Chief Compliance Officers (CCO) are confronted with a complex regulatory landscape and dynamic market and economic conditions that pose new challenges while opening up new opportunities. There’s significant pressure on businesses due to growing and changing regulatory requirements as CCOs are tasked to guarantee adherence while also pre-empting risks and ensuring the frontline assumes greater responsibility for compliance. And, all this while treading the tightrope of limited resources and budgets.
In this eBook, we shall walk you through the key focus areas, talk about how to adopt a risk-based and federated approach, explore ways to track regulatory engagements while keeping your policies in sync with evolving regulations, and the need to focus on integrity and culture, especially in a COVID-scarred world. And, while we cut through the clutter of challenges and opportunities, we also tell you how MetricStream can be your partner of choice in this journey.
While there may not be a one-size-fits-all approach to regulatory or corporate compliance, some organizations still follow distributed and fragmented programs where each department — be it HR, IT or quality — develops a different set of compliance processes, taxonomies and systems. This approach is inefficient and somewhat flawed as it limits visibility into compliance risks due to lack of consistency and normalization in the reported data.
Mature organizations, by comparison, tend to follow a federated approach to compliance – one where methods, taxonomies and frameworks for compliance are standardized across the enterprise, but the unique compliance needs of each department are preserved as well. In a federated approach, compliance is centrally coordinated, but managed in a more autonomous manner at the business unit or department levels. All departments work together, collaborating and sharing compliance information and technology.
When there is no collaboration or integration between different compliance departments — be it policy governance, compliance risk management, regulatory change management, compliance case management or regulatory reporting — it results in a lot of duplication of effort and data. For example, if the purchasing department assesses a third party without knowing that the HR function has already performed the same assessment, they could end up wasting valuable time and effort.
For different teams to collaborate more effectively, it helps to have a common compliance data architecture. Instead of struggling with disparate silos of compliance data, teams can leverage a unified data model and taxonomy to consolidate and map all the elements of their compliance universe. They can also share an integrated library of risks, regulations, controls and objectives in which the various data elements are mapped to one another in a many-to-many manner.
Compliance risk is more than just a regulatory issue. It is also a business issue with the potential to damage organizational reputations, diminish customer trust and limit market opportunities. So, while we take the federated route to compliance, let us look at the changing landscape that has called for a renewed approach to compliance.
Over the past decade, compliance risk — that is, the potential for material loss and legal penalties arising from violations of or non-conformance to industry regulations, laws and codes of conduct — has become a key concern for businesses, driven largely by a wave of record-high regulatory fines. The pandemic, for instance, has made it amply clear that not all risks require the same level of protection even as companies are being subjected to unknown and unprecedented risks. Today’s compliance requirements thus call for all-out customization.
A risk-based approach has to be undertaken and customized to suit the needs of each industry type. What will work for the healthcare industry may not work for the financial sector. For instance, the years that followed the financial crisis were marked by a globally coordinated effort to implement stricter regulatory measures aimed at guarding the financial system against future shocks. The Basel III regulations had introduced tighter capital requirements, widened risk coverage, stipulated leverage ratios to protect against excessive borrowing, etc.
We also saw a gradual shift away from global regulation as each geography implemented laws or standards that were specific to its own markets, needs and concerns. As regulatory agendas continued to diverge, global banks and financial services institutions faced the two-fold challenge of not only juggling multiple international compliance requirements that often vary from one jurisdiction to the next, but also conforming to local regulations governing business models and operations. And this geographic diversity will only widen as the COVID-19 crisis makes a geographically scattered workforce the new normal. Meeting the demands of this complex regulatory environment calls for a renewed approach to compliance — one that focuses on analyzing the business impact of regulations, identifying and prioritizing the underlying compliance risks, applying mitigating controls and monitoring the entire system consistently.
The pandemic has upended business operations in many different ways, but even prior to that many financial institutions were seen lagging in their compliance risk management efforts. A McKinsey study found that most senior managers felt more comfortable with their credit-risk management than with their control of compliance risk. In a post-pandemic world, such issues will only get magnified. To get ahead of the curve, organizations must reassess and rearchitect their risk profiles.
