Compliance Disclosure Solutions: Separating the Simple from the Advanced

GRC 20/20 is seeing a growing demand for compliance management technologies from the Corporate Compliance and Ethics department (e.g., Chief Ethics and Compliance Officer, Chief Compliance Officer). This demand spans from a broad compliance management platform to manage the range of compliance tasks and activities, to focused solutions in areas such as policy management, third party GRC (e.g., vendor/supplier), issue reporting and case management, and the area of compliance disclosures management.

The inquiries on Compliance Disclosure Management solutions is increasing as organizations look to get a handle on areas such as Conflicts of Interest; Gifts, Entertainment and Hospitality; Political Contributions; and other areas compliance disclosure.

While there are several dozen solutions available in the market that do Compliance Disclosure Management, they are not all created equal. One differentiator is the focus. Some are purpose-built for a specific disclosure area such as Conflicts of Interest, and not to be a platform to address a range of compliance disclosure areas. Others are broad disclosure platforms that are highly agile where the organization can adapt fields and customize forms, workflow, tasks, and reporting to meet a range of compliance disclosure areas. While some compliance disclosure solutions operate in a module in a broader compliance management platform (or GRC platform) where disclosure can be managed and cross-referenced to policies, regulations, risks, assessments, and cases.

GRC 20/20 separates Compliance Disclosure Management solutions in the market into basic and competitive solutions, but then also distinguishes advanced capabilities that separate competitive solutions in the market.

  • Basic compliance disclosure management solutions. These are solutions, and there are many of them, that address the basic forms, workflow, and task management of compliance disclosures management with some basic reporting capabilities. They can present a disclosure form, capture attestations, and route the form through a workflow for review and approval/denial. Most often, but not always, they focus on a single compliance disclosure areas such as Conflicts of Interest.
  • Competitive compliance disclosure solutions. These are the solutions that most often come up in RFPs regularly and have stronger capabilities to manage a breadth of compliance disclosures in the organization. They have more advanced reporting capabilities and provide a stronger portal for the configuration and customization of disclosures. Some key capabilities of competitive solutions are:
    • The ability to manage a breadth of disclosure types
    • Configurable and adaptable to organizations specific needs down to the field and value level
    • Strong graphical workflow builder and task management that allows for parallel as well as linear workflows
    • The breadth of templates for forms and reports on disclosures
    • Strong dashboard and reporting engine with pre-built reports as well as the ability to do custom reports
    • The ability to present the relevant policy, gather attestation to the policy and provide the training with the disclosure
    • Provide for regularly scheduled/periodic disclosure campaigns as well as the ad hoc/triggered disclosures when they arise
    • Ability to manage and document disclosures that are exceptions/exemptions to the defined policy and regularly track and monitor them
    • Provide a robust and legally defensible audit trail/system of record of disclosure related activities
    • Allow for attachments, such as documents/evidence, to disclosures

However, what really separates Compliance Disclosure Management solutions in the market are the advanced capabilities. These include:

  • Disclosure forms and workflow that are highly configurable by the average business user (e.g., citizen developer) without extensive IT knowledge
  • Advanced workflow based on disclosure type and role (e.g, hierarchical workflows)
  • Integration with other business systems, such as HR management systems, to populate information and provide information consistency between systems, or to integrate with ERP systems to pull up transaction history for disclosures related to gifts and entertainment to a particular entity in the past
  • Advanced reporting capabilities, including regulatory reporting in which reports are automatically generated in the format specific regulators are looking for (e.g., securities industry reporting for COI)
  • The ability to define and manage disclosure campaigns to broad and specific employee audiences
  • Integration with policy and training so the disclosure form also includes the written policy as well as training on the policy
  • The ability to provide anonymous reporting on issues related to compliance disclosure
  • Risk management capabilities to measure risk and track key risk indicators (KRIs) related to disclosures
  • Mobile interface/application where disclosures can be reported on smartphones and tablets
  • Collaborative engagement that allows disclosure reviewers and disclosures to communicate and interact back and forth to ask questions and provide more information
  • The ability to provide confidential notes that are encrypted and protected by the disclosure reviewer(s)
  • Provide for follow-up tasks and action items that may be scheduled out in advance to follow-up on disclosures that were approved but needs closer monitoring or other activities

These are some of the advanced capabilities that I am encountering regularly. If you are looking for or evaluating Compliance Disclosure Management solutions, feel free to ask an inquiry of GRC 20/20 . . .

Here are some compliance disclosure and policy management resources and events you should be aware of:

Seminars

Policy Management by Design Workshops

Published/Recorded GRC 20/20 Research

Enabling the 1st Line of Defense with Policy, Training & Issue Reporting

Like battling the multi-headed Hydra in Greek mythology, redundant, manual, and uncoordinated governance, risk management, and compliance (GRC) approaches are ineffective. As the Hydra grows more heads of regulation, legal matters, operational risks, and complexity, scattered departments of GRC responsibilities that do not work together become overwhelmed and exhausted and start losing the battle. This approach increases inefficiencies and the risk that serious matters go unnoticed. Redundant and inefficient processes lead to overwhelming complexity that slows the business, at a time when the business environment requires greater agility.

