2017 promises significant shifts in retailer tactics as they embrace more intimate conversations, leveraging the power of digital devices, analytics and channels. Walking the fine line between becoming a trusted advisor and intruding on customers with perceived (or actual) privacy violations will become as much of a science as it is an art in today’s world.
Here’s a look at the top five trends that will impact the retail industry in 2017.
Retailers will provide innovative mobile apps to enhance customer experience, going beyond simple payments to establishing a virtual, real-time, personal shopping conversation — for example, notifying sales associates of a drive-through pickup or return. Retailers will equip associates with mobile devices to reach out to in-store customers, track real-time shopping behaviors and send curated offers while blurring the line between online and in-store shopping.
Omnichannel will reach beyond purchase into actual use as retailers unify online, offline and Internet of Things analytics to understand the 360-degree view of an individual’s needs and behavior and gain insight into preferences. Correlation analysis throughout the shopping journey will increasingly be used to predict an online or offline purchase, using browsing history, reviews read, social media networks and favorites on sites like Facebook or Pinterest — blurring the line between online and in-store shopping. The focus will shift to helping impatient buyers make faster decisions, and at the same time build long-term loyalty. Most importantly, the Internet of Things will become increasingly critical in providing insight into how products are being used after purchase and predicting a repeat purchase or recommendation.
Understanding customer needs, wants and behaviors will drive retailers to strengthen the relationship by using partnerships and connected devices to create a frictionless, real-time experience. Retailers will use devices to reach out to in-store customers, track real-time shopping behaviors and send curated offers while establishing a virtual, real-time, personal shopping conversation. This will be bolstered by a rise in subscription services that provide clear value and build trust, like Amazon Dash, 1-click and Amazon Prime. Retailers will leverage partnerships that capitalize on trust built with complementary, highly trusted brands to provide convenient buying experiences. We will see a rise in combined offers for a specific need — travel, hiking or formal attire — complete with personalized rewards.
Consumers will begin to react to privacy concerns that arise from more intimate, personal conversations with their trusted retailers, with whom they allow tracking and analytics. Retailers will need to provide more transparency into the actual analytics and increasingly allow consumers to participate in the co-creation and selective editing of their own profiles, going beyond simply opting in to how information will be used. In addition, retailers will need to provide tangible assurances that consumers’ private information is safe, as new cyber threats emerge that target mobile and Internet of Things devices. Innovative retailers will start to show how their app experience protects data held on smart devices.
As consumer data accumulates from the shopping experience, through the supply chain into warehouses and out into the home through the Internet of Things, unencrypted transmissions and card-not-present transactions will present opportunities for attackers to steal personal data captured along this chain. Retailers will start to cooperate and adopt ‘Information Security by Design’ principles, building security deep into processes rather than bolting security monitoring onto processes after the fact.
Stay tuned for some astounding innovations by both retailers and the technology vendors that support them. And don’t forget that we are an essential part of these equations. As consumers, we co-create and influence innovations as they unfold in the landscape of our shopping experiences by staying engaged and, ultimately, voting with our (mobile) payments.
The original blog was published via Retail Touch Point.
All manufacturers and distributors wish to avoid having to recall a product. Through governance, risk and compliance (GRC) tools and processes, they aim to safeguard product quality and standards. This takes not only attention to detail and precision within the company’s own business operations, but also within those of its suppliers and third parties, as well as effective monitoring and assessments across the whole supply chain.
However, plans do have to be made for handling a product recall should one be needed. With increasing regulatory demands and complex international supply chains, effectively managing a pharmaceutical recall requires coordinating many responsibilities.
Among the many aspects a manufacturer has to get right are the identification of key decision makers, a clear understanding of roles and responsibilities, and a robust communications strategy. The damage to company brand and reputation can be severe for those that get it wrong.
The Food and Drug Administration (FDA) is responsible for protecting human health by ensuring the safety of pharmaceutical products. It can request or order a product recall when it becomes aware of a problem, but recalls are also initiated by the manufacturers themselves.
The FDA takes an advisory as well as an enforcement role, providing guidance on recall processes and the action needed at each stage. Senior management, quality assurance, regulatory liaison, and communicators will be central to a manufacturer’s recall process.
