Introduction
Compliance is synonymous with brand reputation and, therefore, a strong compliance function is critical to organizational success. The pandemic has tossed a new curveball our way, making it imperative for organizations to align with the new ways of doing business. So, now more than ever before, compliance management professionals need to stay on top of the complex web of regulatory obligations that govern their businesses and implement measures, processes, and policies in an ethical and legal manner. They must have visibility across the organization to effectively manage and monitor both regulatory and corporate compliance. To keep penalties, fines, lawsuits, work stoppages, and shutdowns at bay, organizations need to embrace compliance to stay ahead of the changing and challenging times.
Whether it is the management team, board of directors, or the frontline, everyone has a key role to play in ensuring that the organization stays true to its mission, keeps its promises, acts in an ethical manner, and inspires trust. Compliance leaders need to empower the different lines of business to demonstrate a culture of trust and integrity.
Chief Compliance Officers (CCO) are confronted with a complex regulatory landscape and dynamic market and economic conditions that pose new challenges. There’s significant pressure on businesses due to growing and changing regulatory requirements as CCOs are tasked to guarantee adherence while also pre-empting risks and ensuring the frontline assumes greater responsibility for compliance. And, all this while treading the tightrope of limited resources and budgets.
In this eBook, we shall walk you through the key focus areas, talk about how to adopt a risk-based and federated approach, explore ways to track regulatory engagements while keeping your policies in sync with evolving regulations, and the need to focus on integrity and culture. And, while we cut through the clutter of challenges and opportunities, we also tell you how MetricStream can be your partner of choice in this journey.
Follow a Federated Approach to Compliance
While there may not be a one-size-fits-all approach to regulatory or corporate compliance, some organizations still follow distributed and fragmented programs where each department — be it HR, IT, or quality — develops a different set of compliance processes, taxonomies, and systems. This approach is inefficient and somewhat flawed as it limits visibility into compliance risks due to a lack of consistency and normalization in the reported data.
Mature organizations, by comparison, tend to follow a federated approach to compliance – one where methods, taxonomies, and frameworks for compliance are standardized across the enterprise, but the unique compliance needs of each department are preserved as well. In a federated approach, compliance is centrally coordinated but managed in a more autonomous manner at the business unit or department levels. All departments work together, collaborating and sharing compliance information and technology.
When there is no collaboration or integration between different compliance departments — be it policy governance, compliance risk management, regulatory change management, compliance case management, or regulatory reporting — it results in a lot of duplication of effort and data. For example, if the purchasing department assesses a third party without knowing that the HR function has already performed the same assessment, they could end up wasting valuable time and effort.
For different teams to collaborate more effectively, it helps to have a common compliance data architecture. What that does is, instead of having teams struggle with disparate silos of compliance data, they can leverage a unified data model and taxonomy to consolidate and map all the elements of their compliance universe. They can also share an integrated library of risks, regulations, controls, and objectives where various data elements are mapped to one another in a many-to-many manner.
Move the Needle: Adopt a Risk-based Approach
Compliance risk is more than just a regulatory issue. It is also a business issue with the potential to damage organizational reputations, diminish customer trust, and limit market opportunities. So, while we take the federated route to compliance, let us look at the changing landscape that has called for a renewed approach to compliance.
Over the past decade, compliance risk — that is, the potential for material loss and legal penalties arising from violations of or non-conformance to industry regulations, laws, and codes of conduct — has become a key concern for businesses, driven largely by a wave of record-high regulatory fines. The pandemic, for instance, made it amply clear that not all risks require the same level of protection even as companies are being subjected to unknown and unprecedented risks. Today’s compliance requirements, thus, call for an all-out customization.
A risk-based approach has to be undertaken and customized to suit the needs of each industry type. What will work for the healthcare industry may not work for the financial sector. For instance, the years that followed the financial crisis were marked by a globally coordinated effort to implement stricter regulatory measures aimed at guarding the financial system against future shocks. The Basel III regulations introduced tighter capital requirements, widened risk coverage, stipulated leverage ratios to protect against excessive borrowing, etc.
We also saw a gradual shift away from global regulation as each geography implemented laws or standards that were specific to their own markets, needs, and concerns. As regulatory agendas continued to diverge, global banks and financial services institutions faced the two-fold challenge of not only juggling multiple international compliance requirements that often vary from one jurisdiction to the next but also conforming to local regulations governing business models and operations. Meeting the demands of this complex regulatory environment calls for a renewed approach to compliance — one that focuses on analyzing the business impact of regulations, identifying and prioritizing the underlying compliance risks, applying mitigating controls, and monitoring the entire system consistently.
The pandemic has upended business operations in many different ways, but even prior to that many financial institutions were seen lagging in their compliance risk management efforts. A McKinsey study found that most senior managers felt more comfortable with their credit-risk management than with their control of compliance risk. In a post-pandemic world, such issues will only get magnified. To get ahead of the curve, organizations must reassess and rearchitect their risk profiles.