Successful GRC strategy in complex business environments requires layers of protection to ensure that the organization can “reliably achieve objectives [Governance] while addressing uncertainty [Risk Management] and act with integrity [Compliance].”[1] Any strategist, whether in games, sports, combat, or business, understands that layers of defense are critical to the protection of assets and achievement of objectives. Consider a castle in the Middle Ages in which there are layers of protection by moats, gates, outer walls, inner walls, with all sorts of offensive traps and triggers along the way. Organizations are modern castles that require layers of defense to protect the organization and allow it to reliably achieve strategic objectives.

The Three Lines of Defense model is the key model that enables organizations to organize and manage layers of GRC controls and responsibilities. The European Commission originally established it in 2006 as a voluntary audit directive within the European Union. Since this time, it has grown in popularity and is now a globally accepted framework for integrated GRC across lines of defense within organizations – from the front lines, to the back office of GRC, to the assurance and oversight roles. GRC 20/20 sees the Three Lines of Defense Model as critical to enable organizations to reliably achieve objectives while addressing uncertainty and act with integrity.

As the name suggests, the Three Lines of Defense model is comprised of three layers of GRC responsibility and accountability in organizations. These are:

  1. Business Operations.The front lines of the organization across operations and processes comprise the roles that make risk and control decisions every day. This represents the functions within departments and processes that ultimately own and manage risk and controls in the context of business activities. These roles need to be empowered to identify, assess, document, report, and respond to risks, issues, and controls in the organization. This first layer operates within the policies, controls, and tolerances defined by the next layer of defense, GRC professionals.
  2. GRC Professionals.The back office of GRC functions (e.g., risk management, corporate compliance, ethics, finance, health & safety, security, quality, legal, and internal control) are the roles that specify and define the boundaries of the organization that are established in policy, procedure, controls, and risk tolerances. These roles oversee, assess, monitor, and manage risk, compliance, and control activities in the context of business operations, transactions, and activities.
  3. Assurance Professionals.The third layer of defense is assurance professionals (e.g., internal audit, external audit) that provide thorough, objective, and independent assurance on business operations and controls. It is their primary responsibility to provide assurance to the Board of Directors and executives that the first and second lines of defense are operating within established boundaries and are providing complete and accurate information to management. This is accomplished through planning and executing audit engagements to support assurance needs.

While a lot of attention has been given to effective management of the second (risk and compliance managers) and third line (internal audit) of defense, not a lot has focused on how to effectively engage the first line of defense: the employees and managers in the front line of the organizations.

Front line employees are making risk and compliance decisions every day and can either protect or expose the organization to unwanted issues. Risk and compliance are not just about the back office of risk, compliance, and audit management but it is about the front office engagement and education of employees on what is acceptable and unacceptable and how to report issues.  While a lot of attention has been given to effective management of the second (risk and compliance managers) and third line (internal audit) of defence, not a lot has focused on how to effectively engage the first line of defence: the employees and managers in the front line of the organizations.

GRC 20/20 is presenting on a webinar on how to engage and enable the front lines of your organization through effective communication and training on policies and how to report issues and incidents in the organization.

Attendees will learn:

  • GRC in the context of the Three Lines of Defence Model
  • How the second and third line of defense depend on the first line to protect the organization
  • How to effectively communicate and train the first line of defence on policies
  • Methods for first line employees to identify and report issues and incidents
  • How technology can automate and enable the first line of defense
  • Driving efficiency, effectiveness and agility into all three lines of defense

[button link=”https://www.brighttalk.com/webcast/11811/333341?utm_campaign=user_webcast_register&utm_medium=email&utm_source=brighttalk-transact&utm_content=title”]REGISTER[/button]

[1]This is the official definition of GRC that is found in the OCEG GRC Capability Model. www.OCEG.org

Is SMR & CR, the UK Financial Services biggest challenge for 2018?

The UK Senior Manager’s Regime and Certification Regime (UK SMR/CR) is one of the most significant challenges financial services firms are facing right now. The Financial Conduct Authority (FCA) has recently announced that this regulation is going to be applied to all firms governed by the FCA: over 58,000 organizations. This is the governing regulation of all regulation and risk as it enforces senior manager/executive accountability for all aspects of risk and compliance. It puts personal accountability on senior directors and executives on risk, compliance, and control. These individuals could go to jail or be personally fined (and their organization cannot reimburse them). The fines and actions are against them personally. For example, Barclay’s CEO was recently fined £640,000 personally under UK SMR/CR. It is the UK SMR/CR regulation that sees that other regulations as well as risks are properly managed in the organization.

Compliance to UK SMR/CR is a huge issue and is the next wave of compliance and accountability. This is not just a UK trend, but a global shift in personal accountability and responsibility to senior executives and directors that is taking shape around the world. Hong Kong, Australia, Singapore, Japan, Ireland, and even New York (more of a board focus) all have similar developing legislation/regulation in varying aspects . . .

The rest of the article can be read via the link in the button below. Michael Rasmussen of GRC 20/20 posted this as a guest blog on www.governorsoftware.com.

