Compliance and ethics have become a critical challenge in organizations around the world. Faced with growing regulatory change, increased enforcement actions, and a greater focus on the social responsibility and accountability of organizations, compliance and ethics management has become a front and center issue. Compliance and ethics departments are grappling with the challenges of conduct, bribery and corruption, insider trading, anti-trust, harassment, discrimination, privacy, and more. They need a coordinated strategy and process supported by an integrated information and technology architecture.
Recent developments, such as last month’s Department of Justice Evaluation of Compliance Program Guidelines, are putting greater emphasis on having robust insight, reporting, and analytics of compliance. Compliance and ethics departments have been plagued with manual processes encumbered by documents, spreadsheets, and emails. One organization that GRC 20/20 talked to was spending 200 employee hours to build an annual report on compliance. That is not managing compliance, that is reacting. Compliance and ethics issues that started eleven months back did not get contained, and the organization was not aware of the issue until months later.
The other challenge is that too many compliance and ethics departments are buying point solutions that focus on just one small problem and do not integrate to manage an overall compliance and ethics program. It is not uncommon to see an organization with manual processes as well as a range of point solutions deployed for managing niche aspects of compliance such as conflicts of interest, gifts and hospitality, and more. Having a collection of software solutions that do not integrate leaves the organization blind to the insights and interrelationships of compliance risk and exposure.
Organizations need to start approaching corporate compliance and ethics through a strategy that delivers an integrated information and technology architecture of compliance, where the organization can mine, report, and see relationships between hotlines, cases, policies, assessments, forms, approvals, training, and due diligence. If these activities are siloed and managed in manual processes or point solutions that do not integrate, the organization is going to be blind-sided by issues, never find and get to root problems, or spend a massive amount of employee time trying to manually reconcile information to uncover the relationships and root causes to be addressed.
Today’s compliance and ethics program needs a next generation information and technology architecture that delivers:
- Engagement. Compliance is not about the back office of corporate compliance and ethics; it is about the front office. The organization needs a strong, single compliance and ethics portal that delivers policies, training, issue reporting, compliance-related forms, communications, and reminders to employees (and relevant third parties). There should be one view for individuals to access all of this, not scattered point solutions.
- Obligation management. The organization needs a systemized and organized way to define, manage, and monitor all of its compliance and ethics obligations. This includes laws, regulations, contractual commitments, ethical principles, social accountability, and more. Consider that global financial services firms alone are dealing with over 200 regulatory change events every business day. Organizations need a way to document new and existing obligations and manage them as they impact policies, training, assessments, cases, and more.
- Assessments. Organizations need a streamlined approach to manage compliance and ethics assessments. This includes self-assessments, checklists, quizzes, surveys, workpapers, and questionnaires. These are used both by the back office of compliance and ethics management and for gathering information from all levels of the organization to assess compliance.
- Compliance risk management. There is greater pressure on organizations to show how they have identified, analyzed, addressed, and monitored compliance risk. The organization today needs compliance risk technology to identify and assess risk. There needs to be a central inventory of compliance risks along with detailed assessments and analysis of these risks. The best risk management methodology for compliance risk assessments is the bow-tie risk assessment (I will be blogging on How to Tie a Compliance Bow-Tie in the next few weeks).
- Policy management. Policies are the center of compliance and ethics. Everything relates back to policies. In the new DoJ guidance, policies were referenced over 30 times throughout the document. Organizations have to have structured approaches to inventory, develop, manage, monitor, communicate, and maintain policies. This requires defined workflows and notification capabilities. Many organizations are looking for collaborative policy authoring technologies that allow multiple roles to work on the same policy at the same time and see changes and comments in real time without document check-in and check-out. These policies need to be accessible to individuals in a portal (back to engagement above). Many compliance and ethics departments are now leading a cross-organization strategy in enterprise policy management to ensure every policy is managed and maintained consistently.
- Training management. Linked to policies is training management. Training is done on policies. I do not think you will find any compliance and ethics training that is disconnected from a policy. As a result, organizations are looking for solutions that integrate policy and training management into the same portal, where employees can read a policy and take the training in the same portal and interface without jumping between different systems. There is also a need to manage compliance communications and campaigns that might bundle elements together, and to manage the communications and activities over the calendar year.
- Compliance forms and disclosure management. Compliance has tons of forms: forms that have to be filled out by individuals and routed for review and approval/disapproval, such as conflicts of interest, gifts and entertainment, and more. These are often referred to as disclosures, but forms can be more than that. This is an area where organizations make mistakes and purchase siloed solutions. They should be looking for an overall integrated solution that allows for the creation and management of the full range of compliance forms and disclosures. These also connect with policies and training, as well as with hotlines and issue reporting.