An effective product recall hinges on the company’s level of preparation. Identifying, training, and updating the core team that will be involved in the event of a recall is essential, as is clearly establishing decision-making authority at each stage of the process. Plans should be regularly tested to identify any knowledge or process gaps that must be filled.
Throughout the decision-making and recall process itself, manufacturers need to keep the FDA informed, as well as work closely with suppliers, distributors, and other third parties along the supply chain to take effective action. The FDA assigns a classification to the recall—which is essentially determined by the level of danger the quality or safety issue presents—and this impacts a number of factors in the recall process, including urgency and method of distributor/customer notification.
Any confusion over roles and responsibilities can result in delays, process stages being missed or not executed well, and possible non-compliance. Decision-makers, plan executors, and communicators need a common understanding of their role and responsibilities as well as those of others involved. This extends outside company walls to suppliers, distributors, regulators, and third parties.
The pharmaceutical industry is a global one with many manufacturers supplying multiple markets. Where licenses to sell in particular markets are held by multiple third parties, a lack of clarity over who has what responsibility—and/or any breaks in the chain of communication—can cause significant problems.
To maximize success, manufacturers must cultivate a transparent environment of information access and exchange. This is essential not only to track impacted parties and the root cause of the issue but also to keep all players up to date throughout the recall process. All responsible individuals need to work from the same information, and it needs to be up to date.
This is hard to achieve for many companies still working with systems and applications in silos where shared data has to be interpreted and fed into various tools that support the process.
Plan executors and senior management need visibility into product recall progress as well as the output of root cause analysis and other quality assurance tasks. This is best achieved through real-time executive dashboards and reports with drill-down capability to access relevant statistics, analytics, and trends.
Poor communication can be found at the root of many poorly-handled business problems. Product recall planning must consider the complete spectrum of communications—intra-company, externally with parties along the supply chain, with customers, and with regulators and officiating bodies.
Time zones, physical distance, language barriers, and cultural differences can all hinder effective communication. These must be managed for timely and effective communication.
Not only does communication need to be effective during the process of a product recall itself, it also needs to ensure the business learns from the situation, feeds information back into the system, and is equipped to take any corrective or mitigating action needed. An integrated solution that tracks and manages information and events across departments can initiate action based on change—for example the requirement for training or actions resulting from an audit.
When choosing business tools to support effective company communication, it is also important to consider how people consume information and the clearest, most effective ways of presenting it to achieve the maximum result. The visual presentation of data, for example, can be an effective way of maximizing understanding.
Through planning and the use of technology, manufacturers can streamline and improve the processes and procedures that expedite product recall activities. In this way they aim to limit brand impact, better serve customers, and ultimately drive improved business performance.
Effective governance, risk management, and compliance are essential for good business practice and to try to mitigate issues that may result in the need for a product recall. Despite ensuring effective processes and procedures and compliance with regulatory mandates, issues do still arise and preparation is essential to manage them when they do.
Automated risk management solutions can help support the execution of roles and responsibilities, informed decision making, and effective communication, not only once a product recall has been decided upon but also in minimizing and managing enterprise risk in day-to-day operations.
The original article was published by Pharmaceutical Processing.
To safeguard quality and standards, food manufacturing and distribution is highly regulated. To be fully compliant, companies need insight into their complete supply chain — end-to-end from base ingredients to finished product — and they must be prepared to act in the event of a contaminated or compromised product that jeopardizes customer health. This demands detailed and precise planning, execution, monitoring and assessment. Disconnected, manual governance, risk and compliance (GRC) tools and processes can be inefficient for the job.
The regulatory landscape in the food industry is increasingly complex, particularly for global manufacturers and distributors. Companies have to comply with all local, national and regional regulatory agencies relevant to their business. This means keeping up with evolving regulations and ever-changing circumstances. Guidelines and mandates must be interpreted, acted upon and compliance tracked. The impact on businesses is far-reaching across manufacturing, handling and food distribution.
GRC is central to business operations in all industries; in food manufacturing and distribution it must be integral to the way companies work. Robust management, quality inspection and corrective action are of paramount importance. Companies that automate and streamline activities through supply chain traceability and GRC systems will be quicker to react and take control in the event of a food quality or standard issue.
