A Special Guest Blog by Michael Rasmussen.
Compliance is Not Easy
Organizations across industries have global clients, partners, and business operations. Adding to the complexity of global business, today’s organization is dynamic and constantly changing. New employees come, others leave, roles change. New business partner relationships are established, others terminated. The business enters new markets, opens new facilities, contracts with agents, or introduces new products. New laws are introduced, regulations change, the risk environment shifts (e.g., economic, geo-political, operational), impacting how business is conducted. As organizations expand operations and business relationships (e.g., vendors, supply chain, consultants and staffing) their compliance risk profile grows exponentially.
The dynamic and global nature of business makes managing compliance challenging. Compliance activities managed in silos often lead to the inevitable failure of an organization’s compliance program. Reactive, document-centric, siloed information and processes fail to manage compliance, leaving stakeholders blind to the intricate relationships of compliance risk across the business. Management is not thinking about how compliance management processes can provide greater insight. This ad hoc approach results in poor visibility across the organization and its environment.
Compliance obligations and ethical risk are like the hydra in mythology: organizations combat risk, only to find more risk springing up. To maintain compliance and mitigate risk exposure, an organization must stay on top of changing regulatory requirements as well as a changing business environment, and ensure the two are kept in sync. Demands from governments, the public, business partners, and clients require an organization to implement agile compliance practices that are monitored and adapted to the demands of a changing business and regulatory environment.
Developing a Compliance Management Strategy
Increased regulatory and ethical pressures are transforming the traditional role of compliance. Compliance departments are taking on broader responsibility for ethics, compliance, corporate culture, and social responsibility. With greater frequency, they are moving out from under the legal department into a direct reporting relationship to the CEO and/or Board, particularly in highly regulated industries. This requires an integrated role in the organization’s proactive risk management programs.
Compliance is now challenged to take an agile, risk-based approach to compliance processes. This requires the organization to take in information from the external business and regulatory environment, understand the context of a dynamic and distributed business, and model risk along with its present and future business impact.
Ideally, today’s compliance function will possess a solid understanding of the company’s ethical, regulatory, and cultural risks, how they relate to each other, and how they fit into broader enterprise risk strategies. Reliance on agile compliance management processes will provide assurance that ethics and compliance efforts are sufficient and operate as designed.
The core principles of agile compliance management are:
- Understand your risk. An organization needs to have a risk-based approach to managing compliance and ethics. This includes a periodic assessment (e.g., annual) of the exposure to the organization for unethical conduct. However, the risk assessment process should also be dynamic – done each time there is a significant business change that could lead to exposure and incidents (e.g., mergers and acquisitions, new strategies and markets).
- Approach compliance in proportion to risk. How an organization implements compliance procedures and controls is to be based on the proportionality of the risk it faces. If a certain area of the world or a business partner scores as a higher risk for corruption or ethical issues, the organization is to respond with stronger procedures and controls. Proportionality of risk also applies to the size of the business – smaller organizations are not expected to have the same measures as large enterprises.
- Monitor the risk and regulatory environment. Content and information on changes to the risk and regulatory environments are critical to understanding ever-changing compliance risk. New laws, changed regulations, court rulings, and amended standards change the organization’s compliance requirements. A defined process, with clear accountability, for monitoring changes in the risk and regulatory environments is essential.
- Tone at the top. The compliance risk management program should be fully supported by the Board of Directors and C-suite. Communication to top-level management must be bidirectional. Leadership is to communicate their definition of acceptable and unacceptable risk and their support for the compliance program. To fulfill their fiduciary obligations, executives and Board members should always be informed about the effectiveness and operations of the compliance risk management program.
- Know who you do business with. Know your business relationships. This requires an established risk-monitoring framework that catalogs all third-party relationships, markets, and geographies. Strict due diligence ensures the organization is contracting with ethical partners. If there is a high degree of risk of corruption, compliance, and ethical issues, implement additional preventive and detective controls in accordance with the risk. Also, know your employees and conduct background checks to determine if they are susceptible to corruption or unethical conduct.
- Keep information current. Due diligence and risk assessment efforts are to be kept current. These are not point-in-time efforts that happen once; perform assessments on a regular basis or whenever you become aware of conditions that point to increased risk from ethics and compliance issues.
- Compliance oversight. Make a trusted executive responsible for the oversight of compliance risk processes and activities. This includes the authority to report compliance and ethical risk to an independent monitoring body, such as the audit committee.
- Manage change. It is essential to monitor the business for changes that can impact its compliance program or introduce greater risk to corporate ethics. Document changes required to business practices as a result of observations and investigations. Implement changes to address deficiencies through a deliberate program of change management. This requires that changes be monitored by compliance to be proactive in preventing corruption.
Success in compliance risk management begins with a strategy that addresses how the organization can effectively manage compliance risk across the organization: a strategy that ordains compliance as a continuous, ongoing process to be monitored, maintained, and nurtured daily. This requires a process, information, and technology architecture to manage compliance risk, and that architecture must be context-driven and agile. Compliance must be an active, living part of the organization and its culture, able to detect and prevent issues as a continuous process. Today’s organizations require an integrated and agile compliance risk management strategy, operating as an integrated function of the business and its operations.