What are the best practices for compliance risk in an evolving landscape? It has to begin with a stronger business ownership of the risk, of course. Here’s how organizations can move the needle with a robust compliance risk management program
Assess and Prioritize Risks
A systematic assessment of compliance risks across the enterprise enables financial institutions to clearly understand their risk exposure, including the likelihood that a particular compliance risk will occur, the reasons for its occurrence, and the extent of its impact. Risk computations also make it easier for organizations to rank and prioritize compliance risks, link them to the appropriate risk owners, choose the right approach to mitigation, and allocate resources efficiently. A well-defined risk assessment methodology helps stakeholders understand the impact of compliance risk not just at a financial level, but also at a reputational, legal, and business level. Having both qualitative and quantitative risk measures in place goes a long way in providing a nuanced picture of risk. Also of significant value is an integrated compliance data model that can offer a contextual view of risk, that is, in terms of its link with other risks as well as controls, regulations, policies, departments, and objectives.
Determine the Right Controls
Once compliance risks have been assessed and ranked, the appropriate controls can be chosen to prevent or detect the risks. These controls, in turn, need to be evaluated periodically based on their design and operating effectiveness. Higher risk controls require more comprehensive and frequent evaluations, while lower risk controls may not require as much focus. Compliance software tools can help accelerate control assessments by streamlining and automating the process. Some tools offer predefined criteria and checklists to simplify assessments, along with mechanisms to score, tabulate and report results. Any potential risk issues or exceptions that are found can be documented in the compliance tool, following which a systematic mechanism of issue investigation and remediation can be initiated and tracked up to closure. Many large banks are beginning to rationalize their compliance controls, thereby minimizing redundancies in control testing, while also saving on the time and effort involved in compliance. Fewer and better controls improve not only risk mitigation, but also compliance monitoring and testing.
Some organizations are looking at the use of Robotic Process Automation (RPA) in control assessments. RPA tools have the potential to minimize manual intervention, thereby freeing up time for compliance managers to focus on more strategic, high-priority, and value-added tasks.
Report Findings Early and in Real Time
Compliance managers are almost always under pressure from senior stakeholders to report on the status of compliance risks and controls in as close to real time as possible. Meeting these expectations can be extremely difficult, given the number of departments and processes that a compliance program covers. Reporting becomes even more complex in organizations that operate across multiple countries. Advanced reporting tools can be useful in these situations. Graphical dashboards, for instance, offer compliance managers comprehensive visibility into the compliance risk management process with aggregate reports as well as individual status trackers. Viewers can browse both historical and real-time data on risk, including an analysis of control and risk assessment results. These insights enable compliance managers to stay in constant touch with the ground reality and progress on their compliance risk management program. Automated alerts for events, such as exceptions and failures, help eliminate any surprises and make the compliance process predictable. Many organizations are also exploring the use of advanced analytics and machine learning in detecting and predicting compliance risks. With faster, better, and more in-depth risk insights, decision-makers can swiftly identify potential compliance blind spots and address them before they snowball into bigger issues.
As the regulatory landscape gets increasingly divergent and changes at a rapid clip, a robust compliance risk management program is key to reducing the likelihood of compliance failures. It is important that the program becomes an integral part of everyday business operations and a top priority for senior management and company boards.
To ensure that optimal resources and investments are directed towards the risks and regulations that matter the most, compliance functions need to adopt a risk-based approach to compliance. While all the three lines of the business must work together to identify and mitigate risks, the onus is on compliance experts to identify and manage compliance risks proactively, while also helping the organization avoid potential regulatory or policy violations.
An Integrated and Holistic Solution
With an integrated compliance management solution, organizations can aggregate and consolidate all their compliance information in a centralized repository. Everybody involved can access the information they need and whenever they need it in a secure manner with appropriate authorization and access protocols. An integrated solution can also help organizations define and link foundational compliance elements such as objectives, processes, risks, controls, and regulations. Some solutions can integrate with reliable and authoritative regulatory content sources to capture, store, and monitor regulatory changes while keeping organizations updated through automated notifications and alerts.
A major benefit of using an integrated compliance solution is the ability to accelerate workflows around policies, cases, compliance assessments, and other processes. At each stage, pending tasks can be tracked and notifications triggered for incomplete actions. The status of the overall compliance program can also be quickly tracked by regulation and by department.
Graphs, dashboards, and charts can be used to track open issues along with their level of criticality. These tools can show the status of policies and attestations as well as the links between policies, regulations, risks, and controls. The result is a holistic view of compliance that enables stakeholders to proactively spot areas of concern as well as opportunities.
Sync Your Policies with Evolving Regulations
As organizations grapple with new compliance challenges, the task of ensuring compliance without disrupting operational efficiencies assumes greater importance. Both regulatory authorities and organizations are learning new ways to deal with this unprecedented crisis. Organizations are now required to ensure compliance with recently-updated regulations not only at the federal, state and regional levels, but also at the global level. This will be a work in progress for a while now.
What this means is that organizations need to be nimble in understanding and analyzing the new processes and regulations. And, it is possible that the regulations may get updated again even before the organizations have time to catch their breath. The dissemination of information on the regulatory changes and the related communication too must be done at a fast clip. To ease the creases in policy adherence in these unusual times, here are some steps organizations can take to simplify the process of policy change management.
Proactively Track Regulatory Updates
This is important for organizations to make well-informed decisions in a timely manner rather than take ad hoc measures without looking at the larger picture. One way of staying on top of important regulatory updates is by subscribing to various regulatory content such as regulatory agency filings, briefs from industry associations, trade publications, specialized media sources or the national and local media. Organizations can also set up tools that integrate directly with these content sources and automatically generate alerts on the latest regulatory updates, which can then be routed to a subject matter expert.