The stakes are high when it comes to public health and safety. Preserving company and brand reputation depends on successful GRC and this means excellence across three stages of compliance:
1. Policy and Procedures
Regulatory compliance requires tight control over policy and procedures. Organizations need first to be fully aware of the regulations appropriate to their business, to understand what it takes to be compliant and to ensure that all staff and suppliers have up-to-date training.
In the U.S., this largely means being up-to-speed on regulations from the USDA Food Safety and Inspection Service (FSIS) and the Food and Drug Administration (FDA), which together are responsible for ensuring food safety.
2. Execution and Controls Monitoring
Organizations must take a proactive approach to food safety and compliance to mitigate against incidents and to protect their business, onward supply chain and customers.
The first step is to identify hazards, in order to stop them from causing a problem. Again, this involves being up to date on the latest information as the FDA identifies specific hazards, for example, related to agricultural products and pesticides. To help exercise effective controls, companies must choose suppliers wisely and impose rigorous prerequisites around aspects such as sanitation and pest control.
Each hazard has its own characteristics and, therefore, its own control measures. The pathogens Salmonella and Clostridium botulinum, for example, each require their own particular controls.
3. Access to Data and Incident Management
A host of issues can cause a food safety standard problem. These include allergens, viral and parasitic outbreaks and bacterial contamination. One such issue occurred last year when nearly 30,000 cases of hummus had to be recalled due to a possible listeria contamination.
To maximize information capture, companies should tap into all data sources that can provide feedback on product quality. These days, this can include social media as news spreads quickly when a food standard issue occurs. Once an organization is aware of an issue, it must be able to rapidly track and trace the impact on its own production and be ready to instigate robust incident management. Preparation is key.
Earlier this year, Mars had to recall millions of confectionery bars in response to pieces of plastic found in some items. For a global brand, the task of tracking down impacted batches and isolating the production problem is significant. Thanks to the efficiency of its supply chain management systems and GRC controls, Mars was able to quickly identify the root cause, trace the contaminant back to a specific factory and track affected batches.
Supply chain management is all-important in regulatory compliance. No company can rapidly and successfully track forward and back the impact of an issue without knowing its supply chain. Traceability back to source and forward to consignees is essential. For example, the conditions on the farms that breed the cows for the beef that makes the hamburgers are important. Not just to the farmers (or the cows) but to all the companies that do business with those farms.
In the event that something does go wrong, the impacted organization needs to put its action plan into operation quickly. Then, root cause analysis can begin and be swiftly followed by corrective and preventive action planning.
Product recalls must be effectively managed for regulatory compliance and for the protection and preservation of the company’s brand reputation. The complex multi-stage process will include:
1. Making the Decision
Generally, the decision to initiate a food recall is taken voluntarily by the food manufacturer. This could be as a result of the organization’s own issue identification — from its own tests, industry watching or customer feedback monitoring — or from a supplier notification. Regulatory agencies may detect a problem from sample testing or field inspections.
Both FSIS and the FDA have the power to instigate a recall themselves. Such action is rare, but can occur if a company refuses to act and there is a threat to human health.
2. Communication and Investigation
The investigation must identify impacted items so that action can be taken to remove them from the food supply and to prevent any more from entering it. Communication is critical here — within the organization, with suppliers, with partners, with distributors, with governing bodies and with customers.
The recalling firm should discuss the nature of its communications with the FDA District Office Recall Coordinator, including any requirement for translation into other languages. Press releases are also used for wider notification.
The manufacturer is responsible for notifying all its recipients of the compromised food product and they, in turn, must contact all of the companies they passed it on to, in whichever form. For example, tomato purée may be used in a range of products such as sauces and pizza, as well as being sold as a product in its own right. The complexity of the food distribution and supply chain highlights the importance of swift and clear recall communication.
The timeline for the recall will vary according to the level of urgency and nature of the product. Where there is a risk to human health, action must be immediate and regular progress reports should be provided to the regulator.
