GRC Archetypes: Compliance & Ethics Management

Written by The GRC Pundit

Published on2017-08-10DiscussionLeave a Comment on GRC Archetypes: Compliance & Ethics Management

Compliance and ethics has become a significant challenge for organizations across industries, geographies, and business boundaries. It is inundated with challenges such as anti-bribery and corruption, market conduct, conflict of interests, third party (e.g., vendor/supplier) compliance, code of conduct, and more. Organizations are struggling to deal with the pace of regulatory change. Not only from new regulations, but changing/evolving regulations, enforcement actions, and administrative decisions. Global financial services firms are dealing with approximately 201 regulatory change events every business day (source: Thomson Reuters).

Compliance becomes further complicated by different geographies that have different approaches to compliance. In the USA it is very much a check-box/prescriptive approach. Organizations want a specified list of what they have to do and then want a “get out of jail free” card if they do those things. In Europe the approach is focused on principle or outcome-based compliance. It is not prescriptive. Regulators tell you what you have to achieve as an outcome but not tell you how you have to achieve it. This requires a much stronger risk management approach to compliance to determine how best to comply.

The challenge for compliance and ethics grows exponentially as organizations face greater obligations to manage compliance across its third party relationships of vendors, suppliers, outsourcers, service providers, contractors, consultants, intermediaries, brokers, agents, dealers, and other partners. There compliance and ethical issues are the organizations compliance and ethical issues. The legal and regulatory environment of today is making that clearer than ever.

Though compliance and ethics is much more than regulatory compliance. Compliance and ethics is about the very integrity of the organization. Not just meeting regulatory requirements, but ensuring the organization is in aligned and adhering to the values, ethics, policies, corporate social responsibility commitments, contracts, and other obligations of the organization. I have been stating for the past decade that the true Chief Compliance and Ethics Officer is really the Chief Integrity Officer of the organization.

The truth of compliance is that it is very fragmented. In all of my research, spanning interactions with thousands of organizations, I have not encountered one Chief Ethics & Compliance Officer that is truly responsible for oversight of all of compliance. There are many disconnected factions of compliance in organizations: corporate compliance and ethics, human resources compliance, IT compliance, privacy compliance, quality compliance, third party compliance, environmental compliance, health and safety compliance, . . . .

The problem is this leads to a lot of redundancy. Organizations are finding that they lack agility as there are uncoordinated approaches to compliance and the business is struggling with multiple systems and processes that are very repetitive and confusing. Organizations often have dozen of policy portals, different approaches for compliance assessments and surveys, a mixture of processes for reporting and managing incidents and cases . . . this hinders the organization, things get missed, and the organization ends up in hot water.

An ad hoc approach to compliance management exposes the organization to significant liability. This liability is intensified by the fact that today’s GRC programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of compliance, how it was managed, who was responsible, what was done, who attested to it, what exceptions were granted, and how violations and resolution was monitored and managed. With today’s complex business operations, global expansion, and the ever changing legal, regulatory, and compliance environments, a well-defined compliance and ethics management program is vital to enable an organization to effectively develop and maintain the wide gamut of compliance tasks it needs to govern with integrity.

THE QUESTION: How is your organization approaching compliance and ethics management? Can you map yourself to one of the following GRC archetypes of compliance and ethics management?

• Fire Fighter. Your organization approaches compliance and ethics management in an ad hoc fly by the seat of your pants approach. Compliance management is not structured and is addressed when there is a burning issue, incident, compliance requirement, or other pressure. Even then, it is about addressing the narrowest understanding of the requirement before you and not thinking strategically about compliance and ethics management. Compliance management is addressed in manual processes with file shares, documents, spreadsheets, and emails. The organization does not have an integrated solution to manage compliance and ethics planning, regulatory change, assessments, policies, issue reporting, third party management, and case management.
• Department Islander. In this archetype, your organization has a more structured approach to compliance management within specific departments. There is little to no collaboration between departments and you often have different departments with a vested interest in compliance management going in different directions with a significant amount of redundancy and inefficiency. Departments may have specific technology deployed for compliance management, or may still be relying on manual processes with documents, spreadsheets, and emails. The result is a variety of compliance processes in different portals and file shares with inconsistent formats and templates.
• GRC Collaborator. This is the archetype in which your organization has cross-department collaboration for compliance management to provide consistent processes and structure for compliance management. However, the focus is purely on addressing significant compliance concerns and risks. It is more of a checkbox mentality in collaborating on what needs to be done to manage compliance to meet requirements. Most often there is a broader compliance management platform deployed to manage compliance processes and tasks, but some still rely on manual processes supported by documents, spreadsheets, and emails.
• Principled Performer.  This is the model in which the organization is focused on managing the integrity of the organization across its business and its relationships. Compliance and ethics management is more than meeting requirements but is about encoding, communicating, and monitoring boundaries of expected conduct to develop a strong and consistent corporate culture aligned with the ethics, values, and obligations of the organization. Compliance obligations are mapped to risks and objectives and actively understood and managed as critical governance processes of the organization. Compliance and ethics management is about the integrity of the organization and embraces corporate social responsibility, ethics, and the values of the organization and not just regulatory requirements.

The haphazard department and document centric approaches for compliance and ethics management of the past compound the problem and do not solve it.  It is time for organizations to step back and define a cross-functional and coordinated team to define and govern compliance and ethics management. Organizations need to wipe the slate clean and approach compliance and ethics management by design with a strategy and architecture to manage the ecosystem of compliance and ethics processes throughout the organization with real-time information about conformance and how it impacts the organization.

GRC 20/20’s Compliance Management Workshop

GRC 20/20 will be leading a free interactive workshop to facilitate discussion and learning between organizations on Policy Management on the following dates and locations:

• Compliance Management by Design Workshop, Houston
  • August 15 @ 8:00 am – 4:00 pm CDT 

Strategy Perspective on Compliance Management

• Regulatory Change Management: Effectively Managing Regulatory Change in Financial Services
• The Compliance Journey: From Checkboxes to Compliance Risk Management
• International Tax Compliance: Strategies for Tax Substance Management & Compliance
• Policy Management by Design: A Blueprint for Enterprise Policy & Training Management
• Benchmarking Your Policy Management Program
• Policies, The Last Mile of Risk Management: The Relationship Between Risk and Policies

Research Briefings on Compliance Management

• How to Purchase Compliance Management Solutions
• How to Purchase Policy Management Solutions
• How to Purchase Issue Reporting & Management Solutions
• 2017 Market Landscape: GRC Intelligence & Content Solutions

Solution Perspectives on Policy Management

• RegEd CODE™: Enabling an Integrated Compliance Lifecycle
• Convercent Disclosure Manager: Innovation in User Experience for Compliance Management
• TRUSTe: Effectively Managing Privacy Risk in Processing Personal Data
• SAI Global: Delivering Effective Compliance Solutions & Architecture
• Convercent Predictive Analytics: Innovation in User Experience for Issue Reporting & Management
• ISMS Solutions’ Conformance Works: Effectively Managing the Standards Certification Process
• ComplyTrack® from Wolters Kluwer: Providing an Architecture for Healthcare GRC
• UCF Common Controls Hub: Innovation for Compliance Management
• NAVEX Global’s Agile Code of Conduct
• MetaCompliance: Effectively Managing & Communicating Policies

Case Studies on Policy Management

• SunPower Corporation: Value Achieved in Compliance Management
• BCBS of Michigan: Value Achieved in Issue Reporting & Management
• Claims Recovery Financial Services: Value Achieved in Policy Management
• Tricolor Auto Group’s Approach to Policy & Training
• HITEC’S PolicyHub: Streamlining Policy Management