Another way to stay ahead of the curve is by mapping existing regulations to policies and processes ahead of an impending regulatory change. Policies can also be linked with risks and controls. This approach could be employed by both large organizations that deal with hundreds or thousands of policies and smaller ones that may have less than 50 policies. Sifting through each of these policies for every major or minor change in regulations could be a Herculean task. By linking regulations to a policy or a section of a policy, organizations can dramatically reduce the time taken to understand which policy has been impacted by a regulatory change and respond accordingly.
Closely Monitor the Policy Change Lifecycle
Every time a policy is impacted by a change in regulation, it goes through a cycle of updates, reviews, approvals, communication, and attestations. Tracking the policy at every stage is important because it helps identify and address any issues that might arise. This can be done with the use of smart reporting tools and dashboards that can automatically collect and roll up data from within the policy management system. These tools help slice and dice data easily for deeper analyses, allowing organizations to make informed decisions and mitigate compliance-related risks.
Conduct Impact Assessments and Update Policies Strategically
As soon as a new regulation comes into effect or an existing one is updated, it should be analyzed by a subject matter expert to assess its impact on organizational policies.
Things to be Determined
- Whether the organization will have to update existing policies in response to the regulatory change or draft new policies altogether
- How potential benefits stack up versus the effort and time required to administer the new policy
- If the organization has enough methods to communicate and enforce the updated policy
- If the updated policy will improve business performance
Organizations also have to be cognizant of the fact that too many updates and versions of policies could be confusing for employees. The key is to find the right balance. Organizations must conduct impact assessments to determine if a policy update is really required and if there should be any version controls. A robust policy management system can help streamline regulatory impact assessments and trigger policy update processes with clearly defined review and approval workflows. A single system can be a handy solution by making stakeholders' collaboration seamless as it can whittle down the number of phone calls, email exchanges, and meetings.
Keep Employees Consistently Engaged
Understanding, analyzing, and updating policies is only one-half of the job. The other half is educating the workforce about these updates and letting them know how they can impact the business. This can prove to be a really challenging task, particularly for large organizations with employees across departments, business units, and locations. Good policy management systems can ease some of this pain by automatically pushing out updates to the relevant individuals or departments.
Creative ways can be used to do this. If the policy update is simple, an email blast to employees might suffice. However, if it is a major change, it might warrant a dedicated training session. A policy update can also be made available as a pop-up or widget in the intranet portal, CRM, or any other operational system. Whatever the approach, policy training should ideally be as engaging and interactive as possible for best retention.
The same needs to be done for policy attestations. Conducting an interesting survey or quiz to track how much employees have understood a policy update is likely to see more employee participation and provide better insights than a simple yes-no attestation form. All policies and related updates should be stored in a centralized policy portal so that employees can access and read them whenever required.
Focus on Integrity and Culture Role of Management, Boards, and the Frontline
Compliance and integrity are two sides of the same coin. Organizations that perform with integrity enjoy the brand loyalty of customers, employees, and partners. They attract better talent, face less regulatory scrutiny, win more trust, and experience fewer conduct-related risks — all of which translate into stronger business performance. According to EY’s 15th Global Fraud Survey, 97% of business leaders recognized the importance of showcasing the fact that their organization acted and operated with integrity.
Integrity exemplifies an organization’s DNA and culture. And, the culture is the responsibility of the whole organization. Whether it is the management team, the board of directors, or the frontline, everyone has a key role to play in ensuring that the organization stays true to its mission, acts in an ethical manner, and inspires trust.
So, let’s take a look at the role each of these lines of the business plays in securing the culture and integrity of an organization.
The Top Management: Lead from the Front
To build a sustainable culture of integrity, the management team must be able to articulate the organization’s core values in a straightforward, unambiguous, and consistent manner. The more the employees understand what acting with integrity means (or does not), the more likely they will be able to conform to behavioral expectations. Cultural differences across geographies is a point to ponder in this respect. For instance, local values around practices of gift-giving may differ from one region to another and may have a different bearing on corporate policies.
It is the onus of the top management to let employees understand that accountability, transparency, and desired behaviors are some of the important issues to focus on. Employees must be able to understand why a particular behavior matters, how it impacts the achievement of organizational and personal goals, and what would happen if not adhered to. Anyone in the organization who engages in unethical behavior should be held accountable by the management team, regardless of their level of seniority or importance as a resource.
The leadership team must also ensure ways to measure integrity. Tools such as customer surveys, employee reviews, and assessments of compliance with codes of conduct can help the management team gauge how effectively integrity is rooted in their organization. And, in all of this, the top management has to lead by example.
Board of Directors: Exercise Stewardship
In the face of continuing corporate scandals — be it violations of data privacy or falsification of emissions data or the creation of fraudulent banking accounts — the challenge for boards of directors is to find ways to understand and influence integrity and culture across the organization. Standards such as the UK Corporate Governance Code underscore the importance of the board’s role in establishing, assessing and monitoring corporate culture and values.
Some boards institute formal processes and structures to monitor progress and gaps in compliance. They have specific conduct committees that meet every month to oversee corporate compliance with codes of conduct, standards, and policies. Boards take corrective actions where necessary and ensure that functions like HR, compliance, risk, and Internal Audit (IA) are empowered with sufficient resources to strengthen organizational culture. The emphasis is on better reporting as such boards demand information on where organizational behaviors are lagging or how many breaches of conduct have occurred.