The regulator will oversee the recall process and carry out audit checks to determine that diligent action was taken and that the recall was successful. FSIS or the FDA may choose to contact the likes of distributing agencies and school food authorities to confirm that they received information about the recall and acted accordingly.
Once the issue has been contained, root cause analysis can begin. Unfortunately, an all too common obstacle to this is access to required data. Electronic records and a connected, digital system of supply chain management can help here, greatly easing the task of traceability and communication.
3. Prevention and Control
Learning from a product recall must feed back into the organization to support continuous improvement and, if required, change. Regular inspections and risk assessments — across the entire supply chain — must be integral to processes and procedures as well as control measures and a comprehensive understanding of compliance. The final status report on a product recall must be shared with the relevant regulatory agency, detailing actions taken and the preventive action program implemented.
Through effective GRC, food manufacturers and distributors can help meet the requirements of regulatory compliance, manage issues when they arise and mitigate against repeat problems. By streamlining processes and procedures that expedite these activities, companies will work more effectively with supply chain partners, better serve clients and customers and ultimately drive improved business performance.
According to research by a leading IT firm, nearly 90 percent of the data in the world has been produced in just the last two years. Though a bit of a buzz phrase these days, big data is as important as the internet itself to many businesses today, for a number of reasons. The simplest explanation of how big data benefits businesses is this: it provides the insights needed to make more confident decisions, take faster actions, improve operational efficiencies, minimize risks, and reduce spending.
The sudden emergence of the whole phenomenon around the data explosion has been the result of the pervasive use of mobile devices and the large volumes of data generated from web based purchases, mobile activities, and social media interactions. As the massive volume of data and computing platforms continues to proliferate, the absence of thorough reassessments and thinking around information processing paradigms of the past will leave today’s enterprises ill-prepared to deal with this new (IT) normal.
Enterprises have to realize the obvious fact that big data is an immensely powerful concept, and information is a strong business asset. Managing large volumes of homogenous data is something that organizations of all kinds can benefit from; spanning retail, social networking, science and research, clinical trials, CRM, operational activities, transactions and more. The real challenge for organizations today is to move beyond the data volumes and data storage obstacles to assess the true value of available data to reduce overall internal audit or compliance field work costs. The vast majority of enterprise businesses are faced with the challenge of decoding large volumes of homogenous, inconsistent, or inaccurate data — often referred to as “bad data.”
Industry analyst Doug Laney encapsulated the characteristics of big data using the three Vs — volume (the quantity of data), velocity (the rate at which data is generated and changed) and variety (the number of different data sources and types). Many are also adding characteristics such as “complexity,” “veracity” and “variability” to their understanding of the concept.
An accurate analysis of big data helps enterprises with better insights into their customers, market opportunities, growth prospects, and corporate performance. This strategic analysis of large volumes of data enables organizations to achieve higher-quality results in their own internal audit and compliance processes, thus enabling them to establish more effective governance, controls, and monitoring mechanisms.
With the skyrocketing number of transactions and evolving compliance requirements and regulations, big data analysis offers endless opportunities for enterprises to mitigate key governance, risk, and compliance issues. Just as big data analytics can lead to more targeted marketing initiatives by analyzing marketing program responses, supplier activities, customer demographics, and sales patterns, effective analysis of massive volumes of structured and unstructured data can also enable organizations in the Governance, Risk and Compliance (GRC) space to:
Big data analysis should become a core component of every organization’s operations, performed on a continuous basis, spanning areas such as payment or billing transactions, payroll, social media analysis, sales, operational processes, and compliance. For many organizations, especially in highly scrutinized and regulated industries such as healthcare, finance, and insurance, big data analysis can support Enterprise Risk Management (ERM) by helping monitor risks involving loans, claims, and patient care procedures.
Simply stated, integrating big data analytics into an organization’s GRC methodology will help pave the way for a truly data-driven organization.
Social media remains one of the most talked about and widely used phenomena in this new digital age. Today’s tech-savvy organizations are on the constant lookout for the latest social technologies that can help them gain a competitive advantage over their peers. The rise of popular social networking sites like Facebook, LinkedIn, and Twitter in the workplace has provided a big boost to the broader social media movement. In fact, an increasing number of organizations are harnessing the power of social media platforms and applications for both internal and external communications. Organizations, large and small alike, are leveraging powerful social media capabilities to share updates, curate content, and promote and showcase their products and services, as well as communicate with employees, media, partners, and their broader ecosystems.