What are the best practices for compliance risk in an evolving landscape? It has to begin with stronger business ownership of the risk, of course. Here’s how organizations can move the needle with a robust compliance risk management program.
A systematic assessment of compliance risks across the enterprise enables financial institutions to clearly understand their risk exposure, including the likelihood that a particular compliance risk will occur, the reasons for its occurrence and the extent of its impact. Risk computations also make it easier for organizations to rank and prioritize compliance risks, link them to the appropriate risk owners, choose the right approach to mitigation and allocate resources efficiently. A well-defined risk assessment methodology helps stakeholders understand the impact of compliance risk not just at a financial level, but also at a reputational, legal and business level. Having both qualitative and quantitative risk measures in place goes a long way in providing a nuanced picture of risk. Also of significant value is an integrated compliance data model that can offer a contextual view of risk, that is, in terms of its link with other risks as well as controls, regulations, policies, departments and objectives.
Once compliance risks have been assessed and ranked, the appropriate controls can be chosen to prevent or detect the risks. These controls, in turn, need to be evaluated periodically based on their design and operating effectiveness. Higher risk controls require more comprehensive and frequent evaluations, while lower risk controls may not require as much focus. Compliance software tools can help accelerate control assessments by streamlining and automating the process. Some tools offer predefined criteria and checklists to simplify assessments, along with mechanisms to score, tabulate and report results. Any potential risk issues or exceptions that are found can be documented in the compliance tool, following which a systematic mechanism of issue investigation and remediation can be initiated and tracked up to closure. Many large banks are beginning to rationalize their compliance controls, thereby minimizing redundancies in control testing, while also saving on the time and effort involved in compliance. Fewer and better controls improve not only risk mitigation, but also compliance monitoring and testing.
Some organizations are looking at the use of Robotic Process Automation (RPA) in control assessments. RPA tools have the potential to minimize manual intervention, thereby freeing up time for compliance managers to focus on more strategic, high-priority and value-added tasks.
Compliance managers are almost always under pressure from senior stakeholders to report on the status of compliance risks and controls in as close to real time as possible. Meeting these expectations can be extremely difficult, given the number of departments and processes that a compliance program covers. Reporting becomes even more complex in organizations that operate across multiple countries. Advanced reporting tools can be useful in these situations. Graphical dashboards, for instance, offer compliance managers comprehensive visibility into the compliance risk management process with aggregate reports as well as individual status trackers. Viewers can browse both historical and real-time data on risk, including an analysis of control and risk assessment results. These insights enable compliance managers to stay in constant touch with the ground reality and progress on their compliance risk management program. Automated alerts for events, such as exceptions and failures, help eliminate any surprises and make the compliance process predictable. Many organizations are also exploring the use of advanced analytics and machine learning in detecting and predicting compliance risks. With faster, better and more in-depth risk insights, decision makers can swiftly identify potential compliance blind spots and address them before they snowball into bigger issues — a boon for pandemic-scarred businesses.
As the regulatory landscape gets increasingly divergent and changes at a rapid clip, a robust compliance risk management program is key to reducing the likelihood of compliance failures. It is important that the program becomes an integral part of everyday business operations and a top priority for senior management and company boards.
To ensure that optimal resources and investments are directed towards the risks and regulations that matter the most, compliance functions need to adopt a risk-based approach to compliance. While all three lines of the business must work together to identify and mitigate risks, the onus is on compliance experts to identify and manage compliance risks proactively, while also helping the organization avoid potential regulatory or policy violations.
With an integrated compliance management solution, organizations can aggregate and consolidate all their compliance information in a centralized repository. Everybody involved can access the information they need, whenever they need it, in a secure manner with appropriate authorization and access protocols. An integrated solution can also help organizations define and link foundational compliance elements such as objectives, processes, risks, controls and regulations. Some solutions can integrate with reliable and authoritative regulatory content sources to capture, store and monitor regulatory changes, while keeping organizations updated through automated notifications and alerts.