Middle and Lower Management: The Eyes and the Ears
The frontlines play a big role in the success of cultural initiatives as managers at this level have good visibility into how such initiatives are playing out. They know whether or not employees are motivated, values are being effectively imbibed, and whether or not employee behaviors are truly aligned with the organization’s goals. Middle managers are also well-positioned to influence and impact cultural changes through effective communication.
Many organizations have begun to incentivize employees for good behavior and ethical practices. They create balanced scorecards that integrate data around customer complaints and risks of customer attrition into the calculation of sales incentives. Some others have a policy governance tracking mechanism that aligns policy exceptions to rewards and recognition programs. These are all tangible steps for culture adherence that organizations can take. When the management, board and business work in tandem to achieve better compliance and integrity, it’s a boost to the organization’s reputation and morale.
Track Your Regulatory Engagements Effectively
Preparing is key to risk reduction. In this respect, organizations’ compliance maturity is of critical importance. Where on the compliance maturity curve an organization is, depends to a large extent on how effectively it manages regulatory engagements across federal, state, and international levels as new rules and regulations emerge across industries and jurisdictional boundaries.
An agile and well-coordinated strategy of responding to regulatory requests on time, managing regulatory meetings efficiently, and ensuring that the business is well-prepared for regulatory examinations can build credibility with regulators.
A group of compliance and regulatory experts met in London to discuss the core components of an effective regulatory engagement management program. They spoke about the key challenges faced in regulatory interactions and proposed ways to strengthen regulatory relationships. Here are some of the suggestions for organizations to adopt as best practices.
Be More Strategic
The journey starts with organizations being more strategic in their approach with the creation of a central “engagement hub” that enables employees to access materials, stay updated on deadlines, and understand their deliverables well. The hub can help users connect related engagements,and map them to Governance, Risk, and Compliance (GRC) elements such as the organizational hierarchy, risks, controls, and regulations. The regulatory engagement team should be able to strategically its their policies and processes with the organization’s risk appetite and compliance culture through a GRC framework.
Create an Internal Regulatory Engagement Community
In organizations that operate in highly regulated industries, employees often have to juggle multiple regulatory engagements. They either meet directly with regulators or help in preparing the materials that regulators review. The larger and more complex the organization is, the greater the size and scope of this group of individuals. Therefore, it’s important that they form an organized community, with the overall culture and strategy set by a senior executive who has direct access to the C-suite and board.
Keep the Senior Management, Board as well as the Business in the Loop
Boards and senior managers must quickly and easily understand the important regulatory engagement issues that an organization is facing. For that, they need well-structured reports based on good-quality data. These reports should capture interactions with regulators, the organization’s progress in addressing emerging issues, and regulatory engagements in the context of GRC data such as Key Risk Indicators (KRIs) and Key Control Indicators (KRIs) so that informed decisions on technology and other investments can be taken.
It is as important to keep the business in the loop about regulatory engagements as the senior management. While reports for the board and senior management focus on macro trends, reports for the business help effectively navigate specific regulatory and compliance risks, issues around operational risks and resilience. A “fire hose” approach must be avoided at all costs.
Enable Secure Access to Regulatory Engagement Information
Regulatory engagement intelligence is highly sensitive data. Therefore, there must be strong security and access controls in place to ensure that the information is not obtained and shared in inappropriate ways. In today’s world, spreadsheets and other documents stored on shared servers are not always secure. A dedicated system for regulatory engagement management with defined access and authorization protocols can be a game-changer.
Leverage Good Quality Data and Automation
Regulatory engagement managers often end up spending most of their time on cumbersome manual activities like tracking actions and sending reminders. By automating these processes, managers can be freed up to focus on the processes that truly add value to the compliance program. Automation also reduces the compliance risks associated with human error. Critical activities that can benefit from automation include the process of preparing for an engagement, managing regulatory findings through investigations and remediation, and organizing tasks to meet regulatory expectations.
Having structured data handy can make the task of tracking regulatory engagements very efficient. All regulatory engagement team activities such as meetings, exams, investigations, and enforcement actions produce structured data related to meeting dates, action owners, country or jurisdiction, meeting attendees, etc. Then, there are large volumes of unstructured data related to letters, emails, regulatory reports, etc. The unstructured data must be mapped to the unstructured one and stored in a single repository so that it can be accessed and worked on by multiple teams. This helps expedite tasks such as preparation for regulatory meetings or the creation of internal.
Create Repeatable Processes
Some regulatory engagements occur every quarter or twice a year or annually. They often require the same set of activities to be performed, be it regulatory capital calculations or some form of conduct risk reporting. To streamline such recurrent tasks and save time, organizations can create an automated set of action point reminders for process stakeholders. A unified system for documentation can help stakeholders adopt a regular reporting rhythm and improve the overall quality of their regulatory engagement activities.
How MetricStream Can Help
As organizations today reimagine risk landscapes and compliance requirements amid more stringent regulatory environments, MetricStream’s mission is to enable them to thrive on risk. Through a range of governance, risk, and compliance (GRC) products and solutions built on an integrated platform, we help customers build more risk-aware and compliant cultures
MetricStream’s Regulatory Compliance and Corporate Compliance solutions help organizations strengthen compliance by adopting an integrated approach. The solutions help automate various aspects of policy and procedure management, regulatory change management, compliance assessments, control testing, third-party compliance, regulatory engagement management as well as case and incident management.