According to the 2014 Social Media Marketing Industry Report, a significant 92% of marketers indicate that social media is important for their business, up from 86% in 2013. Nearly 89% of marketers want to know the most effective social tactics and the best ways to engage their audience with social media.
While a corporate presence on social media has become imperative for all organizations, it can also be a double-edged sword. It offers limitless opportunity for success, but if not used appropriately, it can cause irreparable disasters.
While the benefits and value of social media are clear, risk management in the context of social media remains a more elusive, lesser known, and lesser understood facet. As an increasing number of organizations embrace social media tools for work-related purposes, new risks are presented. According to Gartner’s 2015 CIO Survey, 89% of CIOs agreed that the digital world engenders new, vastly different, and higher levels of risk.
According to a recent MetricStream survey report, in 70% of the surveyed organizations, the Marketing or Corporate Communications department is the core group responsible for monitoring and managing their company’s social media presence. Only 20% of organizations have actively involved their Governance, Risk Management, and Compliance (GRC) groups in social media monitoring. This poses a concern, as it indicates that companies are focusing more on the marketing aspects of social media, and not necessarily on the risks and compliance mandates surrounding it.
Users of social media, along with the organization’s technology and broader GRC professionals, must understand the potential identity, security, compliance, and privacy threats arising from social media, so that they can design and implement the most efficient and effective risk mitigation and management strategies. All risks must be defined, analyzed, assessed, monitored, and managed as part of the organization’s overall GRC strategy.
Predictive analytics-driven systems can help organizations gain a better understanding of the risk landscape and all potential risks. Nearly 60% of the financial services companies who participated in the Deloitte 2014 Global Survey on Reputation Risk indicated that they invest heavily in monitoring various data sources, including traditional and social media data sources. Citing the sheer volume of social media channels and the number of ways people have the potential to use those channels to destroy shareholder value, Gartner Research Director John Wheeler writes that organizations can tackle these challenges by developing clear social media policies and training for employees, establishing a social media risk management function, and providing adequate technology capabilities to support social media risk management.
Today’s latest GRC technology platforms and solutions can provide comprehensive compliance frameworks that support real-time identification of content and conversations across social networks, with the capability to integrate “big social media data” into the organization’s existing compliance infrastructure. Cross-functional teams including IT, Marketing, Audit, Risk, Compliance, Sales, HR, and legal professionals must all understand the role they play in this ecosystem, and put the right controls in place to regulate the ways in which the organization communicates socially with employees, partners, investors, the media, customers, and the public at large via social media.
Keep in mind, social media conversations are not always happening solely on organizations’ own pages, but also elsewhere on blogs, forums, and other individual and company pages. Organizations will continue to be challenged when it comes to identifying all of the accounts and pages that should be monitored on a continuous basis. Given the rapid emergence of new sites, pages, and hashtags, the process of defining the scope and methodology of social media monitoring will only become more complex.
In today’s mobile world, employees and organizations at large have an incredible toolkit to share information at lightning speed. As social media usage and adoption continues to rapidly grow across all levels of the organization, technology providers must step up to the plate. With the help of the latest GRC technologies that leverage natural language processing and big data analytics, organizations can be equipped and empowered to effectively monitor and govern social media. The right teams, the right technologies, and the right strategies can help create a truly harmonized approach to social media risk management in a way that ensures adherence to regulatory, legal, and compliance requirements, while guiding risk management, and protecting the corporate brand and reputation.
The story of Wells Fargo’s cross-selling compliance failure reminds me of the huge fine that HSBC received in 2012 for mis-selling — over $3 billion. Wells Fargo’s $185 million fine for poor cross-selling practices pales in comparison — but still, “ouch!” Even worse and more costly could be the reputation damage — Wells Fargo styles itself as the big bank that has that small-town feel.