A major benefit of using an integrated compliance solution is the ability to accelerate workflows around policies, cases, compliance assessments and other processes. At each stage, pending tasks can be tracked and notifications triggered for incomplete actions. The status of the overall compliance program can also be quickly tracked by regulation and by department.
Graphs, dashboards and charts can be used to track open issues along with their level of criticality. These tools can show the status of policies and attestations as well as the links between policies, regulations, risks and controls. The result is a holistic view of compliance that enables stakeholders to proactively spot areas of concern as well as opportunities.
As organizations grapple with new compliance challenges following the COVID-19 crisis, the task of ensuring compliance without disrupting operational efficiencies assumes greater importance. Both regulatory authorities and organizations are learning new ways to deal with this unprecedented crisis. Organizations are now required to ensure compliance with recently updated regulations not only at the federal, state and regional levels, but also at the global level. This will be a work in progress for a while.
As of May 2020, more than 100 countries had issued over 350 regulatory notifications to deal with the COVID-19 crisis. Organizations are now required to adapt to these regulatory changes as soon as possible, as opposed to the pre-pandemic era, when they had adequate time to ensure compliance. What this means is that organizations need to be nimble in understanding and analyzing the new processes and regulations. It is also possible that the regulations will be updated again even before organizations have had time to catch their breath. The dissemination of information on regulatory changes, and the related communication, must therefore be done at a fast clip.
To ease the creases in policy adherence in these unusual times, here are some steps organizations can take to simplify the process of policy change management.
This is important for organizations to make well-informed decisions in a timely manner rather than take ad hoc measures without looking at the larger picture. One way of staying on top of important regulatory updates is by subscribing to regulatory content such as regulatory agency filings, briefs from industry associations, trade publications, specialized media sources such as LexisNexis, or the national and local media. Organizations can also set up tools that integrate directly with these content sources and automatically generate alerts on the latest regulatory updates, which can then be routed to a subject matter expert.
Another way to stay ahead of the curve is by mapping existing regulations to policies and processes ahead of an impending regulatory change. Policies can also be linked with risks and controls. This approach can be employed both by large organizations that deal with hundreds or thousands of policies and by smaller ones that may have fewer than 50 policies. Sifting through each of these policies for every major or minor change in regulations could be a Herculean task. By linking regulations to a policy or a section of a policy, organizations can dramatically reduce the time taken to understand which policy has been impacted by a regulatory change and respond accordingly.
Every time a policy is impacted by a change in regulation, it goes through a cycle of updates, reviews, approvals, communication and attestations. Tracking the policy at every stage is important because it helps identify and address any issues that might arise. This can be done with the use of smart reporting tools and dashboards that can automatically collect and roll up data from within the policy management system. These tools help slice and dice data easily for deeper analyses, allowing organizations to make informed decisions and mitigate compliance-related risks.
As soon as a new regulation comes into effect or an existing one is updated, it should be analyzed by a subject matter expert to assess its impact on organizational policies.
Whether the organization will have to update existing policies in response to the regulatory change or draft new policies altogether
How the potential benefits stack up versus the effort and time required to administer the new policy
If the organization has enough methods to communicate and enforce the updated policy
If the updated policy will improve business performance
Organizations also have to be cognizant of the fact that too many updates and versions of policies could be confusing for employees. The key is to find the right balance. Organizations must conduct impact assessments to determine whether a policy update is really required and whether version controls are needed. A robust policy management system can help streamline regulatory impact assessments and trigger policy update processes with clearly defined review and approval workflows. A single system makes stakeholder collaboration seamless, as it can whittle down the number of phone calls, email exchanges and meetings.
Understanding, analyzing and updating policies is only one half of the job. The other half is educating the workforce about these updates and letting them know how they can impact the business. This can prove to be a really challenging task, particularly for large organizations with employees across departments, business units and locations. Good policy management systems can ease some of this pain and also automatically push out updates to the relevant individuals or departments.
Creative ways can be used to do this. If the policy update is simple, an email blast to employees might suffice. However, if it is a major change, it might warrant a dedicated training session. A policy update can also be made available as a pop-up or widget in the intranet portal, CRM or any other operational system. Whatever the approach, policy training should ideally be as engaging and interactive as possible for best retention.