As the pressure on compliance and regulatory engagement management teams grows, our solutions will help them:
Compliance is synonymous with brand reputation and, therefore, a strong compliance function is critical to organizational success. The pandemic has tossed a new curveball our way, making it imperative for organizations to align with the new ways of doing business. So, now more than ever before, compliance management professionals need to stay on top of the complex web of regulatory obligations that govern their businesses and implement measures, processes, and policies in an ethical and legal manner. They must have visibility across the organization to effectively manage and monitor both regulatory and corporate compliance. To keep penalties, fines, lawsuits, work stoppages, and shutdowns at bay, organizations need to embrace compliance to stay ahead of the changing and challenging times.
Whether it is the management team, board of directors, or the frontline, everyone has a key role to play in ensuring that the organization stays true to its mission, keeps its promises, acts in an ethical manner, and inspires trust. Compliance leaders need to empower the different lines of business to demonstrate a culture of trust and integrity.
Chief Compliance Officers (CCO) are confronted with a complex regulatory landscape and dynamic market and economic conditions that pose new challenges. There’s significant pressure on businesses due to growing and changing regulatory requirements as CCOs are tasked to guarantee adherence while also pre-empting risks and ensuring the frontline assumes greater responsibility for compliance. And, all this while treading the tightrope of limited resources and budgets.
In this eBook, we shall walk you through the key focus areas, talk about how to adopt a risk-based and federated approach, explore ways to track regulatory engagements while keeping your policies in sync with evolving regulations, and the need to focus on integrity and culture. And, while we cut through the clutter of challenges and opportunities, we also tell you how MetricStream can be your partner of choice in this journey.
While there may not be a one-size-fits-all approach to regulatory or corporate compliance, some organizations still follow distributed and fragmented programs where each department — be it HR, IT, or quality — develops a different set of compliance processes, taxonomies, and systems. This approach is inefficient and somewhat flawed as it limits visibility into compliance risks due to a lack of consistency and normalization in the reported data.
Mature organizations, by comparison, tend to follow a federated approach to compliance – one where methods, taxonomies, and frameworks for compliance are standardized across the enterprise, but the unique compliance needs of each department are preserved as well. In a federated approach, compliance is centrally coordinated but managed in a more autonomous manner at the business unit or department levels. All departments work together, collaborating and sharing compliance information and technology.
When there is no collaboration or integration between different compliance departments — be it policy governance, compliance risk management, regulatory change management, compliance case management, or regulatory reporting — it results in a lot of duplication of effort and data. For example, if the purchasing department assesses a third party without knowing that the HR function has already performed the same assessment, they could end up wasting valuable time and effort.
For different teams to collaborate more effectively, it helps to have a common compliance data architecture. What that does is, instead of having teams struggle with disparate silos of compliance data, they can leverage a unified data model and taxonomy to consolidate and map all the elements of their compliance universe. They can also share an integrated library of risks, regulations, controls, and objectives where various data elements are mapped to one another in a many-to-many manner.
Compliance risk is more than just a regulatory issue. It is also a business issue with the potential to damage organizational reputations, diminish customer trust, and limit market opportunities. So, while we take the federated route to compliance, let us look at the changing landscape that has called for a renewed approach to compliance.
Over the past decade, compliance risk — that is, the potential for material loss and legal penalties arising from violations of or non-conformance to industry regulations, laws, and codes of conduct — has become a key concern for businesses, driven largely by a wave of record-high regulatory fines. The pandemic, for instance, made it amply clear that not all risks require the same level of protection even as companies are being subjected to unknown and unprecedented risks. Today’s compliance requirements, thus, call for an all-out customization.
A risk-based approach has to be undertaken and customized to suit the needs of each industry type. What will work for the healthcare industry may not work for the financial sector. For instance, the years that followed the financial crisis were marked by a globally coordinated effort to implement stricter regulatory measures aimed at guarding the financial system against future shocks. The Basel III regulations introduced tighter capital requirements, widened risk coverage, stipulated leverage ratios to protect against excessive borrowing, etc.
We also saw a gradual shift away from global regulation as each geography implemented laws or standards that were specific to their own markets, needs, and concerns. As regulatory agendas continued to diverge, global banks and financial services institutions faced the two-fold challenge of not only juggling multiple international compliance requirements that often vary from one jurisdiction to the next but also conforming to local regulations governing business models and operations. Meeting the demands of this complex regulatory environment calls for a renewed approach to compliance — one that focuses on analyzing the business impact of regulations, identifying and prioritizing the underlying compliance risks, applying mitigating controls, and monitoring the entire system consistently.
The pandemic has upended business operations in many different ways, but even prior to that many financial institutions were seen lagging in their compliance risk management efforts. A McKinsey study found that most senior managers felt more comfortable with their credit-risk management than with their control of compliance risk. In a post-pandemic world, such issues will only get magnified. To get ahead of the curve, organizations must reassess and rearchitect their risk profiles.