[button link=”https://www.governorsoftware.com/news/is-smr-cr-the-uk-financial-services-biggest-challenge-for-2018″]READ MORE[/button]

Technology Priorities for Compliance & Ethics

Past compliance processes were bogged down in documents and technology silos, which led to laborious and costly processes to gather information and report on compliance risk. Compliance departments over-relied on spreadsheets, documents, and email that lacked an audit trail, creating a legal disaster since organizations lack a defensible position when it cannot prove compliance with a proper system of record and audit trail. With no auditable system of record, compliance information can also be compromised or tampered with. What may seem like an insignificant risk in one source of information may have a different appearance when other relationships are factored in. Siloed documents and processes create inefficiency, out-of-sync controls, and corporate policies that are inadequate to manage compliance. Organizations are encumbered by unnecessary complexity because they manage compliance within specific issues, without regard for an integrated framework and architecture, wasting time and resources in the process.

Effective compliance requires technology that has a robust system of record that proves a state of compliance and documents any changes made, thus providing a complete audit trail. In order for compliance to be an active and living part of the organization and culture, intelligent organizations are implementing a comprehensive compliance technology architecture.

Value Organizations Needed from Compliance & Ethics Technology

In a recent survey GRC 20/20 did in conjunction with OCEG (Technology Priorities for Compliance & Ethics: Aligning Technology to Changing Requirements), we asked the question, “Which of the following options align MOST with the value you would derive from an integrated ethics and compliance software solution?” The respondents indicated that their five most critical values for a compliance software platform are as follows:

  1. Regulatory Compliance and Defensibility. Ensure your company satisfies regulatory requirements and demonstrates ethical behavior by clearly documenting policy attestations, training completions, and investigations.
  2. Align Corporate Goals with Ethics and Values. Update business processes such as policy attestation, training, procurement, and employee communication to operationalize ethics and values. Analyze helpline issues and campaigns to identify and close gaps.
  3. Manage Your Complete Program with One Platform. One user interface via single-sign on for hotline/case, disclosures, training, policy and third-party risk, and reduced reporting time with pre-built dashboards to visualize and analyze compliance data with HR, procurement and travel data.
  4. Protect Your Brand. Increase employee engagement through helpline responsiveness and surface risks through centrally managed disclosures. Gaining employee trust mean issues are reported internally and not to external media.
  5. Frictionless Employee Engagement. Easy-to-use multi-channel intake methods via hotline (phone), web, text (SMS), proxy, and disclosures allows for accessible ways for employees to report workplace issues ensuring the employee voice is heard.

While all of these values were critical, it was having the robust system of record to defend compliance and the ability to align corporate goals with the ethics and values of the organization that was ranked the most critical.

Broad Capabilities Needed from Compliance & Ethics Technology

Next, we focused on the capabilities organizations desired from technology to automate compliance and ethics processes. The top five capabilities that organizations ranked were:

  1. Compliance Reporting. Standard reporting that shows the number of reported issues by type and region, tracks policy attestations and online training completions, and shows disclosures up for review. The capability to export data for analysis in spreadsheets or business intelligence (BI) software.
  2. Policy Management. Distribute policies and track attestations with the option of targeting specific employee groups based on HR attributes, archiving older policy versions automatically, and quick search and retrieval of attested policies by employee.
  3. Learning Management. Distribute online training courses and track course completions, allow use of any standard training content (in-house or externally sourced) without depending on any one vendor.
  4. Disclosure Management. Distribute conflict of interest and gifts, travel and entertainment disclosure questionnaires for review, approval or conditional approval. Allow employee self-service and disclosure updates, and track all Yes and No answers for proactive risk management.
  5. Helpline and Case Management. Multilingual, global, and 24/7 incident reporting via anonymous phone, text, web, or proxy that allows investigators to manage simple or complex cases with multiple allegations and parties within the same case.

Upcoming Events . . .

Latest Research . . .

Compliance in Dynamic and Distributed Business

The hot topic for 2018 is certainly compliance. Compliance is more than adherence to laws and regulations, it is about the integrity of the organization to it’s ethics, values, social responsibility, policies, commitments, contracts, and controls. I have been stating for over a decade that the best executive title for a compliance executive is a Chief Integrity Officer, but we already have a CIO in the executive suite. A particular focus right now is on sexual harassment. I am having a lot of conversations on this front with organizations looking to communicate policies and deliver training. While this is critical to compliance, it needs to be lived and breathed by all levels of management as well.

Individual ethics and values also have to align with corporate ethics and values. It was just over a decade a go that I left a former employer. Why? A difference in values on a topic that is so critical today. The organization paraded at a company meeting how they were having a senior executive of an ‘adult entertainment’ company keynote at one of our conferences. Though I am a man, I thought this was a slap in the face to the women that worked in the company and were our clients. I protested and it was the foundational reason I left. Things need to change, and compliance is critical in changing it.

Organizations operate in a field of ethical, regulatory, and legal landmines. The daily headlines reveal companies that fail to comply with regulatory obligations. Corporate ethics is measured by what a corporation does and does not do when it thinks it can get away with something. Compliance management boils down to defining – and maintaining – corporate integrity.

Compliance is not easy. The larger the organization the more complex its operations and corresponding compliance obligations are. Adding to the complexity of global business, today’s organization is dynamic and constantly changing. The modern organization changes by the minute. New employees start, others change roles, some leave the organization. New business partner relationships are established, others terminated. The business enters new markets, opens new facilities, contracts with agents, or introduces new products. New laws are introduced, regulations change, the risk environment shifts (e.g., economic, geo-political, operational), impacting how business is conducted.