The same needs to be done for policy attestations. Conducting an interesting survey or quiz to track how much employees have understood a policy update is likely to see more employee participation and provide better insights than a simple yes-no attestation form. All policies and related updates should be stored in a centralized policy portal so that employees can access and read them whenever required.
Compliance and integrity are two sides of the same coin. Organizations that Perform with Integrity™ enjoy brand loyalty of customers, employees and partners. They attract better talent, face less regulatory scrutiny, win more trust and experience fewer conduct-related risks — all of which translate into stronger business performance. According to EY’s 15th Global Fraud Survey, 97% of business leaders recognized the importance of showcasing the fact that their organization acted and operated with integrity.
Integrity exemplifies an organization’s DNA and culture. And, the culture is the responsibility of the whole organization. Whether it is the management team, the board of directors or the frontline, everyone has a key role to play in ensuring that the organization stays true to its mission, acts in an ethical manner and inspires trust.
So, let’s take a look at the role each of these lines of the business play in securing the culture and integrity of an organization.
To build a sustainable culture of integrity, the management team must be able to articulate the organization’s core values in a straightforward, unambiguous and consistent manner. The more employees understand what acting with integrity means (or does not mean), the more likely they will be able to conform to the behavioral expectations. Cultural differences across geographies are a point to ponder in this respect. For instance, local values around practices of gift giving may differ from one region to another and may have a different bearing on corporate policies.
It is incumbent on top management to ensure that employees understand that accountability, transparency and desired behaviors are among the important issues to focus on. Employees must be able to understand why a particular behavior matters, how it impacts the achievement of organizational and personal goals, and what would happen if it is not adhered to. Anyone in the organization who engages in unethical behavior should be held accountable by the management team, regardless of their level of seniority or importance as a resource.
The leadership team must also ensure ways to measure integrity. Tools such as customer surveys, employee reviews and assessments of compliance with codes of conduct can help the management team gauge how effectively integrity is rooted in their organization. And, in all of this, the top management has to lead by example.
In the face of continuing corporate scandals — be it violations of data privacy or falsification of emissions data or the creation of fraudulent banking accounts — the challenge for boards of directors is to find ways to understand and influence integrity and culture across the organization. Standards such as the UK Corporate Governance Code underscore the importance of the board’s role in establishing, assessing and monitoring corporate culture and values.
Some boards institute formal processes and structures to monitor progress and gaps in compliance with integrity standards. They have specific conduct committees that meet every month to oversee corporate compliance with codes of conduct, standards and policies. Boards take corrective actions where necessary and ensure that functions like HR, compliance, risk and Internal Audit (IA) are empowered with sufficient resources to strengthen organizational culture. The emphasis is on better reporting, as such boards demand information on where organizational behaviors are lagging or how many breaches of conduct have occurred.
The frontlines play a big role in the success of cultural initiatives as managers at this level have good visibility into how such initiatives are playing out. They know whether or not employees are motivated, values are being effectively imbibed and whether or not employee behaviors are truly aligned to the organization’s goals. Middle managers are also well-positioned to influence and impact cultural changes through effective communication.
Many organizations have begun to incentivize employees for good behavior and ethical practices. They create balanced scorecards that integrate data around customer complaints and risks of customer attrition into the calculation of sales incentives. Some others have a policy governance tracking mechanism that aligns policy exceptions to rewards and recognition programs. These are all tangible steps for culture adherence that organizations can take. When the management, board and business work in tandem to achieve better compliance and integrity, it’s a boost to the organization’s reputation and morale.
Preparation is key to risk reduction. This is something organizations have imbibed in the past nine months since the pandemic took the wind out of the world’s sails. In this respect, organizations’ compliance maturity is of critical importance. Where an organization sits on the compliance maturity curve depends to a large extent on how effectively it manages regulatory engagements across federal, state and international levels as new rules and regulations emerge across industries and jurisdictional boundaries.
An agile and well-coordinated strategy of responding to regulatory requests on time, managing regulatory meetings efficiently, and ensuring that the business is well prepared for regulatory examinations can build credibility with regulators.
