Christmas (or other holiday tradition you celebrate) is upon us with its associated gift giving. In the spirit of giving and Christmas cheer, I am delivering the beginning of a series of role-plays looking at what different risk and compliance roles would want in their Christmas stockings.
To kick this off- we will initially focus on the role of Corporate Compliance . Each subsequent week we will look at another role (see below for schedule).
To understand what Corporate Compliance desires requires an understanding of what this roles is about and its responsibilities. Unfortunately compliance, like many GRC related terms, has different heads and definitions throughout the organization. Though Corporate Compliance is a specific role that typically reports into legal/general counsel and is focused on the the most pertinent legal/regulatory issues the organization has to comply with. To date I have not met one Corporate Compliance Officer that is responsible for every aspect of compliance throughout the organization. Often fragments of compliance such as SOX, privacy, information security, health and safety, and other other areas often fall outside of the Corporate Compliance area of focus.
Corporate Compliance is typically responsible for managing the most significant and highly visible legal/regulatory compliance issues such as; anti-corruption, ethics, anti-trust, employment/labor issues, etc. In the U.S. this role is centered around adherence to the U.S. Sentencing Commission Organizational Sentencing Guidelines and what is laid out as the seven elements of what a compliance program should look like. This compliance program involves defining and maintaining policies, oversight, due diligence in hiring and access, training/communication, monitoring, investigations, and program improvement. There is also an additioanl requirement to implement at least an annual risk analysis for potential wrongful conduct.
Again there are other view of compliance – IT, finance, audit, business operations – and they have varying but related needs to Corporate Compliance.
So when you think of the Corporate Compliance Officer/Manager this season your first desire may be to give this role the ultimate compliance platform to manage compliance content and processes. In designing this platform, you will find that the best solutions come from a range of providers and not a single vendor. So my Christmas Wish would be for a new platform to be developed that would integrate the following:
- Next generation policy & procedure management. Organizations are in a complete disarray in managing corporate policies and procedures – they often are out-dated, scattered across parts of the business, and not manage consistently. Further, the recent trend in legislation and regulatory guidance is to demonstrate training and not just attestation. I desire a platform that is easy to use, manages the lifecycle of policies, and allows dissemination, communication and training (e.g., elearning) on these policies in a single platform. Axentis is the best example of a platform delivering this today. Neohapsis (former Certus) has done interesting things with a few clients. QUMAS, has the most robust policy lifecycle management but lacks the integrated eLearning component.
- Regulatory intelligence. The Corporate Compliance role struggles with trying to keep abreast of a growing array of regulations, legislation, regulator findings/rulings, and case law. The current situation is to have an army of legal professionals mining legal and regulatory sources for new developments that will impact the organization. My desire is to see this automated. Give the Corporate Compliance role an application that allows the compliance and legal function to profile their organization, link into content providers (e.g., WestLaw, LexisNexis) and then have new developments/alerts be pushed into the application and disseminated to the appropriate person for review and analysis based on responsibility. Compliance360 is the only company offering something close to this vision today. Though there are some industry specific providers doing interesting things such as CompliNet andFortent in the financial services vertical. ComplianceOnline (by MetricStream) also provides a wealth of regulatory information. SAI Global is also doing some interesting things in this area, with a particular strength outside the US. Further, LRN is another provider that continues to amaze me in their thought leadership and content.
- Enterprise investigations management. A struggling area of compliance is enterprise investigations – in most organizations there is no such thing as ‘enterprise’ investigations management. This is unfortunate as organizations fail to get a grasp on the range of issues, events, incidents, wrongdoing, and complaints across the organization. Without a complete view into enterprise issues, events, and investigations an organization’s risk management and compliance strategies become handicapped. On top of thi s, organizations manage investigations in home grown databases and spreadsheets which often lack any form of audit trail and non-repudiation. Consider solving this problem for corporate compliance buy giving Corporate Compliance a single enterprise investigations management platform that ties into whistle blowing/hotlines for anonymous reporting of incidents. EthicsPoint, in my humble opinion, offers one of the best solutions on the market for managing corporate investigations across the organization with integrated hotline services. Other contenders are Axentis, QUMAS, and Archer Technologies – but lack the hotline piece of EthicsPoint. BTW – get rid of the spreadsheets, they are difficult to manage and do not have the non-repudiation needed for sensitive compliance processes.
- Compliance process management. Corporate compliance today is a labor intensive and manual process. When it is automated this typically means sending an email. This is unfortunate given the range of process management solutions on the market. Corporate compliance needs a compliance backbone that allows them to manage complex processes and workflow as well as content. The most adaptable backbone for corporate compliance isArcher Technologies. Archer is quickly moving into a broader GRC offering from a focus within IT, and has one of the most flexible and highly configurable risk and compliance solutions on the market today. They allow for complete module customization, and even allow clients to share custom built risk and compliance process modules. On top of this they offer modules for many of the functions I list above – policy and investigations management in particular. There are other GRC platforms focused on process management – going beyond simple workflow – such as Mitratech, Compliance360, BWise, and MEGA. BWise and MEGA have particularly interesting solutions that support visual process modeling.
- Time machine. While compliance is focused on assuring compliance in the hear and now it often has to react to investigations, lawsuits, and regulators that want to understand the state of compliance on a given date and time. In that case how you are compliant today is of little importance. The Department of Justice, regulator, or prosecutor wants to know how you were compliant on this day five years back. This requires that the organization be able to demonstrate who read, was trained, and attested to a policy on a given date and time; how an investigation was handled; and how compliance was managed. I am a Mac user and love Leopard’s Time Machine ability to go back to any date in time and see my system/files on that date. That is what Corporate Compliance needs as well – a compliance Time Machine. There are a few vendors delivering this today such as Compliance360and QUMAS.
There . . . I have provided you some technical stocking stuffers for your corporate compliance department. In the next few years we should see an integrated application that delivers all of this best in class functionality.
Corporate Integrity welcomes your comments and thoughts on this topic in our blog. Upcoming issues of the newsletter will focus on ultimate platforms for:
- Enterprise risk management – week of 12/22/08
- Operational risk management – week of 12/29/08
- Supply-chain risk & compliance – week of 1/5/09
- Legal/general counsel – week of 1/12/09
- Corporate social responsibility – week of 1/19/09
- Audit – week of 1/26/09
- Finance/treasury – week of 2/2/09
- IT – 2/9/09
- Quality – 2/16/09
- Environmental, Health, & Safety – 2/23/09
Merry Christmas! (Yes, it is OK to say Merry Christmas),
President & Research Analyst