The dynamic and global nature of business is particularly challenging to a corporate compliance and ethics program. As organizations expand operations and business relationships (e.g., vendors, supply chain, consultants, and staffing) their compliance risk profile grows exponentially. To stay competitive, organizations need systems to monitor internal compliance risk and external compliance risk. What may seem insignificant in one area can have profound impact on others.

In an ever-changing business environment, how does your organization validate that it is current with legal, regulatory, policies, and ethical obligations?

Compliance obligations and ethical risk is like the hydra in mythology—organizations combat risk, only to find more risk springing up. Executives react to changing compliance requirements and fluctuating legal and ethical exposure, yet fail to actively manage and understand the interrelationship of compliance data. To maintain compliance and mitigate risk exposure, an organization must stay on top of changing requirements as well as a changing business environment, and ensure changes are in sync. Demands from governments, the public, business partners, and clients require your organization to implement defined compliance practices that are monitored and adapted to the demands of a changing business and regulatory environment.

The Inevitable Failure of Compliance Silos

Compliance activities managed in silos of technology often lead to the inevitable failure of an organization’s governance, risk management, and compliance (GRC) program. Reactive, document-centric, and siloed information and processes fail to manage compliance, leaving stakeholders blind to the intricate relationships of compliance risk across the business. Management is not thinking about how compliance processes can provide greater insight into the state of the integrity of the organization. This ad hoc approach results in poor visibility across the organization and its control environment.

A non-integrated approach to compliance information results in these phenomena, each one feeding off the last:

  • Redundant and inefficient processes. Managing compliance in silos hinders big-picture thinking. Little thought goes into how resources can be leveraged for greater effectiveness, efficiency, and agility. The organization ends up with a variety of processes, applications, and documents to meet individual compliance mandates. The result: a major drain of time and resources.
  • Poor visibility across the enterprise. Siloed initiatives result in a reactive approach to compliance. Islands of information are individually assessed and monitored. Departments are burdened by multiple compliance assessments asking the same questions in different formats. Limited visibility across the compliance risk exposure ensues.
  • Overwhelming complexity. The lack of integrated processes introduces complexity, uncertainty, and confusion. Inconsistent processes increase inherent risk, more points of failure, and more compliance gaps leading to unacceptable risk. Mass confusion reigns for the organization, regulators, stakeholders, and business partners.
  • Lack of agility. Reactive compliance strategies managed in information silos handicaps the business. Bewildered by a maze of approaches, processes and disconnected data, the organization is incapable of being agile in a dynamic and distributed business environment.
  • Greater exposure and vulnerability. When compliance is not viewed holistically, the focus is only on what is immediately in front of each department, at the expense of enterprise-wide inter-dependencies. This fragmented view creates gaps that cripple compliance management and creates a business ill-equipped for aligning compliance initiatives to business objectives.

Compliance Management: Does Your Organization Walk its Talk?

Increased regulatory and ethical pressures are transforming the traditional role of compliance. Compliance departments are taking on broader responsibility for ethics, compliance, corporate culture, and social responsibility. With greater frequency, they are moving out from under the legal department into a direct reporting relationship to the CEO and/or Board, particularly in highly regulated industries.

Some organizations are differentiating between operational compliance and legal compliance by leaving a function within legal for monitoring and interpreting relevant laws. In some cases, regulators are requiring, and at least encouraging, compliance to report outside of legal so it has greater autonomy to raise and resolve issues. The critical point: enabling compliance to report directly to the Board of Directors. Since 1996 in the US, oversight responsibility to ensure compliance and ethics programs are in place falls squarely on the Board. This was made clear in the United States Sentencing Commission Organizational Guidelines that require Boards be knowledgeable about compliance risk, the content and operation of the compliance and ethics program, and exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program – with specific ability for the compliance function to have direct access to the Board or an appropriate subgroup of the board.[1]

Most companies today at least try to address the legal requirements and compliance obligations bearing down on it. However, the role of compliance is quickly changing. Compliance today is more than checking boxes on regulatory to-do lists, more than finding and fixing problems. Compliance and governance is evolving from scattered silos to a strategic enterprise pillar of being the bastion and champion of corporate integrity.

Therefore, we see that compliance is mandated to take on greater relevance as it guides the enterprise beyond traditional concepts of being the compliance “cop.” This requires an integrated role in the organization’s proactive GRC management programs. Ideally, today’s compliance function will possess a solid understanding of the company’s ethical, regulatory, and cultural risks, how they relate to each other, and how they fit into broader enterprise risk strategies. Reliance on well-established processes will provide assurance that ethics and compliance efforts are sufficient and operate as designed.

Today’s business entity must ensure compliance is understood and managed company-wide; that its obligations are more than written policies, but part of the fabric of operations; and that a strong culture ensures transparency, accountability, and responsibility as part of its ethical environment. A strong compliance program requires a risk-based approach that can efficiently prioritize resources to risks that pose the greatest exposure to the organization’s integrity.

Yesterday’s compliance program no longer works. Boards desire a deeper understanding of how the organization is addressing compliance, whether its activities are effective, and how they are enhancing shareholder value and providing assurance on the integrity of the organization. Oversight demands are changing the role of the compliance department to an active, independent program that can manage and monitor compliance from the top down. The breadth and depth of compliance bearing down on companies today requires a robust compliance program operating in the context of integrated processes and information.

[1] USSC – http://www.ussc.gov/Guidelines/Organizational_Guidelines/guidelines_chapter_8.htm


Upcoming Events . . .