According to reports, Wells Fargo had identified violations of its cross-selling policies for years — for instance, issuing credit cards without fully informing customers — and had taken significant remedial actions, sometimes even mass firings of offenders. The tone at the top seems to have been pretty clear and supportive of compliance. Yet on the other hand, failing to meet sales quotas could also result in a firing — as it should.
At most companies, we find that employees are rewarded for meeting goals that are tied to business goals — with performance indicators focused on production, growth, and sales. There is no reward for not breaking the rules. “Hey, John — thanks for not doing anything illegal this quarter — here’s an extra $2,000” — nope, that doesn’t happen.
The challenge for managers in the middle is how to communicate both compliance and sales goals, and how to monitor just as strongly for compliance as for performance. Managers have the customer relationship management systems, sales force automation applications, and financial management tools to track progress toward the achievement of financial objectives. However, they also need the tools to monitor and track compliance of the employees on their teams. What costs less — the fines and reputation damage of repeated compliance failures, or investments in the GRC tools that managers need?
Executives also need to monitor the mood in the middle. Frankly, the best way to do this is to talk directly to employees on the teams to see what messages they are getting from their managers. Often these are formal “skip-levels,” but informal visits and conversations can also give you a sense of the mood in the middle.
You get what you inspect, not what you expect. So, frequent, even continuous monitoring of sales for fraudulent activity should be the norm for a company whose growth is heavily dependent on consumer cross-selling.
The banking and financial services industry is undergoing a strategic shift with the advent of disruptive technologies such as Fintech, Blockchain, and IoT, which are challenging the established technology-based banking models. This may be the third wave of technology transformation to reshape modern financial institutions around the world, the first being ‘computerization’, which moved banking operations from paper-based to software-based, and the second being ‘internet/mobile banking’, which radically changed the way banks delivered their services to customers.
However, each technological shift has brought new challenges, and this trend is not likely to change much in the near future. Cybersecurity has become one of the biggest concerns for organizations across the globe. Regulators are also continuously altering the existing regulatory landscape in the larger interest of consumers and the economy as a whole.
In the course of this blog series, I will take you through some of these disruptions in the banking and financial services industry, and how adopting a mature Governance, Risk and Compliance (GRC) based approach may be the way forward. My first blog will talk about the changing regulatory landscape and five steps that you may want to adopt to stay ahead of the curve.
Welcome to the initial entry of this blog! In subsequent posts, I’ll discuss competitive trends I’m observing in the GRC market along with other issues that will affect GRC vendors.
Earlier in my career, I had the opportunity to work in the CRM industry and saw directly how that market grew, matured and eventually consolidated. In many ways, today’s GRC market is similar (buyers still learning what GRC means to them, no dominant market player, little M & A activity to date) to how the CRM market appeared in the early 2000’s.
Thanks for joining and I’m looking forward to speaking with you.
Warren
Banking and financial services institutions across the globe are struggling to keep pace with regulatory change, and, quite often, grappling with the sheer volume and complexity of these updates is a laborious, uphill battle.
According to a survey by MetricStream, which polled 123 compliance professionals across North America and Europe, 19% of respondents reported taking up to a year to implement regulatory changes [1]. Considering the magnitude of change that financial institutions have to deal with, this may no longer be affordable.
It may have been possible to keep track of regulatory updates using standard manual approaches during the pre-financial-meltdown era, but as regulators continue to usher in more reforms in this age of rapidly evolving and disruptive financial technologies — including Fintech, IoT, and cryptocurrencies — standard models are proving to be ineffective.
Yet, the survey shows that 48% of the organizations surveyed are still using office productivity software (Excel spreadsheets) to track regulatory changes.
The need of the hour is to develop a robust and technologically reinforced regulatory change management framework to help manage the next wave of regulatory reforms. A “wait-and-watch” approach is no longer sustainable, and organizations need to proactively address this business challenge before it is too late. Adopting the model below, which sets out five basic principles for a robust regulatory change management framework, would equip organizations with the right set of tools to manage regulatory changes and stay ahead of the curve.
Organizations have to keep track of regulatory content from global as well as regional regulators across a multitude of sources, including regulatory publications, industry associations, national and local media, and specialized content providers such as LexisNexis and Thomson Reuters. With so many sources to monitor and high volumes of relevant content to analyze, organizations may find this exercise time-consuming and resource-intensive.
