Compliance programs are at an inflection point. Regulatory scrutiny is intensifying, even as markets and consumers raise the pressure on organizations to demonstrate greater integrity and transparency. At the same time, individual accountability is increasing, as more senior executives, including CEOs, are held personally liable for compliance violations in their organizations.
Added to that, enterprises are digitizing almost every aspect of their business, and as compliance functions strive to manage the risk and compliance implications of this trend, they also have to grapple with the digitization of their own processes.
Against this background, here’s a look at some of the key compliance areas and best practices that are likely to be in focus through 2020 and beyond.
Organizational ecosystems are rapidly growing more complex and globally distributed. Meanwhile, the regulations they are subject to are fast becoming more numerous and dynamic. How does one manage all these changing requirements as efficiently as possible?
A good way is to integrate the compliance universe by building a unified data model that maps all key compliance elements. This approach can help organizations identify and resolve redundancies or inefficiencies in their compliance program.
The first step in building a unified data model is to map regulatory bodies and areas of compliance together. This makes it easier for organizations to determine commonalities in the scope and objectives of various regulations. Each area of compliance can then be mapped to more granular requirements like specific rules or directives. Finally, context can be established by linking compliance requirements to policies and business units.
A large global bank, dealing with 250+ regulators on a daily basis, uses policies as the point of integration in its compliance data model. Hundreds of regulations across jurisdictions have been integrated and mapped to just 70 policies. The scope of compliance monitoring has thus been reduced, saving the bank time and costs.
Another company, a global retail major, uses controls as their point of integration. The company’s operations are highly decentralized with each region having its own control frameworks. Through a common, yet federated data model, the company has mapped its controls to various policies and regulations. In doing so, they have successfully identified control redundancies across business units, and rationalized their control environment for better efficiency.
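To make the mapping concrete, here is an added example in Python. It is not MetricStream's product and not the actual data of either organization above; the regulations, requirements, policies, regions and controls are constructed for illustration. The model uses policies as the point of integration (the bank's approach) and also groups controls by the requirements they implement (the retailer's approach), so that one data set surfaces both regulation-to-policy consolidation and control redundancies and gaps.

```python
"""Toy unified compliance data model (added example, constructed data)."""
from collections import defaultdict

# Constructed sample data: each regulation imposes a set of requirements.
# REQ-vendor-due-diligence is deliberately left without a policy to show gap detection.
REGULATIONS = {
    "REG-A (privacy)": {"REQ-retention", "REQ-access-logs", "REQ-breach-notify"},
    "REG-B (financial)": {"REQ-access-logs", "REQ-segregation-of-duties",
                          "REQ-retention", "REQ-vendor-due-diligence"},
    "REG-C (sector)": {"REQ-breach-notify", "REQ-access-logs"},
}

# Policies are the point of integration: each policy addresses some requirements.
POLICIES = {
    "POL-data-lifecycle": {"REQ-retention"},
    "POL-logging": {"REQ-access-logs"},
    "POL-incident-response": {"REQ-breach-notify"},
    "POL-access-management": {"REQ-segregation-of-duties"},
}

# Controls are owned by regional business units; key is (region, control id).
CONTROLS = {
    ("EMEA", "CTL-log-retention-90d"): {"REQ-access-logs", "REQ-retention"},
    ("APAC", "CTL-siem-log-retention"): {"REQ-access-logs", "REQ-retention"},
    ("AMER", "CTL-log-retention"): {"REQ-access-logs", "REQ-retention"},
    ("EMEA", "CTL-breach-runbook"): {"REQ-breach-notify"},
    ("AMER", "CTL-breach-runbook"): {"REQ-breach-notify"},
    ("AMER", "CTL-maker-checker"): {"REQ-segregation-of-duties"},
}


def requirements_in_scope():
    """Union of every requirement imposed by any regulation in the model."""
    return set().union(*REGULATIONS.values())


def regulations_served_by_policy():
    """Invert the model: which regulations does each policy (at least partly) satisfy?
    Many regulations collapsing onto few policies is what narrows monitoring scope."""
    served = defaultdict(set)
    for reg, reqs in REGULATIONS.items():
        for pol, pol_reqs in POLICIES.items():
            if reqs & pol_reqs:
                served[pol].add(reg)
    return {pol: sorted(regs) for pol, regs in sorted(served.items())}


def unmapped_requirements():
    """Requirements imposed by some regulation that no policy addresses (a gap)."""
    covered = set().union(*POLICIES.values())
    return sorted(requirements_in_scope() - covered)


def redundant_control_groups():
    """Controls in different units that implement the same requirement set are
    rationalization candidates. Returns [(sorted requirements, sorted controls)]."""
    groups = defaultdict(list)
    for (region, ctl), reqs in CONTROLS.items():
        groups[frozenset(reqs)].append((region, ctl))
    result = [(sorted(reqs), sorted(ctls)) for reqs, ctls in groups.items() if len(ctls) > 1]
    return sorted(result)


def uncontrolled_requirements(region):
    """Requirements in scope that no control in the given region implements."""
    implemented = set()
    for (r, _ctl), reqs in CONTROLS.items():
        if r == region:
            implemented |= reqs
    return sorted(requirements_in_scope() - implemented)


if __name__ == "__main__":
    print("Regulations served by each policy:", regulations_served_by_policy())
    print("Requirements with no policy:", unmapped_requirements())
    print("Redundant control groups:", redundant_control_groups())
    for region in ("AMER", "APAC", "EMEA"):
        print(f"Uncontrolled in {region}:", uncontrolled_requirements(region))
```

The two views come from the same data: the bank's consolidation is `regulations_served_by_policy()`, and the retailer's rationalization is `redundant_control_groups()`. In practice the requirement sets would be far larger and fed from a regulatory content source, but the integrity checks (a requirement with no policy, a region with no control for a requirement) stay the same.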
A critical aspect of any effective compliance program is the ability to treat compliance as a cultural change activity, rather than as a set of enforcement directives from senior management. People across the enterprise need to know where to find the relevant policies, and what to do in situations with adverse compliance implications. The idea is to build a pervasive culture of compliance awareness and self-help through effective training.
It’s also valuable to set a clear tone at the top: one that establishes a certain level of compliance rigor and seriousness. Good compliance behaviors must be incentivized to encourage repeatability. The more that people are rewarded for compliance, the more deeply good behaviors become embedded in the organization’s culture.
Technology can also help instill a culture of compliance. A leading insurance provider uses a balanced scorecard mechanism in its compliance software to align sales incentives with compliance-related metrics such as customer complaints and customer attrition. This approach has significantly improved the way the sales function interacts with clients.
There’s no one-size-fits-all approach to compliance. It can vary greatly from one organization to the next depending on industry and geography, as well as the number and complexity of regulations. However, organizations would do well to have a compliance program that is future-proof, i.e., agile and scalable enough to respond quickly to changes in the regulatory, market, and technology landscapes. Agility by design is almost a given in today’s dynamic business environment.
Many organizations wonder whether their compliance program should be centralized or decentralized. The recommended approach is often a federated one that balances centralized compliance management and data aggregation with decentralized control testing and compliance assessments. A federated program establishes certain commonalities in compliance at an enterprise level, but it also allows for flexibility in how these elements are adapted to meet the unique needs of each department.
Today, everyone’s talking about artificial intelligence (AI), bots, cognitive intelligence, and robotic process automation (RPA) almost as if they were a panacea. Take, for instance, regulatory rule mapping, which is something that many compliance functions, particularly in banking and financial services, struggle with because of the complexity and number of rules and requirements. Can AI and/or bots solve the challenge completely? Is there a magic pill that can be implemented to fix the problem overnight?
In truth, there is none. AI is not a homogeneous tool but rather a number of heterogeneous capabilities that are brought together. Each organization needs to clearly define its specific compliance challenges or use cases, and then choose the right technology to address them.
When identifying the compliance use case, there are two questions to consider. First, what is the source of the data? Depending on whether that data is structured or unstructured, one might choose either descriptive analytics or big data processing to address a specific challenge.
The second question is whether the process is repeatable. Is it deterministic (i.e., outcomes are clear, and no decision-making or analysis is required)? Or is it cognitive (i.e., outcomes are unclear, and some cognitive analysis is required)? Based on the answer, one might go ahead with either RPA or a cognitive rule engine. If the process involves extensive interaction with people, conversational chatbots might make sense.
Compliance officers across industries have a lot on their plates going into 2020. But the possibilities to add value are tremendous. Compliance today isn’t just about avoiding regulatory penalties or fines. It’s about building trust and credibility. That’s where an integrated compliance universe, a focus on culture, and a future-ready compliance function can make a significant difference.
MetricStream offers a comprehensive suite of products and solutions to help organizations simplify and strengthen both regulatory and corporate compliance. These products address multiple aspects of the compliance program, including a centralized library of compliance obligations, compliance assessments, policy management, regulatory change management, regulatory engagement management, and case management. They enable organizations to:
• Establish a tightly mapped framework of their compliance universe, including regulations, policies, processes, assets, risks, controls, and control activities
• Efficiently capture and monitor regulations by integrating with authoritative regulatory content sources
• Improve efficiency by streamlining and automating workflows across compliance control assessments, testing, and issue management
• Simplify policy search across the enterprise through a centralized, easy-to-use policy portal
• Reduce the cycle time required to create, refresh, and align policies with regulatory requirements
• Gain assurance that the organization is compliant with regulatory requirements by simplifying the collection of evidence and attestations
• Improve business performance and decision-making through a unified and real-time view of the organization’s compliance posture