As organizations strive to keep up with the demands of a dynamic and digital age, compliance priorities are rapidly evolving. New generations of compliance functions will be expected to efficiently manage a wide range of new risks, while also enabling the first line of defense to assume greater responsibility for compliance – all this, with limited resources and budgets.
Against this backdrop, here’s a look at some of the compliance function’s key priorities today:
While there may not be a one-size-fits-all approach to regulatory or corporate compliance, some organizations still cling to distributed and fragmented programs where each department—be it HR, IT, or quality—develops a different set of compliance processes, taxonomies, and systems. Not only is this approach inefficient, but it also limits visibility into compliance risks due to the lack of consistency and normalization in the reported data.
More mature organizations, by comparison, tend to follow a federated approach to compliance – one that standardizes methods, taxonomies, and frameworks for compliance across the enterprise, while at the same time supporting the unique compliance needs of each department. In a federated approach, compliance is centrally coordinated, but managed in a more autonomous manner at the business unit or department level. Various departments work together, collaborating and sharing compliance information and technology.
When there is no collaboration or integration between different compliance departments—be it policy governance, compliance risk management, regulatory change management, compliance case management, or regulatory reporting—the result is a lot of duplication of effort and data. For example, if the purchasing department assesses a third party without knowing that the HR function has already performed the same assessment, they could end up wasting valuable time and effort.
For different teams to collaborate more effectively, it helps to have a common compliance data architecture. That way, instead of struggling with disparate silos of compliance data, teams can leverage a unified data model and taxonomy to consolidate and map all the elements of their compliance universe. They can also share an integrated library of risks, regulations, controls, and objectives where various data elements are mapped to each other in a many-to-many manner.
In Accenture’s 2019 Compliance Risk Study, 60% of respondents agreed that responsibilities previously performed by compliance in the second line of defense are now moving to the first line. Today, the success of a compliance program depends largely on the first line taking more responsibility for compliance and risks in their lines of business. But for the first line to become more risk-aware, they need the right information and tools. Some banks have embedded contextualized compliance and risk data within trading systems or loan processes to help the first line make better risk-aware business decisions. Other organizations are setting up compliance advisory teams to guide and support the first line in understanding the risk implications of potential transactions.
There are many compliance management tools that can help meet the needs of the first line. For example, a centralized online policy portal can simplify access to the policies that the first line needs to ensure that a potential trade or business decision meets compliance requirements. Through the portal, employees can quickly view all the latest published policies, including new announcements, as well as attestation tasks. They can also request policy exceptions. Meanwhile, a centralized compliance management system can help consolidate all the required compliance and control data in one place, so that the first line can better understand their risks and be better prepared for audits.
Organizations with a strong culture of ethics and integrity built into every aspect of their business are likely to face far fewer compliance risks than those that do not prioritize integrity. A strong culture is a core indicator of success, but it is also one of the most difficult objectives to achieve, as it has multiple dimensions and drivers that need to be managed.
Recently one of the largest banks in the world admitted that the lack of a compliant culture was one of the core reasons for repeated breaches and fraud incidents. Their incentive structures were aligned more to growth than to ethics or integrity. Added to that, their business systems were too complicated and disparate to make risk awareness an integral part of the decision-making process.
By contrast, some organizations make it a point to incentivize good behavior and ethical practices in the first line. For example, one of our clients—an insurance firm—created balanced scorecards that integrate metrics around customer complaints and the risks of customer attrition into the calculation of sales incentives. Other clients have created policy governance mechanisms that align policy exceptions to reward and recognition programs. Initiatives like these help organizations embed ethical and cultural expectations deep into their processes, thus encouraging compliant behaviors across their enterprise.
To ensure that optimal resources and investments are directed towards the risks and regulations that matter most, compliance functions need to adopt a risk-based approach to compliance. While all three lines of defense must work together to identify and mitigate risks, the onus is on compliance to identify and manage compliance risks proactively, while also helping their organization avoid potential regulatory or policy violations.
In KPMG’s 2019 CCO survey, 89% of chief compliance officers (CCOs) agreed that their compliance risk assessments incorporate qualitative information and quantitative statistics. However, the report also indicated that there is room to strengthen the participation of compliance in governance or risk committees that discuss inherent risks in the organization’s new products or geographic footprint.
With an integrated compliance management solution, organizations can aggregate and consolidate all their compliance information in a centralized repository. Everybody involved can access the information they need, whenever they need it, in a secure manner with appropriate authorization and access protocols.
An integrated solution can also help organizations define and link foundational compliance elements such as objectives, processes, risks, controls, and regulations. Some solutions can integrate with reliable and authoritative regulatory content sources to capture, store, and monitor regulatory changes, while keeping organizations updated through automated notifications and alerts.
A major benefit of using an integrated compliance solution is the ability to accelerate workflows around policies, cases, compliance assessments, and other processes. At each stage, pending tasks can be tracked, and notifications can be triggered for incomplete actions. In addition, the status of the overall compliance program can be quickly tracked by regulation and by department.
Graphs, dashboards, and charts can be used to track open issues along with their level of criticality. These tools can show the status of policies and attestations, as well as the links between policies, regulations, risks, and controls. The result is a holistic view of compliance which enables stakeholders to proactively spot areas of concern, as well as opportunities for improvement.
After years of dealing with constant regulatory changes and new risks, compliance is entering a new era marked by opportunity and growth. The coming year will call for greater collaboration with the business and other assurance functions, as stakeholders increasingly lean on compliance to guide them through the regulatory complexities and risks ahead. Strong compliance programs, clearly defined processes, and targeted technological investments will be key in meeting these demands.