The solution? A cloud-based content platform that serves as a one-stop shop for regulatory content from various sources. Using this platform, compliance professionals can subscribe to curated content based on predefined rules and keywords, which can be streamed directly as RSS feeds, alerts, or email notifications. Predefined rules can be set up based on a variety of regulatory attributes, including industry, jurisdiction, topic, state, and due date, thereby ensuring relevant information reaches subscribers in real time.
A global organization has to deal with inconsistencies in regulations across geographies and multiple business operations. Having a standard regulatory taxonomy that is aligned with the organizational hierarchy and consistent in language, terminology, and structure will improve communication among stakeholders, making it easier to set up a robust compliance framework. Additionally, it helps organizations categorize, store, and deliver regulatory updates without having to frequently modify the rules and linkages that have been set up in the system.
One way to standardize the taxonomy is to set up a centralized GRC repository to store all regulatory updates from across the organization, index updates according to the organizational hierarchy, and map them to multiple GRC attributes such as risks, controls, and policies.
In order to ensure accountability, it is important to clarify the roles and responsibilities of the individuals who manage the compliance function. While a cloud-based content platform will ensure the right information reaches the right set of users, each user should be a seasoned compliance professional with the ability to scrutinize these regulatory updates to determine whether they are applicable to the organization. Relevant SMEs need to be identified within the organization who understand the laws/regulations and have sufficient knowledge to analyze these updates in detail.
How can organizations achieve this? Ensure that there is a first level of screening or assessment by a centralized regulatory coordinator to determine the applicability of regulatory updates to the organization. He or she then passes the mantle on to individual assessors within the relevant departments for detailed impact analyses. Finally, collaboration with external stakeholders also becomes important when regulators, customers, business partners, and other parties need to be informed of any changes in the organization’s overall processes, policies, controls, or other factors.
It is important to clearly document these roles and responsibilities, establishing accountability across the complete information lifecycle — from the time a new alert is delivered to the time it is successfully implemented. Additionally, it is recommended that senior management be actively involved at each stage, and that the board have clear visibility into the whole process.
Every regulatory update needs to be assessed in terms of the business impact it has on the organization. After the initial applicability assessment, each business unit can carry out a detailed impact analysis on an update to identify which risks, controls, policies, procedures, training programs, and reports are affected and need to be revised.
It is also important to group similar regulatory updates, as this helps not only in eliminating duplicates but also in identifying common trends and patterns in the risks, controls, policies, and other areas that are impacted. This analysis then needs to be rolled up according to the defined organizational hierarchy to provide a holistic view of the impact across the enterprise.
At any point in time, an organization should be able to gain a comprehensive view of the number of regulatory updates affecting it, both holistically and by business unit or functional area.
The next step would be to formulate action plans, listing out tasks that need to be assigned to relevant users. Standard workflows need to be defined for the review and approval processes with escalation capabilities when the tasks become overdue. Additionally, to ensure nothing goes amiss, it would help if business users are notified of the tasks that have been assigned to them through standard email notifications and reminders.
At each stage of the implementation process, reports and dashboards should provide visibility into the real-time status of the change, accountability, and the overall impact on the organization. Furthermore, it is important to log any issues or findings with defined remediation plans for quick and efficient issue closure and resolution.
To make these steps easier and achievable, organizations can opt for a robust and comprehensive regulatory change management solution which leverages a common foundation to facilitate multi-dimensional mappings with other GRC elements. Such a solution can help centralize disparate, siloed, and manual operations across business units and geographies, and align them with the organization’s overall business goals and objectives. This will not only help them track and analyze the all too frequent regulatory changes, but also ensure that these changes are effectively and efficiently implemented.
Most startups are focused on getting their business off the ground. As a result, they usually delay policy development until a later date. But here’s why it’s important to draft and implement certain policies right at the start of your business: policies pre-empt and prevent misunderstandings between employees and employers about obligations and behavior at the workplace. More importantly, they help protect a business against lawsuits and employee disputes which could otherwise wipe out a startup before it has had a chance to take off.