What are the best practices for compliance risk in an evolving landscape? It has to begin with a stronger business ownership of the risk, of course. Here’s how organizations can move the needle with a robust compliance risk management program
Assess and Prioritize Risks
A systematic assessment of compliance risks across the enterprise enables financial institutions to clearly understand their risk exposure, including the likelihood that a particular compliance risk will occur, the reasons for its occurrence, and the extent of its impact. Risk computations also make it easier for organizations to rank and prioritize compliance risks, link them to the appropriate risk owners, choose the right approach to mitigation, and allocate resources efficiently. A well-defined risk assessment methodology helps stakeholders understand the impact of compliance risk not just at a financial level, but also at a reputational, legal, and business level. Having both qualitative and quantitative risk measures in place goes a long way in providing a nuanced picture of risk. Also of significant value is an integrated compliance data model that can offer a contextual view of risk, that is, in terms of its link with other risks as well as controls, regulations, policies, departments, and objectives.
Determine the Right Controls
Once compliance risks have been assessed and ranked, the appropriate controls can be chosen to prevent or detect the risks. These controls, in turn, need to be evaluated periodically based on their design and operating effectiveness. Higher risk controls require more comprehensive and frequent evaluations, while lower risk controls may not require as much focus. Compliance software tools can help accelerate control assessments by streamlining and automating the process. Some tools offer predefined criteria and checklists to simplify assessments, along with mechanisms to score, tabulate and report results. Any potential risk issues or exceptions that are found can be documented in the compliance tool, following which a systematic mechanism of issue investigation and remediation can be initiated and tracked up to closure. Many large banks are beginning to rationalize their compliance controls, thereby minimizing redundancies in control testing, while also saving on the time and effort involved in compliance. Fewer and better controls improve not only risk mitigation, but also compliance monitoring and testing.
Some organizations are looking at the use of Robotic Process Automation (RPA) in control assessments. RPA tools have the potential to minimize manual intervention, thereby freeing up time for compliance managers to focus on more strategic, high-priority, and value-added tasks.
Report Findings Early and in Real Time
Compliance managers are almost always under pressure from senior stakeholders to report on the status of compliance risks and controls in as close to real time as possible. Meeting these expectations can be extremely difficult, given the number of departments and processes that a compliance program covers. Reporting becomes even more complex in organizations that operate across multiple countries. Advanced reporting tools can be useful in these situations. Graphical dashboards, for instance, offer compliance managers comprehensive visibility into the compliance risk management process with aggregate reports as well as individual status trackers. Viewers can browse both historical and real-time data on risk, including an analysis of control and risk assessment results. These insights enable compliance managers to stay in constant touch with the ground reality and progress on their compliance risk management program. Automated alerts for events, such as exceptions and failures, help eliminate any surprises and make the compliance process predictable. Many organizations are also exploring the use of advanced analytics and machine learning in detecting and predicting compliance risks. With faster, better, and more in-depth risk insights, decision-makers can swiftly identify potential compliance blind spots and address them before they snowball into bigger issues.
As the regulatory landscape gets increasingly divergent and changes at a rapid clip, a robust compliance risk management program is key to reducing the likelihood of compliance failures. It is important that the program becomes an integral part of everyday business operations and a top priority for senior management and company boards.
To ensure that optimal resources and investments are directed towards the risks and regulations that matter the most, compliance functions need to adopt a risk-based approach to compliance. While all the three lines of the business must work together to identify and mitigate risks, the onus is on compliance experts to identify and manage compliance risks proactively, while also helping the organization avoid potential regulatory or policy violations.
An Integrated and Holistic Solution
With an integrated compliance management solution, organizations can aggregate and consolidate all their compliance information in a centralized repository. Everybody involved can access the information they need and whenever they need it in a secure manner with appropriate authorization and access protocols. An integrated solution can also help organizations define and link foundational compliance elements such as objectives, processes, risks, controls, and regulations. Some solutions can integrate with reliable and authoritative regulatory content sources to capture, store, and monitor regulatory changes while keeping organizations updated through automated notifications and alerts.
A major benefit of using an integrated compliance solution is the ability to accelerate workflows around policies, cases, compliance assessments, and other processes. At each stage, pending tasks can be tracked and notifications triggered for incomplete actions. The status of the overall compliance program can also be quickly tracked by regulation and by department.
Graphs, dashboards, and charts can be used to track open issues along with their level of criticality. These tools can show the status of policies and attestations as well as the links between policies, regulations, risks, and controls. The result is a holistic view of compliance that enables stakeholders to proactively spot areas of concern as well as opportunities.
As organizations grapple with new compliance challenges, the task of ensuring compliance without disrupting operational efficiencies assumes greater importance. Both regulatory authorities and organizations are learning new ways to deal with this unprecedented crisis. Organizations are now required to ensure compliance with recently-updated regulations not only at the federal, state and regional levels, but also at the global level. This will be a work in progress for a while now.
What this means is that organizations need to be nimble in understanding and analyzing the new processes and regulations. And, it is possible that the regulations may get updated again even before the organizations have time to catch their breath. The dissemination of information on the regulatory changes and the related communication too must be done at a fast clip. To ease the creases in policy adherence in these unusual times, here are some steps organizations can take to simplify the process of policy change management.
Proactively Track Regulatory Updates
This is important for organizations to make well-informed decisions in a timely manner rather than take ad hoc measures without looking at the larger picture. One way of staying on top of important regulatory updates is by subscribing to various regulatory content such as regulatory agency filings, briefs from industry associations, trade publications, specialized media sources or the national and local media. Organizations can also set up tools that integrate directly with these content sources and automatically generate alerts on the latest regulatory updates, which can then be routed to a subject matter expert.
