In an ever-changing business environment, how does your organization validate that it is current with legal, regulatory, policy, and ethical obligations?

Compliance obligations and ethical risk are like the hydra in mythology: organizations combat risk, only to find more risk springing up. Executives react to changing compliance requirements and fluctuating legal and ethical exposure, yet fail to actively manage and understand the interrelationship of compliance data. To maintain compliance and mitigate risk exposure, an organization must stay on top of changing requirements as well as a changing business environment, and ensure the two stay in sync. Demands from governments, the public, business partners, and clients require your organization to implement defined compliance practices that are monitored and adapted to the demands of a changing business and regulatory environment.
The Inevitable Failure of Compliance Silos

Compliance activities managed in silos of technology often lead to the inevitable failure of an organization’s governance, risk management, and compliance (GRC) program. Reactive, document-centric, and siloed information and processes fail to manage compliance, leaving stakeholders blind to the intricate relationships of compliance risk across the business. Management is not thinking about how compliance processes can provide greater insight into the state of the organization’s integrity. This ad hoc approach results in poor visibility across the organization and its control environment. A non-integrated approach to compliance information produces the following phenomena, each one feeding off the last:
- Redundant and inefficient processes. Managing compliance in silos hinders big-picture thinking. Little thought goes into how resources can be leveraged for greater effectiveness, efficiency, and agility. The organization ends up with a variety of processes, applications, and documents to meet individual compliance mandates. The result: a major drain of time and resources.
- Poor visibility across the enterprise. Siloed initiatives result in a reactive approach to compliance. Islands of information are individually assessed and monitored. Departments are burdened by multiple compliance assessments asking the same questions in different formats. Limited visibility across the compliance risk exposure ensues.
- Overwhelming complexity. The lack of integrated processes introduces complexity, uncertainty, and confusion. Inconsistent processes increase inherent risk, create more points of failure, and open more compliance gaps, leading to unacceptable risk. Mass confusion reigns for the organization, regulators, stakeholders, and business partners.
- Lack of agility. Reactive compliance strategies managed in information silos handicap the business. Bewildered by a maze of approaches, processes, and disconnected data, the organization is incapable of being agile in a dynamic and distributed business environment.
- Greater exposure and vulnerability. When compliance is not viewed holistically, the focus is only on what is immediately in front of each department, at the expense of enterprise-wide interdependencies. This fragmented view creates gaps that cripple compliance management and leaves the business ill-equipped to align compliance initiatives with business objectives.
Compliance Management: Does Your Organization Walk its Talk?

Increased regulatory and ethical pressures are transforming the traditional role of compliance. Compliance departments are taking on broader responsibility for ethics, compliance, corporate culture, and social responsibility. With greater frequency, they are moving out from under the legal department into a direct reporting relationship with the CEO and/or Board, particularly in highly regulated industries. Some organizations are differentiating between operational compliance and legal compliance by leaving a function within legal for monitoring and interpreting relevant laws. In some cases, regulators are requiring, or at least encouraging, compliance to report outside of legal so it has greater autonomy to raise and resolve issues. The critical point: enabling compliance to report directly to the Board of Directors. Since 1996 in the US, oversight responsibility to ensure compliance and ethics programs are in place falls squarely on the Board. This was made clear in the United States Sentencing Commission Organizational Guidelines, which require Boards to be knowledgeable about compliance risk and about the content and operation of the compliance and ethics program, and to exercise reasonable oversight with respect to the implementation and effectiveness of that program, with the compliance function having direct access to the Board or an appropriate subgroup of the Board.

Most companies today at least try to address the legal requirements and compliance obligations bearing down on them. However, the role of compliance is quickly changing. Compliance today is more than checking boxes on regulatory to-do lists, more than finding and fixing problems. Compliance and governance are evolving from scattered silos into a strategic enterprise pillar: the bastion and champion of corporate integrity.

Therefore, we see that compliance is mandated to take on greater relevance as it guides the enterprise beyond traditional concepts of being the compliance “cop.” This requires an integrated role in the organization’s proactive GRC management programs. Ideally, today’s compliance function will possess a solid understanding of the company’s ethical, regulatory, and cultural risks, how they relate to each other, and how they fit into broader enterprise risk strategies. Reliance on well-established processes will provide assurance that ethics and compliance efforts are sufficient and operate as designed. Today’s business entity must ensure compliance is understood and managed company-wide; that its obligations are more than written policies, but part of the fabric of operations; and that a strong culture ensures transparency, accountability, and responsibility as part of its ethical environment. A strong compliance program requires a risk-based approach that can efficiently prioritize resources toward the risks that pose the greatest exposure to the organization’s integrity. Yesterday’s compliance program no longer works. Boards desire a deeper understanding of how the organization is addressing compliance, whether its activities are effective, and how they are enhancing shareholder value and providing assurance on the integrity of the organization. Oversight demands are changing the role of the compliance department into an active, independent program that can manage and monitor compliance from the top down. The breadth and depth of compliance bearing down on companies today requires a robust compliance program operating in the context of integrated processes and information.

USSC – http://www.ussc.gov/Guidelines/Organizational_Guidelines/guidelines_chapter_8.htm