Organizational exposure to compliance risk is rising while the cost of compliance soars. An ad hoc or reactive approach to compliance brings complexity, forcing the business to be less agile. Organizations in the past have addressed compliance as singular obligations, resulting in multiple redundant initiatives working in isolation to respond to each obligation. These isolated compliance initiatives tend to rely on manual processes burdened with costly assessments managed through unreliable spreadsheets, documents and email. This reactive methodology makes it difficult to adapt to new regulatory requirements while increasing pressure on management, employees, and third parties.
Business requires a common compliance risk management process, information, and technology architecture that is context-driven and adaptable to the enterprise and operational risk management strategy. Compliance must be an active, living part of the organization and culture that can detect and prevent issues as a continuous process to be monitored, maintained and nurtured in the context of governance, risk, and compliance management. Today’s organizations require integrated compliance risk management strategies as an integration function for effective enterprise risk management.
Past compliance processes were bogged down in documents and technology silos, which led to laborious and costly processes to gather information and report on compliance risk. Compliance departments over-relied on spreadsheets, documents, and email that lacked an audit trail, creating a legal disaster, since organizations lack a defensible position when they cannot prove compliance. With no record, assessments can also be compromised or tampered with. What may seem like an insignificant risk in one source of information may have a different appearance when other relationships are factored in. Siloed documents and processes create inefficiency, out-of-sync controls, and corporate policies that are inadequate to manage risk and compliance. Organizations are encumbered by unnecessary complexity because they manage compliance within specific issues, without regard for an integrated framework and architecture, wasting time and resources in the process.
Effective compliance requires technology that has a robust system of record that proves a state of compliance and documents any changes made, thus providing a complete audit trail. In order for compliance to be an active and living part of the organization and culture, intelligent organizations are implementing a comprehensive compliance technology architecture.
A compliance technology architecture to support compliance risk management includes capabilities to perform:
- Compliance risk management. Technology to manage compliance risk surveys, assessments, and related risk information; report, analyze and model risk of compliance and ethics.
- Regulatory change management. Technology to track, document and manage regulatory changes and their business impact.
- Learning and training management. Technology to communicate and document training programs related to compliance – includes delivery of training, testing of attendees, and maintenance of training records.
- Policy and procedure management. Technology that maintains policy lifecycle management across development, maintenance, communication and attestation. Provides a robust audit trail and content management capability to ensure policies are current and communicated.
- Investigations management. Technology that enables incident management, facilitates collaboration, and documents investigation processes. The ability to record the range of issues reported from all mechanisms, actions taken, and results of the investigation.
- Issue reporting and hotlines. Technology that makes it easy for individuals to report issues and non-compliance, including a system to document reports made directly to all levels of management.
- Survey and assessment. Technology that delivers a consistent experience for conducting compliance surveys and assessments.
- Benchmarking, metrics, and dashboarding. Technology that produces reports of assurance to management that compliance is not only designed properly but also operating properly to address compliance risks in a dynamic business environment, and that assures executives and the board that their fiduciary obligations for compliance are being met.
- Due diligence management. Technology that facilitates due diligence efforts to validate that the organization hires the right people and partners with ethical vendors that share the same commitment to compliance and corporate values.
- Forms automation and processing. Technology that creates and automates forms to manage processes such as interactions for gifts, entertainment, and facilitated payments through online forms, plus workflows for approval/disapproval.
- Compliance program/project management. Technology that brings compliance risk management together in a cohesive system to manage compliance activities, metrics, and reports. All compliance management personnel and employees should have access to the system and see the relevant tasks that pertain to their job.