulatory changes; identifying and prioritizing high-risk areas; creating, updating, and aligning policies; managing various regulatory engagement activities, and more.

[Read more: 3 Best Practices for a Proactive Approach to Compliance (eBook)]

MetricStream can help you power what’s next. We offer a comprehensive suite of products and solutions to help organizations streamline and simplify both regulatory and corporate compliance. The products help structure and streamline various aspects of the compliance function, enhancing overall efficiency. With automated workflows, analytics, and dynamic dashboards, MetricStream products and solutions deliver real-time visibility into the compliance posture of the organization.

Here’s a case in point: A leading health insurer was seeking to integrate all regulatory compliance processes so that the insights that ultimately rolled up to the senior management and board would provide a complete, accurate, and real-time view of enterprise-wide compliance. It embarked on a GRC journey with MetricStream and implemented an integrated GRC solution beginning with compliance issue management, followed by compliance risk management, policy management, case management, and audits. Today, an efficient and standardized compliance program is in place with timelier visibility into risks and other areas of concern.

[Read more: Leading Health Insurer Integrates Regulatory Compliance Efforts, Saves Time and Costs (Case Study)]

What’s next is never sure – but what’s certain is that what got us here won’t move us forward. The compliance function must adapt, automate, streamline, and collaborate with technology to power the future and turn risk into a strategic advantage.

Read more of what the compliance professionals had to say. To download the State of Compliance report, click here.

Want to see MetricStream in action? Request a demo by clicking here.