- Issue intake. The organization has to have the ability to intake and process compliance and ethics issues. This covers a range of intake channels: hotlines, anonymous web reporting, customer complaints (and other complaints), and management reports. The organization needs structured forms and processes to intake issues and filter them into a review and triage process to identify cases that need to be responded to.
- Case management. Investigations are a key function of compliance and ethics professionals. The organization has to have structured and documented investigations covering how a case was reported, investigated, and resolved. This is a critical piece of a strong compliance and ethics architecture, and information from cases should cross-reference and identify where assessments were missed, policies were violated, and training was not effective. Insight into issues and cases provides critical information for addressing the whole compliance and ethics program.
- Third party management. The modern organization is not defined by brick-and-mortar business and traditional employees. It is a complex web of suppliers, vendors, outsourcers, service providers, consultants, contractors, temporary workers, brokers, agents, dealers, and intermediaries. Compliance and ethics issues within third parties are the issues of the organization. This requires structured compliance and ethics processes across onboarding, ongoing monitoring, and offboarding of third parties, with due diligence, assessments, policy attestations, training, and issue reporting.
- Regulatory exam and audit management. Compliance regularly comes under the scrutiny of external audits and regulatory exams. A key piece of a compliance information and technology architecture is the management and documentation of audits and exams.
- Reporting, analytics, and dashboards. The key focus for many right now is the ability to have real-time insight and reporting into compliance and ethics management. The recent DoJ Guidance specifically challenges organizations on this capability. Strong reporting and analytics require an integrated information architecture that can see across all of the areas listed here and the complex relationships between them. Organizations need 360° situational awareness of compliance and ethics across all of these areas. This cannot be achieved with manual processes or siloed applications for compliance.
- Compliance program and project management. Compliance and ethics is challenging. There are a lot of assessments, changes, and things to monitor. The compliance and ethics department needs an overall command and control center to see all the compliance projects, tasks, assessments, and activities; to manage compliance personnel and see their workload and specialties; and to identify who can address a new development or issue. When the organization is in the midst of significant change, such as a merger or acquisition, it needs to be able to manage that change as an overall project with tasks, activities, deadlines, and overall dependencies.
- Evidence trail. Compliance today has to be more than well-written policies and fiction. Compliance and ethics needs to be a reality. Regulators, law enforcement, opposing counsel in a lawsuit, auditors . . . they want you to demonstrate compliance. Organizations need structured and defensible records of all compliance activities and interactions. Documents, spreadsheets, and emails do not deliver this – you can manufacture records with documents, spreadsheets, and emails. Defensible audit trails and a system of record that can stand up in court with non-repudiation are what is needed today.
- Mobility. We started with engagement, and we will end with engagement. Mobility is a key aspect of all of this. Compliance interfaces for policies, training, forms/disclosures, and issue reporting are all needed on smartphone and tablet interfaces to engage employees wherever and whenever they are.
There is a lot more that can be added to this, and each of the areas listed has a whole range of requirements that are needed in today’s compliance and ethics function. This is just a summary to paint the big picture. A big picture that should indicate that compliance and ethics processes need to be approached strategically with an integrated information and technology architecture. Organizations approaching this with manual processes or siloed solutions that do not integrate are headed toward the INEVITABILITY OF FAILURE.
GRC 20/20 is a research and analyst organization that specializes in evaluating and understanding the range of governance, risk management, and compliance solutions available in the market. If you have questions on compliance and ethics strategy, process, and technology in your organization . . . use our complimentary inquiry form to ask us your question as we objectively cover what is available across the market and what differentiates different players. Our focus and experience specializes in corporate compliance and ethics. Solution and service providers can request a briefing to update us on their solution.
Obviously, as a compliance professional, I fully agree with the thrust of your article. However, our challenge from the C-Suite’s perspective, especially during the pandemic, is to do all of this faster, better and cheaper. As you know, the only way for us to be successful promoting, resourcing and implementing next gen compliance programming is if the C-Suite / Board make this a priority. In this climate a key way to make this a priority is if the next gen compliance architecture both preserves AND creates value. So, I would argue in addition to your points, we also need to make a better connection between how the discipline, change management, process improvements, data analytics, higher insight, improved decision making, etc., that come with next gen compliance programs can also be used to drive strategic initiatives that grow the business. Otherwise, like Sisyphus, we will continue to face the eternal uphill battle for precious time and treasure.
I fully agree. One of my upcoming blog articles is on building this business case. It starts with defining the drivers on why this is critical, some of which I outlined at a high level in this current blog. But then it goes into building the business case on how a new approach and architecture can make the organization efficient (e.g., financial capital, human capital), more effective (e.g., accurate, complete, thorough, fewer things slipping through cracks), and agile (e.g., keeping up with regulatory change, keeping up with business change, keeping all this change in sync).
May I please trouble you for the link to the blog article on this business case? Thanks!