The Exposure of Compliance at the Frontlines of the Organization
Compliance and ethics do not happen in the back office but at all levels of the organization. From the top down to the front-line employees. Compliance and ethics done right are a part of everyone’s job.
Too often we shovel compliance into the bowels of the organization, thinking it is the responsibility of the obscure and behind-the-scenes individuals in the back-office of legal, human resources, IT, and other departments.
This misperception is a critical issue that organizations must address. The most significant exposures to risk and compliance issues are not in the bowels of the organization, they are at the front lines. They are at all levels of management and business operations, and cross-partner, vendor, and supplier relationships throughout the extended enterprise.
This requires that all the organization’s compliance policies be clearly communicated and understood by the front lines of the organization. The scenarios of risk and compliance exposure across business operations and frontline employees are unlimited. Some involve malicious employees, others could be inadvertent mistakes, while some scenarios involve an activity that employees should catch and report.
The organization must effectively engage employees and educate them about compliance and policies in the context of their role in the organization. The challenge is that organizations need to find a way to get everyone involved and adhere to policies to build integrity across the whole organization and the extended enterprise.
Inevitable Failure of Policy & Training Management
Policy and training matter. Compliance communications, attestations, and disclosures matter. However, when you look at the typical organization you would think policies and compliance processes are irrelevant and a nuisance.
Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, disclosure, and training. An ad hoc approach to compliance, policy and training management exposes the organization to significant liability.
This liability is intensified by the fact that today’s compliance programs affect every person involved with supporting the business, including internal employees and third parties.
To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what disclosures were made, what exceptions were granted, and how policy violation and resolution was monitored and managed.
The user experience for policy management has been typically poor in most organizations, resulting in time-consuming and redundant processes, a check-box mentality, and a lack of centrally coordinated efforts for policy and compliance communications.
Organizations have ended up with multiple sources of policy, training, surveys, assessments, disclosures, attestations, and issue reporting. Interaction with these systems has consumed human and financial capital. Communication is often inconsistently logged in documents and spreadsheets if they are logged at all.
There is no coordination of policy communication and training and no way to prioritize messages and employee tasks. The result is emails and documents that fly about, slip through cracks, are never responded to, or are simply forgotten.
A typical organization may have over two dozen policy portals that are file shares, SharePoint sites, and other intranet sites that struggle with rogue, out-of-date, and inconsistent policies that open the floodgates of liability as they are mismanaged instead of protecting the organization as they should.
One organization found that eighty per cent of their compliance staff time was spent managing and chasing documents and emails for compliance and not actually managing compliance. Another organization spent two hundred hours building an annual report on compliance because all the data was trapped in thousands of documents and emails that had to be aggregated, tabulated, and then reported on.
If compliance, policies, and training programs don’t conform to a structured process, defined audit trail and system of record, use more than one set of vocabulary, are located in different places, and do not offer a mechanism to gain clarity and support, organizations are not positioned to drive desired behaviours in corporate culture or enforce accountability in compliance, ethics, and the new era of corporate integrity with ESG: environmental, social, governance.
With today’s complex business operations, global expansion, and the ever-changing legal/regulatory and compliance environments, well-defined compliance, policy, and training management program is vital to enable an organization to effectively develop and maintain compliance and adherence to values to govern and ensure with integrity.