Another way to stay ahead of the curve is by mapping existing regulations to policies and processes ahead of an impending regulatory change. Policies can also be linked with risks and controls. This approach could be employed by both large organizations that deal with hundreds or thousands of policies and smaller ones that may have less than 50 policies. Sifting through each of these policies for every major or minor change in regulations could be a Herculean task. By linking regulations to a policy or a section of a policy, organizations can dramatically reduce the time taken to understand which policy has been impacted by a regulatory change and respond accordingly.
Closely Monitor the Policy Change Lifecycle
Every time a policy is impacted by a change in regulation, it goes through a cycle of updates, reviews, approvals, communication, and attestations. Tracking the policy at every stage is important because it helps identify and address any issues that might arise. This can be done with the use of smart reporting tools and dashboards that can automatically collect and roll up data from within the policy management system. These tools help slice and dice data easily for deeper analyses, allowing organizations to make informed decisions and mitigate compliance-related risks.
Conduct Impact Assessments and Update Policies Strategically
As soon as a new regulation comes into effect or an existing one is updated, it should be analyzed by a subject matter expert to assess its impact on organizational policies.
- Whether the organization will have to update existing policies in response to the regulatory change or draft new policies altogether
- How potential benefits stack up versus the effort and time required to administer the new policy
- If the organization has enough methods to communicate and enforce the updated policy
- If the updated policy will improve business performance
Organizations also have to be cognizant of the fact that too many updates and versions of policies could be confusing for employees. The key is to find the right balance. Organizations must conduct impact assessments to determine if a policy update is really required and if there should be any version controls. A robust policy management system can help streamline regulatory impact assessments and trigger policy update processes with clearly defined review and approval workflows. A single system can be a handy solution by making stakeholders' collaboration seamless as it can whittle down the number of phone calls, email exchanges, and meetings.
Keep Employees Consistently Engaged
Understanding, analyzing, and updating policies is only one-half of the job. The other half is educating the workforce about these updates and letting them know how they can impact the business. This can prove to be a really challenging task, particularly for large organizations with employees across departments, business units, and locations. Good policy management systems can ease some of this pain by automatically pushing out updates to the relevant individuals or departments.
Creative ways can be used to do this. If the policy update is simple, an email blast to employees might suffice. However, if it is a major change, it might warrant a dedicated training session. A policy update can also be made available as a pop-up or widget in the intranet portal, CRM, or any other operational system. Whatever the approach, policy training should ideally be as engaging and interactive as possible for best retention.
The same needs to be done for policy attestations. Conducting an interesting survey or quiz to track how much employees have understood a policy update is likely to see more employee participation and provide better insights than a simple yes-no attestation form. All policies and related updates should be stored in a centralized policy portal so that employees can access and read them whenever required.
Compliance and integrity are two sides of the same coin. Organizations that perform with integrity enjoy the brand loyalty of customers, employees, and partners. They attract better talent, face less regulatory scrutiny, win more trust, and experience fewer conduct-related risks — all of which translate into stronger business performance. According to EY’s 15th Global Fraud Survey, 97% of business leaders recognized the importance of showcasing the fact that their organization acted and operated with integrity.
Integrity exemplifies an organization’s DNA and culture. And, the culture is the responsibility of the whole organization. Whether it is the management team, the board of directors, or the frontline, everyone has a key role to play in ensuring that the organization stays true to its mission, acts in an ethical manner, and inspires trust.
So, let’s take a look at the role each of these lines of the business plays in securing the culture and integrity of an organization.
The Top Management: Lead from the Front
To build a sustainable culture of integrity, the management team must be able to articulate the organization’s core values in a straightforward, unambiguous, and consistent manner. The more the employees understand what acting with integrity means (or does not), the more likely they will be able to conform to behavioral expectations. Cultural differences across geographies is a point to ponder in this respect. For instance, local values around practices of gift-giving may differ from one region to another and may have a different bearing on corporate policies.
It is the onus of the top management to let employees understand that accountability, transparency, and desired behaviors are some of the important issues to focus on. Employees must be able to understand why a particular behavior matters, how it impacts the achievement of organizational and personal goals, and what would happen if not adhered to. Anyone in the organization who engages in unethical behavior should be held accountable by the management team, regardless of their level of seniority or importance as a resource.
The leadership team must also ensure ways to measure integrity. Tools such as customer surveys, employee reviews, and assessments of compliance with codes of conduct can help the management team gauge how effectively integrity is rooted in their organization. And, in all of this, the top management has to lead by example.
Board of Directors: Exercise Stewardship
In the face of continuing corporate scandals — be it violations of data privacy or falsification of emissions data or the creation of fraudulent banking accounts — the challenge for boards of directors is to find ways to understand and influence integrity and culture across the organization. Standards such as the UK Corporate Governance Code underscore the importance of the board’s role in establishing, assessing and monitoring corporate culture and values.
Some boards institute formal processes and structures to monitor progress and gaps in compliance. They have specific conduct committees that meet every month to oversee corporate compliance with codes of conduct, standards, and policies. Boards take corrective actions where necessary and ensure that functions like HR, compliance, risk, and Internal Audit (IA) are empowered with sufficient resources to strengthen organizational culture. The emphasis is on better reporting as such boards demand information on where organizational behaviors are lagging or how many breaches of conduct have occurred.