Latest Research . . .

GRC Archetypes: Compliance & Ethics Management

Compliance and ethics has become a significant challenge for organizations across industries, geographies, and business boundaries. It is inundated with challenges such as anti-bribery and corruption, market conduct, conflict of interests, third party (e.g., vendor/supplier) compliance, code of conduct, and more. Organizations are struggling to deal with the pace of regulatory change. Not only from new regulations, but changing/evolving regulations, enforcement actions, and administrative decisions. Global financial services firms are dealing with approximately 201 regulatory change events every business day (source: Thomson Reuters).

Compliance becomes further complicated by different geographies that have different approaches to compliance. In the USA it is very much a check-box/prescriptive approach. Organizations want a specified list of what they have to do and then want a “get out of jail free” card if they do those things. In Europe the approach is focused on principle or outcome-based compliance. It is not prescriptive. Regulators tell you what you have to achieve as an outcome but not tell you how you have to achieve it. This requires a much stronger risk management approach to compliance to determine how best to comply.

The challenge for compliance and ethics grows exponentially as organizations face greater obligations to manage compliance across its third party relationships of vendors, suppliers, outsourcers, service providers, contractors, consultants, intermediaries, brokers, agents, dealers, and other partners. There compliance and ethical issues are the organizations compliance and ethical issues. The legal and regulatory environment of today is making that clearer than ever.

Though compliance and ethics is much more than regulatory compliance. Compliance and ethics is about the very integrity of the organization. Not just meeting regulatory requirements, but ensuring the organization is in aligned and adhering to the values, ethics, policies, corporate social responsibility commitments, contracts, and other obligations of the organization. I have been stating for the past decade that the true Chief Compliance and Ethics Officer is really the Chief Integrity Officer of the organization.

The truth of compliance is that it is very fragmented. In all of my research, spanning interactions with thousands of organizations, I have not encountered one Chief Ethics & Compliance Officer that is truly responsible for oversight of all of compliance. There are many disconnected factions of compliance in organizations: corporate compliance and ethics, human resources compliance, IT compliance, privacy compliance, quality compliance, third party compliance, environmental compliance, health and safety compliance, . . . .

The problem is this leads to a lot of redundancy. Organizations are finding that they lack agility as there are uncoordinated approaches to compliance and the business is struggling with multiple systems and processes that are very repetitive and confusing. Organizations often have dozen of policy portals, different approaches for compliance assessments and surveys, a mixture of processes for reporting and managing incidents and cases . . . this hinders the organization, things get missed, and the organization ends up in hot water.

An ad hoc approach to compliance management exposes the organization to significant liability. This liability is intensified by the fact that today’s GRC programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of compliance, how it was managed, who was responsible, what was done, who attested to it, what exceptions were granted, and how violations and resolution was monitored and managed. With today’s complex business operations, global expansion, and the ever changing legal, regulatory, and compliance environments, a well-defined compliance and ethics management program is vital to enable an organization to effectively develop and maintain the wide gamut of compliance tasks it needs to govern with integrity.

THE QUESTION: How is your organization approaching compliance and ethics management? Can you map yourself to one of the following GRC archetypes of compliance and ethics management?

  • Fire Fighter. Your organization approaches compliance and ethics management in an ad hoc fly by the seat of your pants approach. Compliance management is not structured and is addressed when there is a burning issue, incident, compliance requirement, or other pressure. Even then, it is about addressing the narrowest understanding of the requirement before you and not thinking strategically about compliance and ethics management. Compliance management is addressed in manual processes with file shares, documents, spreadsheets, and emails. The organization does not have an integrated solution to manage compliance and ethics planning, regulatory change, assessments, policies, issue reporting, third party management, and case management.
  • Department Islander. In this archetype, your organization has a more structured approach to compliance management within specific departments. There is little to no collaboration between departments and you often have different departments with a vested interest in compliance management going in different directions with a significant amount of redundancy and inefficiency. Departments may have specific technology deployed for compliance management, or may still be relying on manual processes with documents, spreadsheets, and emails. The result is a variety of compliance processes in different portals and file shares with inconsistent formats and templates.
  • GRC Collaborator. This is the archetype in which your organization has cross-department collaboration for compliance management to provide consistent processes and structure for compliance management. However, the focus is purely on addressing significant compliance concerns and risks. It is more of a checkbox mentality in collaborating on what needs to be done to manage compliance to meet requirements. Most often there is a broader compliance management platform deployed to manage compliance processes and tasks, but some still rely on manual processes supported by documents, spreadsheets, and emails.
  • Principled Performer.  This is the model in which the organization is focused on managing the integrity of the organization across its business and its relationships. Compliance and ethics management is more than meeting requirements but is about encoding, communicating, and monitoring boundaries of expected conduct to develop a strong and consistent corporate culture aligned with the ethics, values, and obligations of the organization. Compliance obligations are mapped to risks and objectives and actively understood and managed as critical governance processes of the organization. Compliance and ethics management is about the integrity of the organization and embraces corporate social responsibility, ethics, and the values of the organization and not just regulatory requirements.

The haphazard department and document centric approaches for compliance and ethics management of the past compound the problem and do not solve it.  It is time for organizations to step back and define a cross-functional and coordinated team to define and govern compliance and ethics management. Organizations need to wipe the slate clean and approach compliance and ethics management by design with a strategy and architecture to manage the ecosystem of compliance and ethics processes throughout the organization with real-time information about conformance and how it impacts the organization.