Here are a few key policies that startups would do well to focus on:
Many startups provide a consolidated bank of vacation days and sick days that employees can draw from. Other startups offer an unlimited time-off system. Whatever your approach, remember that a time-off system is only as effective as the policy surrounding it.
In one of the companies I worked for, a PTO policy wasn’t implemented until the business was ten years old. By then, significant expenses resulting from accrued vacation had built up. So, even though the PTO policy was eventually established, a number of people were immediately out of compliance since they had accrued more time off than the policy maximum. Addressing these exceptions took considerable time and company resources.
To avoid such mishaps, proactively draft a time-off policy with clear requirements. For instance, in a PTO policy, sick employees should understand that it’s best for them to stay away from work and avoid infecting other people, rather than come into work just because they want to save on their sick days.
Create a chain of approval. So, if employees want time off for a vacation, your policy might require them to get the approval of their team lead as well as their local manager. If there are times of the year when all hands are needed on deck, create a policy that establishes “freeze vacation” periods.
Educate managers to counsel employees who misuse the time-off policy.
In 2013, the Equal Employment Opportunity Commission (EEOC) received over 7,200 charges of sexual harassment. Meanwhile, in a HuffPost/YouGov survey, 32 percent of respondents reported having been harassed by a boss/superior or co-worker.
Instances of workplace sexual harassment or even discrimination due to race, religion, disability, and other factors can not only result in expensive lawsuits, but also severely damage the trust that other employees and customers have in your business. That’s why it’s important to establish policies around sexual harassment and discrimination, up front.
Make sure that these policies clearly define what constitutes sexual harassment and discrimination. Provide clear, real-life examples of the same. For instance, if an employee repeatedly asks a coworker out on a date despite being refused multiple times, it could be construed as sexual harassment. Emphasize zero tolerance for these behaviors.
Encourage employees to raise complaints if they are harassed. Clearly describe in your policy how they should go about it.
More importantly, walk the talk by translating policies into procedures. At one of the companies I worked for, an employee raised a case of sexual harassment against her manager as well as her department head and others. Despite there being a sexual harassment policy in place, appropriate action was not initiated in response to her claim in a timely manner.
So, make sure to train all managers on their roles and responsibilities in preventing as well as responding to sexual harassment or discrimination. Ensure prompt and impartial investigations and action.
In a startup, cash is always scarce. To make sure that it isn’t unnecessarily wasted, implement expense policies that cover things like Internet and cell phone usage, travel, hotels, meals, and entertainment.
Netflix is known for its unusual expense policy, which simply asks employees to “act in Netflix’s best interests.” Depending on the culture/philosophy of your startup, you might implement a similar policy, or perhaps go further and outline exactly which expenses will be covered by your policy, and which won’t.
A 2012 Robert Half Management Resources survey found that CFOs receive many unusual items on expense reports, including cosmetic surgery, lottery tickets, pet food, and even teepees! To avoid such out-of-policy claims, make sure that there’s no ambiguity in your expense policies. At the same time, keep the policies flexible depending on each employee’s roles and responsibilities. For instance, a sales representative could be allowed to spend company resources on taking prospective buyers out to lunch.
Set clear deadlines for submitting expense claims. Reimburse these claims in a timely manner. And ensure that your policy isn’t a maze of complicated processes. Employees shouldn’t have to read a 25-page document of how to submit travel expenses. Keep things simple and straightforward.
Finally, invest in a system that will help you enforce expense policies effectively, and also automate and streamline expense tracking. A cloud-based system is usually cost-effective to implement, and has the flexibility to adapt to changes and growth in your startup. One of the most popular options is Concur.
Here are a few other tips to keep in mind while implementing your policies:
At the end of the day, it’s important to strike a balance between too many and too few policies. Too many policies, especially in a startup, will only create additional administrative complexities. Too few will open your organization to multiple legal and compliance risks. So identify and focus on those policy areas that are important to your organization. More importantly, hire employees who will behave in a way that’s consistent with your company culture, and who will act in your company’s best interests without needing strict compliance monitoring.
This post authored by Shellye Archambeau was originally published by Xconomy. The original article can be accessed here: Three Key Workplace Policies