A group of compliance and regulatory experts met in London to discuss the core components of an effective regulatory engagement management program. They spoke about the key challenges faced in regulatory interactions and proposed ways to strengthen regulatory relationships. Here are some of the suggestions for organizations to adopt as best practices.
The journey starts with organizations being more strategic in their approach with the creation of a central “engagement hub” that enables employees to access materials, stay updated on deadlines and understand their deliverables well. The hub can help users connect related engagements and map them to Governance, Risk, and Compliance (GRC) elements such as the organizational hierarchy, risks, controls and regulations. The regulatory engagement team should be able to strategically align their policies and processes with the organization’s risk appetite and compliance culture through a GRC framework.
In organizations that operate in highly regulated industries, employees often have to juggle multiple regulatory engagements. They either meet directly with regulators or help in preparing the materials that regulators review. The larger and more complex the organization is, the greater is the size and scope of this group of individuals. Therefore, it’s important that they form an organized community, with the overall culture and strategy set by a senior executive who has direct access to the C-suite and board.
Boards and senior managers must be able to quickly and easily understand the important regulatory engagement issues that an organization is facing. For that, they need well-structured reports based on good-quality data. These reports should capture interactions with regulators, the organization’s progress in addressing emerging issues, and regulatory engagements in the context of GRC data such as Key Risk Indicators (KRIs) and Key Control Indicators (KCIs), so that informed decisions on technology and other investments can be taken.
It is as important to keep the business in the loop about regulatory engagements as it is to keep senior management informed. While reports for the board and senior management focus on macro trends, reports for the business help it navigate specific regulatory and compliance risks, as well as issues around operational risk and resilience. A “fire hose” approach must be avoided at all costs.
Regulatory engagement intelligence is highly sensitive data. Therefore, there must be strong security and access controls in place to ensure that the information is not obtained and shared in inappropriate ways. In today’s world, spreadsheets and other documents stored on shared servers are not always secure. A dedicated system for regulatory engagement management with defined access and authorization protocols can be a gamechanger.
Regulatory engagement managers often end up spending most of their time on cumbersome manual activities like tracking actions and sending reminders. By automating these processes, managers can be freed up to focus on the processes that truly add value to the compliance program. Automation also reduces the compliance risks associated with human error. Critical activities that can benefit from automation include the process of preparing for an engagement, managing regulatory findings through investigations and remediation and organizing tasks to meet regulatory expectations.
Having structured data handy can make the task of tracking regulatory engagements very efficient. All regulatory engagement team activities, such as meetings, exams, investigations and enforcement actions, produce structured data related to meeting dates, action owners, country or jurisdiction, meeting attendees, etc. Then, there are large volumes of unstructured data related to letters, emails, regulatory reports, etc. The structured data must be mapped to the unstructured data and stored in a single repository so that it can be accessed and worked on by multiple teams. This helps expedite tasks such as preparation for regulatory meetings or creation of internal.
Some regulatory engagements occur every quarter or twice a year or annually. They often require the same set of activities to be performed, be it regulatory capital calculations or some form of conduct risk reporting. To streamline such recurrent tasks and save time, organizations can create an automated set of action point reminders for process stakeholders. A unified system for documentation can help stakeholders adopt a regular reporting rhythm and improve the overall quality of their regulatory engagement activities.
The COVID-19 crisis has redefined and reshaped the compliance team’s role in the organization. As organizations today reimagine risk landscapes and compliance requirements amid more stringent regulatory environments, MetricStream’s mission is to enable them to Perform with Integrity™. Through a range of governance, risk, and compliance (GRC) products and solutions built on an integrated risk platform, we help customers build more risk-aware and compliant cultures.
MetricStream’s M7 Regulatory Compliance and Corporate Compliance solutions help organizations strengthen compliance by adopting an integrated approach. Our M7 Regulatory Compliance and Corporate Compliance solutions help automate various aspects of policy and procedure management, regulatory change management, compliance assessments, control testing, third-party compliance, regulatory engagement management as well as case and incident management.
As the pressure on compliance and regulatory engagement management teams grows, our solutions will help them: