Multiple compliance incidents combined with a dynamic regulatory landscape pose a huge challenge for compliance officers.There are different elements of an effective compliance program that can work together seamlessly and respond in an agile manner to a fast-changing regulatory landscape. Explore this article to find out
Change is the only constant in today’s volatile and fast-paced business environment. No one knows that better than compliance officers, given the sheer volume of regulatory changes that they have to deal with. Tracking these changes is difficult enough, but identifying and assessing their impact on internal business processes is a whole other issue. As regulations evolve, policies need to be reviewed, training courses updated, compliance assessments and exams re-evaluated, and even business processes redesigned.
The challenge is compounded when compliance management processes, including assessments, surveys, and control tests, are managed in an ad hoc, manual manner. A lot of time in such cases is spent sifting through volumes of documents, spreadsheets, and emails to evaluate compliance, build reports, and compare trends across various assessment periods.
While, there is no one-size-fits-all approach to compliance, some organizations leverage a distributed and fragmented approach wherein different departments manage their regulatory requirements independently with little or no collaboration between them. More mature organizations tend to follow a federated approach – one that balances compliance management centralization with distributed participation and collaboration. A recent MetricStream webinar poll confirmed that the majority of organizations (58%) follow a federated approach to compliance, whereas 42% follow a distributed approach. Others employ alternative compliance methods depending on the nature and complexity of the regulations involved.
Whatever the approach, there are key steps that organizations can take to maximize their investments in regulatory compliance. In the following sections, we look at some of these steps, while also exploring how technology can empower compliance professionals to manage, monitor, and communicate compliance information effectively in a changing regulatory landscape.
A common data architecture for compliance enables different teams within the organization to collaborate and work towards similar objectives. Instead of struggling with disparate silos of compliance data, they can leverage a single data model and common taxonomy to consolidate and map all the elements of their compliance universe. Multiple business functions can share an integrated library of risks, regulations, controls, and objectives.
The flexibility of the data model matters. Organizations should be able to link various elements of their compliance universe in a many-to-many manner. This, in turn, simplifies the process of tracking the impact of regulations and regulatory changes on the business. How will an updated regulation affect organizational policies, risks, and controls? Which policy needs to change based on a change in regulation? Does the risk library need to be updated because of a regulatory change? Which controls are linked to those risks? These questions are easier to answer with an integrated compliance data model.
Technology can help by providing the foundation on which to build this data model and taxonomy. It enables compliance professionals to plot and understand the relationships between various compliance data elements at the click of a button, without having to juggle multiple cumbersome spreadsheets and documents.
Organizations spend a considerable amount of time tracking and analyzing regulatory changes. One way to simplify the process is to integrate with authoritative regulatory content sources that provide periodic feeds and updates on regulatory changes. These content providers help ensure that any updates to regulations are not missed. With a robust technology framework, regulatory changes can be fed into the organization as automated alerts, and then directly routed to a subject matter expert who can proactively act on them.
Organizations often translate regulations into corporate policies to better manage and monitor compliance. However, they may end up with hundreds or thousands of policies scattered across the enterprise in various forms and layouts, many of which may be outdated or redundant.
A robust policy management system can help overcome these issues by, first, streamlining the process of policy creation, review, approval, communication, and attestation, thereby minimizing redundancies. Some systems provide a centralized, online policy portal for employees to quickly access policies instead of searching for them across multiple different databases. A common portal helps ensures that all employees and, in some cases, third parties have access to the same version of the latest policy.
The other benefits of a policy management system are automation and reporting. For instance, automated notifications can be triggered to employees for policy attestations, and the details of these attestations can be tracked on dynamic reports and dashboards.
Mapping of policy data elements is also key. While being created, policies or even sections of policies can be mapped to regulations, risks, and controls. This way, every time a regulation is updated, the impacted policies can be easily identified.
Finally, training is essential. Employees need to clearly understand the required policies and how they impact the organization’s compliance posture. Violations can only be minimized when policies are effectively communicated and enforced through effective training and awareness drives.
A risk-based approach to compliance involves identifying compliance risk areas within the organization that are high-risk, and then managing and monitoring those areas on priority. Compliance risks can be measured and scored across business units, processes, and geographies. Based on the risk rating, organizations can effectively plan and implement controls.
Compliance risk assessments help the organization understand the full range of its risk exposure, and flag potential risk events, while also determining why those events may occur and how severe their impact could be. Through an effective assessment, the organization can map its compliance risks to regulations, controls, and other key elements, and allocate the right amount of resources to keep the risks in check. For instance, if there is a high likelihood of an information security violation occurring, the organization can proactively implement the necessary physical, administrative, and technical controls to avoid a security breach.
A recent survey by KPMG indicates that slightly less than 80% of Chief Compliance Officers (CCOs) report that they have a formal compliance risk assessment process in place, and 90% of CCOs identify, assess, and categorize inherent compliance risks. For many, the inherent compliance risk assessment is mostly qualitative; however, some leading organizations gather quantitative data to support their inherent compliance risk assessments which, in turn, makes these assessments more valuable.
Heavily regulated industries like banking and financial services, health care, and pharmaceuticals are often required to follow a structured approach towards managing their engagements with regulators. Technology can streamline the process in multiple ways. It can help track and prioritize requests from regulators, assign tasks to internal teams, and track them to closure from a single point of reference instead of multiple systems or spreadsheets.
Technology also enables all regulatory engagement data to be captured in a central repository, thereby making it easy to share, track, and access the data. Workflows can be easily defined, minimizing inconsistencies or duplication of effort. In addition, graphical dashboards, reports, and metric cards can provide comprehensive and real-time intelligence on various regulatory engagements, tasks, findings, action plans, and trends. These insights can help stakeholders take informed steps towards strengthening the organization’s relationships with regulators.
While compliance risk assessments, policies, and controls go a long way towards minimizing compliance issues, violations can arise. When they do, there must be a streamlined and consistent process to record, investigate, track, and report these cases to closure.
The first step in any case management process is documentation. Technology can help by capturing information on each case in a consistent and systematic manner. Regardless of the channel through which the case is reported – be it hotlines, emails, or a web portal – data on the case can be integrated in a common database. Therefore, if the organization wants to track when a particular compliance violation occurred, against whom, the evidence that exists, or the priority level of the case, all they need to do is log onto a single case management system and pull up the data.
After a case has been documented, it is usually escalated to a triage group which then assigns an individual or team to the case depending on its severity and priority level. The case is then examined by a team of investigators (internal or external), and once their findings have been recorded, a corrective action plan is designed and implemented. There can be multiple parties collaborating on the case for its remediation and resolution.
At the end of the day, a successful compliance program is made up of various elements – regulatory change management, policy and document management, compliance risk management, regulatory engagement management, and case and incident management. Together, these processes and the technology that supports them, enable organizations to respond in an agile manner to a fast-changing regulatory landscape. Having said that, compliance is not an end in itself. When managed well, it enables organizations to build trust with regulators, protect reputations, and keep risks in check – all of which contribute towards building a safer, better-governed world.