GRC 20/20’s Compliance Management Workshop

GRC 20/20 will be leading a free interactive workshop to facilitate discussion and learning between organizations on Policy Management on the following dates and locations:

Strategy Perspective on Compliance Management

Research Briefings on Compliance Management

Solution Perspectives on Policy Management

Case Studies on Policy Management

Compliance Automation: The Role of Technology in Today’s Dynamic Organization

Compliance is not easy. Organizations across industries have global clients, partners, and business operations. Adding to the complexity of global business, today’s organization is dynamic and constantly changing. The modern organization changes by the minute. The dynamic and global nature of business is particularly challenging to compliance management. As organizations expand operations and business relationships (e.g., vendors, supply chain, consultants and staffing) their risk profile grows exponentially. To stay competitive, organizations need systems to monitor internal risk (e.g., strategy, processes and internal controls) and external risk (e.g., legal, regulatory, competitive, economic, political and geographic environments). What may seem insignificant in one area can have profound impact on others.

Compliance activities managed in silos often lead to the inevitable failure of a compliance program. Reactive, document-centric, siloed information and processes fail to manage compliance, leaving stakeholders blind to the intricate relationships of compliance across the business. Management is not thinking about how compliance processes can provide greater insight. This ad hoc approach results in poor visibility across the organization and its control environment. 

A non-integrated approach to compliance management results in these phenomena, each one feeding off the last:

  • Redundant and inefficient . . .

The rest of this blog post can be found as a guest blog at SureCloud:

[button link=”https://www.surecloud.com/blog/compliance-automation-role-technology-today’s-dy-namic-organization-0″]READ MORE[/button]

Compliance and Risk Bear Down on the Organization 

Compliance in Dynamic and Distributed Business

Compliance is not easy. Organizations across industries have global clients, partners, and business operations. The larger the organization the more complex its operations. Adding to the complexity of global business, today’s organization is dynamic and constantly changing. The modern organization changes by the minute. New employees come, others leave, roles change. New business partner relationships are established, others terminated. The business enters new markets, opens new facilities, contracts with agents, or introduces new products. New laws are introduced, regulations change, the risk environment shifts (e.g., economic, geo-political, operational), impacting how business is conducted.

The dynamic and global nature of business is particularly challenging to compliance risk management. As organizations expand operations and business relationships (e.g., vendors, supply chain, consultants and staffing) their risk profile grows exponentially. To stay competitive, organizations need systems to monitor internal risk (e.g., strategy, processes and internal controls) and external risk (e.g., legal, regulatory, competitive, economic, political and geographic environments). What may seem insignificant in one area can have profound impact on others.

In an ever-changing business environment, how does your organization validate that it is current with legal, regulatory, policies, and other obligations? 

Compliance obligations and ethical risk is like the hydra in mythology—organizations combat risk, only to find more risk springing up. Executives react to changing compliance requirements and fluctuating legal and ethical exposure, yet fail to actively manage and understand the interrelationship of risk and compliance. To maintain compliance and mitigate risk exposure, an organization must stay on top of changing regulatory requirements as well as a changing business environment, and ensure changes are in sync. Demands from governments, the public, business partners, and clients require your organization to implement defined compliance practices that are monitored and adapted to the demands of a changing business and regulatory environment.

The Inevitable Failure of Compliance Silos

Compliance activities managed in silos often lead to the inevitable failure of an organization’s governance, risk management, and compliance (GRC) program. Reactive, document-centric, siloed information and processes fail to manage compliance, leaving stakeholders blind to the intricate relationships of compliance risk across the business. Management is not thinking about how compliance and risk management processes can provide greater insight. This ad hoc approach results in poor visibility across the organization and its control environment.

A non-integrated approach to compliance risk management results in these phenomena, each one feeding off the last:

  • Redundant and inefficient processes. Managing compliance risk in silos hinders big-picture thinking. Little thought goes into how resources can be leveraged for greater effectiveness, efficiency and agility. The organization ends up with a variety of processes, applications and documents to meet individual compliance needs. The result: a major drain of time and resources.
  • Poor visibility across the enterprise. Siloed initiatives result in a reactive approach to compliance. Islands of information are individually assessed and monitored. Departments are burdened by multiple risk and compliance assessments asking the same questions in different formats. Limited visibility across the risk landscape ensues.
  • Overwhelming complexity. The lack of integrated processes introduces complexity, uncertainty, and confusion. Inconsistent processes increase inherent risk, more points of failure, and more compliance gaps leading to unacceptable risk. Mass confusion reigns for the organization, regulators, stakeholders, and business partners.
  • Lack of agility. Reactive risk and compliance strategies managed in information silos handicaps the business. Bewildered by a maze of approaches, processes and disconnected data, the organization is incapable of being agile in a dynamic and distributed business environment.
  • Greater exposure and vulnerability. When compliance is not viewed holistically, the focus is only on what is immediately in front of each department, at the expense of enterprise-wide co-dependencies. This fragmented view creates gaps that cripple compliance management and a business ill-equipped for aligning compliance initiatives to business objectives.

Compliance Risk Management: Does Your Organization Walk its Talk?

Organizations operate in a field of ethical, regulatory, and legal landmines. The daily headlines reveal companies that fail to comply with regulatory obligations. Corporate ethics is measured by what a corporation does and does not do when it thinks it can get away with something. Compliance risk management boils down to defining – and maintaining – corporate integrity.

Most companies today at least try to address the legal requirements and compliance obligations bearing down on it. However, the role of compliance is quickly changing. Compliance today is more than checking boxes on regulatory to-do lists, more than finding and fixing problems. Compliance and governance is evolving from scattered silos to a strategic enterprise pillar.

Today’s business entity must ensure compliance risk is understood and managed company-wide. That its obligations are more than written policies, but part of the fabric of operations. That a strong culture ensures transparency, accountability, and responsibility as part of its ethical environment. A strong compliance program requires a risk-based approach that can efficiently prioritize resources to risks that pose the greatest exposure.

The Bottom Line: Yesterday’s compliance program no longer works. Boards desire a deeper understanding of how the organization is addressing compliance risk, whether its activities are effective, and how they are enhancing shareholder value. Oversight demands are changing the role of the compliance department to an active, independent program that can manage and monitor compliance risk from the top down. The breadth and depth of compliance risk bearing down on companies today requires a robust compliance program operating in the context of integrated enterprise risk management.

Check Out These GRC 20/20 Compliance Management Resources . . .

Enabling an Integrated Compliance Lifecycle

Inevitability of Failure

Ineffective Processes to Manage Regulatory Change and Compliance

Regulatory change is overwhelming organizations across industries. Organizations are past the point of treading water as they actively drown in regulatory change from turbulent waves of laws, regulations, enforcement actions, administrative decisions, and more around the world. Regulatory compliance and reporting is a moving target as organizations are bombarded with thousands of new regulations and changes to existing regulations each year, making change the single greatest challenge for organizations in the context of compliance. Each vortex of change is hard to monitor and manage individually, let alone to gain an understanding of how they impact each other.

Keeping current with regulatory change and keeping the organization’s policies and procedures up to date and linked to compliance requirements is not easy. Regulators across industries and jurisdictions are requiring that compliance is not just operationally effective, but is well documented. However, organizations often do not have adequate processes or resources in place to monitor regulatory change and maintain compliance. Organizations struggle to be proactive and intelligent about regulatory developments, failing to prioritize and revise impacted policies as needed. Instead, most organizations end up firefighting trying to keep the flames of regulatory change controlled.

Organizations that GRC 20/20 has interviewed in the context of regulatory change management reference the following challenges to processes and resources:

  • Frequency of change and number of information sources overwhelms. The frequency of updates is challenging from the regulators themselves but then comes the flood of updates from aggregators, experts, law firms, and more. Organizations often subscribe to and utilize multiple sources of regulatory content  that require time-intensive analysis in order to properly understand the potential impact on the business and determine the actions required to comply.
  • Insufficient headcount and subject matter expertise. Regulatory change has tripled in the past five years. The effort to identify all of the applicable changes related to laws and regulation is time consuming, and organizations are understaffed. Most have not added FTEs or changed their processes despite the continued increase in regulatory change.
  • Limited workflow and task management. Organizations rely on manual processes that lack accountability and follow-through. It’s not possible to verify who reviewed a change, what actions were taken as a result, or if the task was transferred to someone else. This environment produces a lack of visibility into the status of compliance obligations—there is uncertainty regarding ownership of initial review and an inability to sufficiently track what actions were taken as a result, let alone obtain reliable information on which items are “closed.” Compliance documentation is scattered in documents, spreadsheets, and emails in different versions.
  • Lack of an audit trail. The manual and document-centric approach to regulatory change lacks defensible audit trails, which regulators require. This leads to gaps in accountability and a lack of integrity in compliance records regarding who reviewed which change and what action was taken as a result. The lack of an audit trail can be conducive to deception: individuals can fabricate or mislead about their actions to cover a trail, hide their ignorance, or otherwise get themselves out of trouble.
  • Limited reporting. Manual and ad hoc regulatory change processes do not deliver intelligence. Analyzing and reporting across hundreds to thousands of scattered documents takes time and is prone to error. This approach lacks an overall information architecture and thus is inadequate to effectively report on the number of changes, ownership of the review process, the status of business impact analysis, and courses of action. An inability to make sense of data collected in manual processes and thousands of documents exposes the organization to significant risks.
  • Wasted resources and spending. Silos of ad hoc regulatory change monitoring lead to wasted resources and hidden costs. Instead of determining how resources can be leveraged to efficiently and effectively manage regulatory change, the different parts of the organization go in different directions with no system of accountability and transparency. The organization ends up with inefficient, ineffective, and unmanageable processes and resources, unable to respond to regulatory change. The added cost and complexity of maintaining multiple processes and systems that are insufficient to produce consistent results wastes time and resources, and creates excessive and unnecessary burdens across the organization.
  • Misaligned business and regulatory agility. Regulatory change management without a common process supported by an information architecture that facilitates collaboration and accountability lacks agility. Change is frequent in organizations and coming from all directions. When information is trapped in scattered documents and emails, the organization lacks a full perspective of regulatory change and business intelligence. As a result, the organization struggles with inefficiency and cannot adequately prioritize the most important and relevant issues in order to make informed decisions.
  • No accountability and structure. Ultimately, there is insufficient accountability for regulatory change management, and the process fails to be agile, effective, and efficient in its use of resources. The regulatory change process must install strict accountability for subject matter expert review and analysis, compliance obligation task ownership and the ongoing monitoring of outstanding tasks to ensure that compliance deadlines are met.

The bottom line: Processes for managing regulatory change often constitute a myriad of subject matter experts that monitor regulatory change on an ad-hoc basis and rely on email to communicate compliance tasks to stakeholders.  Manual processes and a lack of accountability result in an inability to adequately monitor regulatory changes and predict the readiness of the organization to meet new requirements. Compliance professionals spend significant time and resources researching the mandates they must follow and struggle to keep up with new requirements and identify how changing regulations impact existing policies. A haphazard, siloed and document-centric approach to managing regulatory change results in missed requirements, wasted time, and accelerated costs. It is time for organizations to step back and implement a structured process and technology for compliance management.

Regulatory Change Management Maturity Model: From Ad Hoc to Agile

This is part 5 and final post in the series on regulatory change management, part of the broader series of posts on the Greatest GRC Challenges companies are facing today.  Next we will look at changing risk environments.  In the previous posts we explored:

In this post I detail GRC 20/20’s maturity model to measure regulatory change management programs to support an efficient, effective, and agile process. These posts are excerpts from the broader GRC 20/20 Research Paper: Regulatory Change Management: Effectively Managing Regulatory Change


Mature regulatory change management requires the organization to align on regulatory risk. It also involves participation across the organization at all levels to identify and monitor uncertainty and the impact of regulatory change.

GRC 20/20 has developed the Regulatory Change Management Maturity Model to determine an organization’s maturity in regulatory change management processes as well as information and technology architecture.

The GRC 20/20 Regulatory Change Management Maturity Model is summarized as follows:

Level 1 – Ad Hoc

Organizations at this stage lack a structured approach to regulatory change management and are constantly putting out fires and being caught off guard. Few if any resources are allocated to monitor regulatory change. The organization addresses regulatory change in a reactive mode—doing assessments when forced to. There is no ownership or monitoring of regulatory change and certainly no integration of regulatory change information and processes. Characteristics of this stage are:

  • Lack of a defined regulatory taxonomy
  • Ad hoc and reactive approaches to regulatory and business change
  • Document and email-centric approaches
  • Lack of accountability

Level 2 – Fragmented

In the Fragmented stage, departments are focused on regulatory change management within respective functions—but information and processes are highly redundant. The organization may have limited processes for regulatory change but largely does not benefit from the efficiencies of an integrated approach. Regulatory change management is very document-centric and lacks an integrated process, information and technology architecture. Positively, there is some structure to regulatory change responsibilities—but the management of regulatory change lacks accountability as it is done largely in documents and email that lack structures of accountability and automation. Characteristics of this stage are:

  • Varied approaches to regulatory change
  • Lack consistent structure
  • Lack integration or formal processes for sharing regulatory information
  • Reliance on fragmented technology with a focus on discrete documents

Level 3 – Managed

The Managed stage represents a mature regulatory change management program that is using technology for structured workflow, task management, and accountability. Regulatory change functions have defined processes for regulatory change management, an integrated information architecture supported by technology and ongoing reporting, accountability, and oversight. Though there is no integration of regulatory content feeds into the technology platform. Characteristics of this stage are:

  • Visibility into regulatory change across the business
  • Established processes for regulatory change
  • Good use of technology to manage accountability

Level 4 – Integrated

It is at the integrated stage that the organization begins to integrate regulatory content feeds into the technology platform for automation. The organization has consistent regulatory taxonomy, process, information, and technology to streamline regulatory change management processes. The organization is seeing gains in addressing regulatory change through shared information that achieves greater agility, efficiency and effectiveness in a common technology architecture that enables consistent management of regulatory change. Standardized workflow is integrated into regulatory and legal content feeds. Characteristics of this stage are:

  • Strategic approach to regulatory change across departments
  • Common process, technology and information architecture
  • Integration of legal/regulatory content feeds
  • Reporting across departments

Level 5 – Agile

At the Agile stage, the organization has completely moved to an integrated approach to regulatory change management across the organization. This results in a shared-services approach in which core regulatory change technology, content, and processes are shared centrally. The approach is characterized through a mature regulatory taxonomy with integrated and actionable regulatory content automated by technology. The organization has enterprise workflow that provides business-process automation for regulatory change with oversight and management of regulatory change. Regulatory content feeds deliver fully analyzed content that identifies relevancy, impacts and tasks. Characteristics of this stage are:

  • Regulatory intelligence achieved through integration of analyzed content and enterprise technology
  • Consistent views of regulatory change and impact on operations and policies
  • Able to efficiently manage business change in regulatory context

GRC 20/20’s Final Perspective

The constant changes in today’s regulatory environments translate to a growing burden on organizations in terms of the number of regulations they face and their scope. Many organizations do not possess the necessary regulatory change management infrastructure and processes to address these changes and, consequently, find themselves at a competitive disadvantage and subject to regulatory scrutiny and losses that were preventable. These organizations can greatly benefit from moving away from manual and ad hoc process changes and toward a system specifically designed to manage those changes comprehensively and consistently. Such a system gathers and sorts relevant information, routes critical information to subject matter experts, models and measures potential impact on the organization, and establishes personal accountability for action or inaction.