Middle and Lower Management: The Eyes and the Ears
The frontlines play a big role in the success of cultural initiatives as managers at this level have good visibility into how such initiatives are playing out. They know whether or not employees are motivated, values are being effectively imbibed, and whether or not employee behaviors are truly aligned with the organization’s goals. Middle managers are also well-positioned to influence and impact cultural changes through effective communication.
Many organizations have begun to incentivize employees for good behavior and ethical practices. They create balanced scorecards that integrate data around customer complaints and risks of customer attrition into the calculation of sales incentives. Some others have a policy governance tracking mechanism that aligns policy exceptions to rewards and recognition programs. These are all tangible steps for culture adherence that organizations can take. When the management, board and business work in tandem to achieve better compliance and integrity, it’s a boost to the organization’s reputation and morale.
Preparing is key to risk reduction. In this respect, organizations’ compliance maturity is of critical importance. Where on the compliance maturity curve an organization is, depends to a large extent on how effectively it manages regulatory engagements across federal, state, and international levels as new rules and regulations emerge across industries and jurisdictional boundaries.
An agile and well-coordinated strategy of responding to regulatory requests on time, managing regulatory meetings efficiently, and ensuring that the business is well-prepared for regulatory examinations can build credibility with regulators.
A group of compliance and regulatory experts met in London to discuss the core components of an effective regulatory engagement management program. They spoke about the key challenges faced in regulatory interactions and proposed ways to strengthen regulatory relationships. Here are some of the suggestions for organizations to adopt as best practices.
Be More Strategic
The journey starts with organizations being more strategic in their approach with the creation of a central “engagement hub” that enables employees to access materials, stay updated on deadlines, and understand their deliverables well. The hub can help users connect related engagements,and map them to Governance, Risk, and Compliance (GRC) elements such as the organizational hierarchy, risks, controls, and regulations. The regulatory engagement team should be able to strategically its their policies and processes with the organization’s risk appetite and compliance culture through a GRC framework.
Create an Internal Regulatory Engagement Community
In organizations that operate in highly regulated industries, employees often have to juggle multiple regulatory engagements. They either meet directly with regulators or help in preparing the materials that regulators review. The larger and more complex the organization is, the greater the size and scope of this group of individuals. Therefore, it’s important that they form an organized community, with the overall culture and strategy set by a senior executive who has direct access to the C-suite and board.
Keep the Senior Management, Board as well as the Business in the Loop
Boards and senior managers must quickly and easily understand the important regulatory engagement issues that an organization is facing. For that, they need well-structured reports based on good-quality data. These reports should capture interactions with regulators, the organization’s progress in addressing emerging issues, and regulatory engagements in the context of GRC data such as Key Risk Indicators (KRIs) and Key Control Indicators (KRIs) so that informed decisions on technology and other investments can be taken.
It is as important to keep the business in the loop about regulatory engagements as the senior management. While reports for the board and senior management focus on macro trends, reports for the business help effectively navigate specific regulatory and compliance risks, issues around operational risks and resilience. A “fire hose” approach must be avoided at all costs.
Enable Secure Access to Regulatory Engagement Information
Regulatory engagement intelligence is highly sensitive data. Therefore, there must be strong security and access controls in place to ensure that the information is not obtained and shared in inappropriate ways. In today’s world, spreadsheets and other documents stored on shared servers are not always secure. A dedicated system for regulatory engagement management with defined access and authorization protocols can be a game-changer.
Leverage Good Quality Data and Automation
Regulatory engagement managers often end up spending most of their time on cumbersome manual activities like tracking actions and sending reminders. By automating these processes, managers can be freed up to focus on the processes that truly add value to the compliance program. Automation also reduces the compliance risks associated with human error. Critical activities that can benefit from automation include the process of preparing for an engagement, managing regulatory findings through investigations and remediation, and organizing tasks to meet regulatory expectations.
Having structured data handy can make the task of tracking regulatory engagements very efficient. All regulatory engagement team activities such as meetings, exams, investigations, and enforcement actions produce structured data related to meeting dates, action owners, country or jurisdiction, meeting attendees, etc. Then, there are large volumes of unstructured data related to letters, emails, regulatory reports, etc. The unstructured data must be mapped to the unstructured one and stored in a single repository so that it can be accessed and worked on by multiple teams. This helps expedite tasks such as preparation for regulatory meetings or the creation of internal.
Create Repeatable Processes
Some regulatory engagements occur every quarter or twice a year or annually. They often require the same set of activities to be performed, be it regulatory capital calculations or some form of conduct risk reporting. To streamline such recurrent tasks and save time, organizations can create an automated set of action point reminders for process stakeholders. A unified system for documentation can help stakeholders adopt a regular reporting rhythm and improve the overall quality of their regulatory engagement activities.
As organizations today reimagine risk landscapes and compliance requirements amid more stringent regulatory environments, MetricStream’s mission is to enable them to thrive on risk. Through a range of governance, risk, and compliance (GRC) products and solutions built on an integrated platform, we help customers build more risk-aware and compliant cultures
MetricStream’s Regulatory Compliance and Corporate Compliance solutions help organizations strengthen compliance by adopting an integrated approach. The solutions help automate various aspects of policy and procedure management, regulatory change management, compliance assessments, control testing, third-party compliance, regulatory engagement management as well as case and incident management.
As the pressure on compliance and regulatory engagement management teams grows, our solutions will help them:
