GRC Archetypes: Compliance & Ethics Management

Compliance and ethics has become a significant challenge for organizations across industries, geographies, and business boundaries. It is inundated with challenges such as anti-bribery and corruption, market conduct, conflict of interests, third party (e.g., vendor/supplier) compliance, code of conduct, and more. Organizations are struggling to deal with the pace of regulatory change. Not only from new regulations, but changing/evolving regulations, enforcement actions, and administrative decisions. Global financial services firms are dealing with approximately 201 regulatory change events every business day (source: Thomson Reuters).

Compliance becomes further complicated by different geographies that have different approaches to compliance. In the USA it is very much a check-box/prescriptive approach. Organizations want a specified list of what they have to do and then want a "get out of jail free" card if they do those things. In Europe the approach is focused on principle or outcome-based compliance. It is not prescriptive. Regulators tell you what you have to achieve as an outcome but not tell you how you have to achieve it. This requires a much stronger risk management approach to compliance to determine how best to comply.

The challenge for compliance and ethics grows exponentially as organizations face greater obligations to manage compliance across its third party relationships of vendors, suppliers, outsourcers, service providers, contractors, consultants, intermediaries, brokers, agents, dealers, and other partners. There compliance and ethical issues are the organizations compliance and ethical issues. The legal and regulatory environment of today is making that clearer than ever.

Though compliance and ethics is much more than regulatory compliance. Compliance and ethics is about the very integrity of the organization. Not just meeting regulatory requirements, but ensuring the organization is in aligned and adhering to the values, ethics, policies, corporate social responsibility commitments, contracts, and other obligations of the organization. I have been stating for the past decade that the true Chief Compliance and Ethics Officer is really the Chief Integrity Officer of the organization.

The truth of compliance is that it is very fragmented. In all of my research, spanning interactions with thousands of organizations, I have not encountered one Chief Ethics & Compliance Officer that is truly responsible for oversight of all of compliance. There are many disconnected factions of compliance in organizations: corporate compliance and ethics, human resources compliance, IT compliance, privacy compliance, quality compliance, third party compliance, environmental compliance, health and safety compliance, . . . .

The problem is this leads to a lot of redundancy. Organizations are finding that they lack agility as there are uncoordinated approaches to compliance and the business is struggling with multiple systems and processes that are very repetitive and confusing. Organizations often have dozen of policy portals, different approaches for compliance assessments and surveys, a mixture of processes for reporting and managing incidents and cases . . . this hinders the organization, things get missed, and the organization ends up in hot water.

An ad hoc approach to compliance management exposes the organization to significant liability. This liability is intensified by the fact that today’s GRC programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of compliance, how it was managed, who was responsible, what was done, who attested to it, what exceptions were granted, and how violations and resolution was monitored and managed. With today’s complex business operations, global expansion, and the ever changing legal, regulatory, and compliance environments, a well-defined compliance and ethics management program is vital to enable an organization to effectively develop and maintain the wide gamut of compliance tasks it needs to govern with integrity.

THE QUESTION: How is your organization approaching compliance and ethics management? Can you map yourself to one of the following GRC archetypes of compliance and ethics management?

  • Fire Fighter. Your organization approaches compliance and ethics management in an ad hoc fly by the seat of your pants approach. Compliance management is not structured and is addressed when there is a burning issue, incident, compliance requirement, or other pressure. Even then, it is about addressing the narrowest understanding of the requirement before you and not thinking strategically about compliance and ethics management. Compliance management is addressed in manual processes with file shares, documents, spreadsheets, and emails. The organization does not have an integrated solution to manage compliance and ethics planning, regulatory change, assessments, policies, issue reporting, third party management, and case management.
  • Department Islander. In this archetype, your organization has a more structured approach to compliance management within specific departments. There is little to no collaboration between departments and you often have different departments with a vested interest in compliance management going in different directions with a significant amount of redundancy and inefficiency. Departments may have specific technology deployed for compliance management, or may still be relying on manual processes with documents, spreadsheets, and emails. The result is a variety of compliance processes in different portals and file shares with inconsistent formats and templates.
  • GRC Collaborator. This is the archetype in which your organization has cross-department collaboration for compliance management to provide consistent processes and structure for compliance management. However, the focus is purely on addressing significant compliance concerns and risks. It is more of a checkbox mentality in collaborating on what needs to be done to manage compliance to meet requirements. Most often there is a broader compliance management platform deployed to manage compliance processes and tasks, but some still rely on manual processes supported by documents, spreadsheets, and emails.
  • Principled Performer.  This is the model in which the organization is focused on managing the integrity of the organization across its business and its relationships. Compliance and ethics management is more than meeting requirements but is about encoding, communicating, and monitoring boundaries of expected conduct to develop a strong and consistent corporate culture aligned with the ethics, values, and obligations of the organization. Compliance obligations are mapped to risks and objectives and actively understood and managed as critical governance processes of the organization. Compliance and ethics management is about the integrity of the organization and embraces corporate social responsibility, ethics, and the values of the organization and not just regulatory requirements.

The haphazard department and document centric approaches for compliance and ethics management of the past compound the problem and do not solve it.  It is time for organizations to step back and define a cross-functional and coordinated team to define and govern compliance and ethics management. Organizations need to wipe the slate clean and approach compliance and ethics management by design with a strategy and architecture to manage the ecosystem of compliance and ethics processes throughout the organization with real-time information about conformance and how it impacts the organization.

GRC 20/20's Compliance Management Workshop

GRC 20/20 will be leading a free interactive workshop to facilitate discussion and learning between organizations on Policy Management on the following dates and locations:

Strategy Perspective on Compliance Management

Research Briefings on Compliance Management

Solution Perspectives on Policy Management

Case Studies on Policy Management

Compliance Automation: The Role of Technology in Today’s Dynamic Organization

Compliance is not easy. Organizations across industries have global clients, partners, and business operations. Adding to the complexity of global business, today’s organization is dynamic and constantly changing. The modern organization changes by the minute. The dynamic and global nature of business is particularly challenging to compliance management. As organizations expand operations and business relationships (e.g., vendors, supply chain, consultants and staffing) their risk profile grows exponentially. To stay competitive, organizations need systems to monitor internal risk (e.g., strategy, processes and internal controls) and external risk (e.g., legal, regulatory, competitive, economic, political and geographic environments). What may seem insignificant in one area can have profound impact on others.

Compliance activities managed in silos often lead to the inevitable failure of a compliance program. Reactive, document-centric, siloed information and processes fail to manage compliance, leaving stakeholders blind to the intricate relationships of compliance across the business. Management is not thinking about how compliance processes can provide greater insight. This ad hoc approach results in poor visibility across the organization and its control environment. 

A non-integrated approach to compliance management results in these phenomena, each one feeding off the last:

  • Redundant and inefficient . . .

The rest of this blog post can be found as a guest blog at SureCloud:

[button link="’s-dy-namic-organization-0"]READ MORE[/button]

Compliance and Risk Bear Down on the Organization 

Compliance in Dynamic and Distributed Business

Compliance is not easy. Organizations across industries have global clients, partners, and business operations. The larger the organization the more complex its operations. Adding to the complexity of global business, today’s organization is dynamic and constantly changing. The modern organization changes by the minute. New employees come, others leave, roles change. New business partner relationships are established, others terminated. The business enters new markets, opens new facilities, contracts with agents, or introduces new products. New laws are introduced, regulations change, the risk environment shifts (e.g., economic, geo-political, operational), impacting how business is conducted.

The dynamic and global nature of business is particularly challenging to compliance risk management. As organizations expand operations and business relationships (e.g., vendors, supply chain, consultants and staffing) their risk profile grows exponentially. To stay competitive, organizations need systems to monitor internal risk (e.g., strategy, processes and internal controls) and external risk (e.g., legal, regulatory, competitive, economic, political and geographic environments). What may seem insignificant in one area can have profound impact on others.

In an ever-changing business environment, how does your organization validate that it is current with legal, regulatory, policies, and other obligations? 

Compliance obligations and ethical risk is like the hydra in mythology—organizations combat risk, only to find more risk springing up. Executives react to changing compliance requirements and fluctuating legal and ethical exposure, yet fail to actively manage and understand the interrelationship of risk and compliance. To maintain compliance and mitigate risk exposure, an organization must stay on top of changing regulatory requirements as well as a changing business environment, and ensure changes are in sync. Demands from governments, the public, business partners, and clients require your organization to implement defined compliance practices that are monitored and adapted to the demands of a changing business and regulatory environment.

The Inevitable Failure of Compliance Silos

Compliance activities managed in silos often lead to the inevitable failure of an organization’s governance, risk management, and compliance (GRC) program. Reactive, document-centric, siloed information and processes fail to manage compliance, leaving stakeholders blind to the intricate relationships of compliance risk across the business. Management is not thinking about how compliance and risk management processes can provide greater insight. This ad hoc approach results in poor visibility across the organization and its control environment.

A non-integrated approach to compliance risk management results in these phenomena, each one feeding off the last:

  • Redundant and inefficient processes. Managing compliance risk in silos hinders big-picture thinking. Little thought goes into how resources can be leveraged for greater effectiveness, efficiency and agility. The organization ends up with a variety of processes, applications and documents to meet individual compliance needs. The result: a major drain of time and resources.
  • Poor visibility across the enterprise. Siloed initiatives result in a reactive approach to compliance. Islands of information are individually assessed and monitored. Departments are burdened by multiple risk and compliance assessments asking the same questions in different formats. Limited visibility across the risk landscape ensues.
  • Overwhelming complexity. The lack of integrated processes introduces complexity, uncertainty, and confusion. Inconsistent processes increase inherent risk, more points of failure, and more compliance gaps leading to unacceptable risk. Mass confusion reigns for the organization, regulators, stakeholders, and business partners.
  • Lack of agility. Reactive risk and compliance strategies managed in information silos handicaps the business. Bewildered by a maze of approaches, processes and disconnected data, the organization is incapable of being agile in a dynamic and distributed business environment.
  • Greater exposure and vulnerability. When compliance is not viewed holistically, the focus is only on what is immediately in front of each department, at the expense of enterprise-wide co-dependencies. This fragmented view creates gaps that cripple compliance management and a business ill-equipped for aligning compliance initiatives to business objectives.

Compliance Risk Management: Does Your Organization Walk its Talk?

Organizations operate in a field of ethical, regulatory, and legal landmines. The daily headlines reveal companies that fail to comply with regulatory obligations. Corporate ethics is measured by what a corporation does and does not do when it thinks it can get away with something. Compliance risk management boils down to defining – and maintaining – corporate integrity.

Most companies today at least try to address the legal requirements and compliance obligations bearing down on it. However, the role of compliance is quickly changing. Compliance today is more than checking boxes on regulatory to-do lists, more than finding and fixing problems. Compliance and governance is evolving from scattered silos to a strategic enterprise pillar.

Today’s business entity must ensure compliance risk is understood and managed company-wide. That its obligations are more than written policies, but part of the fabric of operations. That a strong culture ensures transparency, accountability, and responsibility as part of its ethical environment. A strong compliance program requires a risk-based approach that can efficiently prioritize resources to risks that pose the greatest exposure.

The Bottom Line: Yesterday’s compliance program no longer works. Boards desire a deeper understanding of how the organization is addressing compliance risk, whether its activities are effective, and how they are enhancing shareholder value. Oversight demands are changing the role of the compliance department to an active, independent program that can manage and monitor compliance risk from the top down. The breadth and depth of compliance risk bearing down on companies today requires a robust compliance program operating in the context of integrated enterprise risk management.

Check Out These GRC 20/20 Compliance Management Resources . . .

Enabling an Integrated Compliance Lifecycle

Inevitability of Failure

Ineffective Processes to Manage Regulatory Change and Compliance

Regulatory change is overwhelming organizations across industries. Organizations are past the point of treading water as they actively drown in regulatory change from turbulent waves of laws, regulations, enforcement actions, administrative decisions, and more around the world. Regulatory compliance and reporting is a moving target as organizations are bombarded with thousands of new regulations and changes to existing regulations each year, making change the single greatest challenge for organizations in the context of compliance. Each vortex of change is hard to monitor and manage individually, let alone to gain an understanding of how they impact each other.

Keeping current with regulatory change and keeping the organization's policies and procedures up to date and linked to compliance requirements is not easy. Regulators across industries and jurisdictions are requiring that compliance is not just operationally effective, but is well documented. However, organizations often do not have adequate processes or resources in place to monitor regulatory change and maintain compliance. Organizations struggle to be proactive and intelligent about regulatory developments, failing to prioritize and revise impacted policies as needed. Instead, most organizations end up firefighting trying to keep the flames of regulatory change controlled.

Organizations that GRC 20/20 has interviewed in the context of regulatory change management reference the following challenges to processes and resources:

  • Frequency of change and number of information sources overwhelms. The frequency of updates is challenging from the regulators themselves but then comes the flood of updates from aggregators, experts, law firms, and more. Organizations often subscribe to and utilize multiple sources of regulatory content  that require time-intensive analysis in order to properly understand the potential impact on the business and determine the actions required to comply.
  • Insufficient headcount and subject matter expertise. Regulatory change has tripled in the past five years. The effort to identify all of the applicable changes related to laws and regulation is time consuming, and organizations are understaffed. Most have not added FTEs or changed their processes despite the continued increase in regulatory change.
  • Limited workflow and task management. Organizations rely on manual processes that lack accountability and follow-through. It’s not possible to verify who reviewed a change, what actions were taken as a result, or if the task was transferred to someone else. This environment produces a lack of visibility into the status of compliance obligations—there is uncertainty regarding ownership of initial review and an inability to sufficiently track what actions were taken as a result, let alone obtain reliable information on which items are “closed.” Compliance documentation is scattered in documents, spreadsheets, and emails in different versions.
  • Lack of an audit trail. The manual and document-centric approach to regulatory change lacks defensible audit trails, which regulators require. This leads to gaps in accountability and a lack of integrity in compliance records regarding who reviewed which change and what action was taken as a result. The lack of an audit trail can be conducive to deception: individuals can fabricate or mislead about their actions to cover a trail, hide their ignorance, or otherwise get themselves out of trouble.
  • Limited reporting. Manual and ad hoc regulatory change processes do not deliver intelligence. Analyzing and reporting across hundreds to thousands of scattered documents takes time and is prone to error. This approach lacks an overall information architecture and thus is inadequate to effectively report on the number of changes, ownership of the review process, the status of business impact analysis, and courses of action. An inability to make sense of data collected in manual processes and thousands of documents exposes the organization to significant risks.
  • Wasted resources and spending. Silos of ad hoc regulatory change monitoring lead to wasted resources and hidden costs. Instead of determining how resources can be leveraged to efficiently and effectively manage regulatory change, the different parts of the organization go in different directions with no system of accountability and transparency. The organization ends up with inefficient, ineffective, and unmanageable processes and resources, unable to respond to regulatory change. The added cost and complexity of maintaining multiple processes and systems that are insufficient to produce consistent results wastes time and resources, and creates excessive and unnecessary burdens across the organization.
  • Misaligned business and regulatory agility. Regulatory change management without a common process supported by an information architecture that facilitates collaboration and accountability lacks agility. Change is frequent in organizations and coming from all directions. When information is trapped in scattered documents and emails, the organization lacks a full perspective of regulatory change and business intelligence. As a result, the organization struggles with inefficiency and cannot adequately prioritize the most important and relevant issues in order to make informed decisions.
  • No accountability and structure. Ultimately, there is insufficient accountability for regulatory change management, and the process fails to be agile, effective, and efficient in its use of resources. The regulatory change process must install strict accountability for subject matter expert review and analysis, compliance obligation task ownership and the ongoing monitoring of outstanding tasks to ensure that compliance deadlines are met.

The bottom line: Processes for managing regulatory change often constitute a myriad of subject matter experts that monitor regulatory change on an ad-hoc basis and rely on email to communicate compliance tasks to stakeholders.  Manual processes and a lack of accountability result in an inability to adequately monitor regulatory changes and predict the readiness of the organization to meet new requirements. Compliance professionals spend significant time and resources researching the mandates they must follow and struggle to keep up with new requirements and identify how changing regulations impact existing policies. A haphazard, siloed and document-centric approach to managing regulatory change results in missed requirements, wasted time, and accelerated costs. It is time for organizations to step back and implement a structured process and technology for compliance management.

Regulatory Change Management Maturity Model: From Ad Hoc to Agile

This is part 5 and final post in the series on regulatory change management, part of the broader series of posts on the Greatest GRC Challenges companies are facing today.  Next we will look at changing risk environments.  In the previous posts we explored:

In this post I detail GRC 20/20's maturity model to measure regulatory change management programs to support an efficient, effective, and agile process. These posts are excerpts from the broader GRC 20/20 Research Paper: Regulatory Change Management: Effectively Managing Regulatory Change

Mature regulatory change management requires the organization to align on regulatory risk. It also involves participation across the organization at all levels to identify and monitor uncertainty and the impact of regulatory change.

GRC 20/20 has developed the Regulatory Change Management Maturity Model to determine an organization’s maturity in regulatory change management processes as well as information and technology architecture.

The GRC 20/20 Regulatory Change Management Maturity Model is summarized as follows:

Level 1 – Ad Hoc

Organizations at this stage lack a structured approach to regulatory change management and are constantly putting out fires and being caught off guard. Few if any resources are allocated to monitor regulatory change. The organization addresses regulatory change in a reactive mode—doing assessments when forced to. There is no ownership or monitoring of regulatory change and certainly no integration of regulatory change information and processes. Characteristics of this stage are:

  • Lack of a defined regulatory taxonomy
  • Ad hoc and reactive approaches to regulatory and business change
  • Document and email-centric approaches
  • Lack of accountability

Level 2 – Fragmented

In the Fragmented stage, departments are focused on regulatory change management within respective functions—but information and processes are highly redundant. The organization may have limited processes for regulatory change but largely does not benefit from the efficiencies of an integrated approach. Regulatory change management is very document-centric and lacks an integrated process, information and technology architecture. Positively, there is some structure to regulatory change responsibilities—but the management of regulatory change lacks accountability as it is done largely in documents and email that lack structures of accountability and automation. Characteristics of this stage are:

  • Varied approaches to regulatory change
  • Lack consistent structure
  • Lack integration or formal processes for sharing regulatory information
  • Reliance on fragmented technology with a focus on discrete documents

Level 3 – Managed

The Managed stage represents a mature regulatory change management program that is using technology for structured workflow, task management, and accountability. Regulatory change functions have defined processes for regulatory change management, an integrated information architecture supported by technology and ongoing reporting, accountability, and oversight. Though there is no integration of regulatory content feeds into the technology platform. Characteristics of this stage are:

  • Visibility into regulatory change across the business
  • Established processes for regulatory change
  • Good use of technology to manage accountability

Level 4 – Integrated

It is at the integrated stage that the organization begins to integrate regulatory content feeds into the technology platform for automation. The organization has consistent regulatory taxonomy, process, information, and technology to streamline regulatory change management processes. The organization is seeing gains in addressing regulatory change through shared information that achieves greater agility, efficiency and effectiveness in a common technology architecture that enables consistent management of regulatory change. Standardized workflow is integrated into regulatory and legal content feeds. Characteristics of this stage are:

  • Strategic approach to regulatory change across departments
  • Common process, technology and information architecture
  • Integration of legal/regulatory content feeds
  • Reporting across departments

Level 5 – Agile

At the Agile stage, the organization has completely moved to an integrated approach to regulatory change management across the organization. This results in a shared-services approach in which core regulatory change technology, content, and processes are shared centrally. The approach is characterized through a mature regulatory taxonomy with integrated and actionable regulatory content automated by technology. The organization has enterprise workflow that provides business-process automation for regulatory change with oversight and management of regulatory change. Regulatory content feeds deliver fully analyzed content that identifies relevancy, impacts and tasks. Characteristics of this stage are:

  • Regulatory intelligence achieved through integration of analyzed content and enterprise technology
  • Consistent views of regulatory change and impact on operations and policies
  • Able to efficiently manage business change in regulatory context

GRC 20/20’s Final Perspective

The constant changes in today’s regulatory environments translate to a growing burden on organizations in terms of the number of regulations they face and their scope. Many organizations do not possess the necessary regulatory change management infrastructure and processes to address these changes and, consequently, find themselves at a competitive disadvantage and subject to regulatory scrutiny and losses that were preventable. These organizations can greatly benefit from moving away from manual and ad hoc process changes and toward a system specifically designed to manage those changes comprehensively and consistently. Such a system gathers and sorts relevant information, routes critical information to subject matter experts, models and measures potential impact on the organization, and establishes personal accountability for action or inaction.