Compliance is everyone’s responsibility – be it product development, professional services, marketing, sales, or HR. Yet, it is the compliance function that is usually blamed for violations or breaches that occur. It is also the compliance team that is seen as a roadblock to business growth, rather than a trusted partner and enabler.
These misconceptions only hold the organization back. They fail to recognize that compliance teams and business units actually share the same goal: to drive business performance and growth in a way that engenders trust with customers, investors, and stakeholders.
Only when the two lines of defense work together can organizations hope to thrive in an increasingly regulated environment. Business units across the enterprise must realize that they have a key role to play in mitigating compliance risks, assessing controls, and remediating issues. In fact, a truly proactive and sustainable compliance program is one where compliance teams and business units view each other as partners, working closely together to strengthen both compliance and integrity.
Here are a few key areas where compliance teams and business units can collaborate more effectively:
The success of a compliance program depends largely on the front lines taking more responsibility for the risks in their lines of business. However, according to KPMG’s compliance journey report, 32% of Chief Compliance Officers (CCOs) do not agree or do not know if their business units, operations, and IT management are involved in assessing compliance risk.
That needs to change. Organizations must consider realigning responsibilities across the three lines of defense such that the first line is more engaged and more responsible for compliance risk identification, assessment, measurement, and management. That gives the second line the independence they need to provide effective oversight of compliance risks, and to objectively challenge the decisions of the first line.
Technology can help by “layering” risk processes into the systems used by the first line in such a way that these processes become an integral, almost seamless part of business activities. Think mobile apps that allow employees to assess compliance risks from the convenience of their smart phones. Or, automated notification tools that throw up risk alerts when an employee is about to make a potentially non-compliant decision. These capabilities strengthen the adoption of compliance practices in the first line.
Technology can also automatically calculate, aggregate, and roll up data on the quantitative and qualitative impact of risk across business units. Thus, the second line gains the insights they need to track compliance risks by product or service, line of business, legal entity, and/ or country. Based on this data, the team can proactively identify and mitigate the areas of highest risk before they turn into more serious issues.
All key regulations need to be translated into policies and procedures to ensure effective compliance among business units. The challenge arises when there are too many policies, some of which are outdated, and others that are redundant or conflicting.
One way of simplifying the clutter is to streamline policy creation, communication, attestation, and exception. A well-structured policy lifecycle enables the second line to minimize process redundancies, and gain better control over how policies are developed and disseminated.
Another best practice is to map policies to regulations, risks, controls, business processes, business units, and assets. This integrated data model gives compliance teams a clear understanding of how each policy impacts business units, and where the major compliance gaps exist.
For the first line, it’s important to have a centralized policy portal where employees can quickly access all the latest published policies, including new announcements, as well as attestation tasks and requests for policy exceptions. Effective dissemination of policies is also important. Compliance violations can be minimized simply by ensuring that policies are communicated in a simple and engaging manner through well-thought-out training and awareness drives.
It also helps to align the policy program to employee incentives, rewards, and recognition. The greater the incentive, the more motivated employees will be to actively participate in compliance.
As part of a robust compliance program, all non-compliance cases, as well as violations or breaches, need to be documented and tracked proactively. Since the first line is best positioned to observe and report these cases, organizations would do well to ensure that reporting processes are made as simple and intuitive as possible. For instance, questionnaires can be designed in simple, natural business language. Or, employees can be given the flexibility to choose from a range of reporting channels – be it hotlines, emails, or web portals.
Once the case details are documented by the first line, (when the violation occurred, against whom, evidence, priority), a triage team can be assigned to the case depending on its severity and priority. The case can then be examined by a team of internal or external investigators.
After the findings from the investigations have been recorded, a corrective action plan can be implemented by the second line in collaboration with the responsible business units. This coordinated, streamlined effort helps ensure that each case is resolved and remediated effectively.
One of the biggest impediments to compliance is the lack of consistency and coordination in compliance and control processes. Each business unit ends up using their own compliance terms, methodologies, and tools which, in turn, makes it difficult for the second line to gain a clear picture of the organization’s compliance health.
A centralized compliance management system can help overcome these challenges by breaking down restrictive silos, and establishing a “single source of truth” for compliance. It can help in aggregating data on regulations, risks, controls, and policies, while also providing a birds-eye view of overall compliance efforts.
Thus, the organization can gain a better handle on compliance. They can also be better-prepared for audits with all the required data ready in one place. A common centralized repository gives both the business units and the compliance function access to the right compliance information at the right time.
In an era of unforeseen risks and increasing regulations, businesses need to be compliant from the bottom up. Smart, compliance-led controls, policies, and processes supported by robust underlying technology are key to ensuring that regulatory requirements are met.
Compliance and ethical standards need to be owned and practiced by all employees. The compliance team may be accountable as an oversight function and advisor, but the responsibility for compliance does not rest solely with them. Only when the business and the compliance function collaborate towards a common objective, can organizations achieve sustainable compliance.