Delivering on Agile Compliance in Dynamic Business
- A Special Guest Blog by Michael Rasmussen
Organizational exposure to compliance risk is rising while the cost of compliance soars. Organizations operate in a field of ethical, regulatory, and legal landmines. The daily headlines reveal companies that fail to live up to their obligations and values. Corporate ethics is measured by what a corporation does and does not do when it thinks it can get away with something. Compliance management boils down to defining – and maintaining – corporate integrity.
However, compliance is not easy. Organizations are complex and dynamic. The modern organization changes by the minute or even by the second, and it can go from a state of compliance to non-compliance in the blink of an eye. Processes change. Technology changes. Employees change. Business relationships change. The business enters new markets, opens new facilities, contracts with agents, or introduces new products. New laws are introduced, regulations change, and the risk environment shifts (e.g., economic, geopolitical, operational), all of which affect how business is conducted.
In an ever-changing business environment, how does your organization validate that it is current with its legal, regulatory, policy, and other obligations?
To maintain compliance, an organization must stay on top of changing regulatory requirements as well as a changing business environment, and ensure that the two stay in sync.
An ad hoc or reactive approach to compliance breeds complexity and slows the business down. In the past, organizations have addressed compliance one obligation at a time, resulting in multiple redundant initiatives working in isolation. These isolated compliance initiatives tend to rely on manual processes burdened with costly assessments managed through unreliable spreadsheets, documents, and email.
Demands from governments, the public, business partners, and clients require the organization to implement agile compliance practices that are monitored and adapted to the demands of a changing business and regulatory environment. They require that obligations be more than written policies: part of the fabric of operations. They require a strong culture that ensures transparency, accountability, and responsibility in an environment that is continuously adapting and evolving. A strong compliance program requires an agile approach that can efficiently prioritize resources toward the compliance risks that pose the greatest exposure. This paradigm shift focuses on establishing agile compliance processes that move from a reactive fire-fighting mode to a framework that proactively monitors, detects, manages, and mitigates compliance risks.
An agile compliance management approach enables organizations to manage and monitor compliance risk through:
- Compliance program management. This is the core process that integrates all functions into a cohesive program for managing and scheduling compliance reporting, assessments, controls, investigations, policies, regulatory change, projects and tasks. Organizations require a 360° view of compliance activities delivered through compliance program management.
- Compliance risk identification and assessment. Risk assessments are mandatory. Continuous compliance assessment and monitoring activities ensure that controls are in place and working. The risk identification and assessment process drives every aspect of a successful agile compliance program.
- Regulatory and risk intelligence. Staying current on compliance risk exposure and obligations requires a process that continuously monitors the fast-changing regulatory environment – and monitors the business itself for change.
- Policy definition, communication, and maintenance. Agile compliance requires up-to-date policies and procedures that address compliance and ethical risks in accordance with organizational values and obligations. The policy definition, communication, and maintenance process provides proof that the program is sound.
- Compliance reporting and accountability. To effectively provide assurance to the Board, a process of compliance governance, accountability, and reporting must be in place. This process requires collaboration and opens lines of communication with other areas of the business.
- Due diligence. Assessing employees as well as third-party business partners is critical to managing compliance risk. An established process that documents due diligence and screening efforts assures the organization that engaged individuals and companies do not have a bent toward unethical behavior, and possess the proper background, resources, and experience to perform the job they are contracted for.
- Training and communication. Written policies are not enough – individuals need to know what is expected of them in their day-to-day jobs. The training and communication process communicates the corporate culture, obligations, and expectations across the organization and to business partners.
- Enforcement of the control environment. While policies and procedures may define how the organization behaves, this ultimately comes down to controls. Implement preventive and detective controls that support compliance obligations and policies. Then confirm and monitor that these controls are in place and operating as designed.
- Record and report issues. Implement clearly defined processes for individuals to report concerns, weaknesses, and wrongdoing. This is often done through hotline systems or through web reporting. The reporting processes should be communicated and maintained, enabling management to document reports of non-compliant behavior and exposure made directly to the company.
- Conduct investigations. Even in well-run organizations, things go wrong. Active detection and monitoring backed by thorough investigation processes can quickly identify potential incidents of corruption and effectively resolve issues. This includes working with outside law enforcement and governing authorities.
- Implement communication and reporting processes. Create open channels of communication where employees can get answers to questions about policies and procedures. This process alone can help avoid many instances of non-compliance or wrongdoing. Channels include live help lines, FAQs, as well as form processing for approval/disapproval of requested activities.
- Third-party relationships. The ability to effectively manage third-party risk is central to the success of a compliance program. Organizations should seek to automate ongoing due diligence to assess, score, and monitor third-party risk, communicate policies to vendors, track attestations, and deliver surveys and assessments.
Past compliance processes were bogged down in documents and technology silos, which led to laborious and costly processes to gather information and report on compliance risk. Compliance departments over-relied on spreadsheets, documents, and email that lacked an audit trail, creating a legal disaster, since an organization has no defensible position when it cannot prove compliance. With no record, assessments can also be compromised or tampered with. Siloed documents and processes create inefficiency, out-of-sync controls, and corporate policies that are inadequate to manage risk and compliance. Organizations are encumbered by unnecessary complexity because they manage compliance issue by issue, without regard for an integrated framework and architecture, wasting time and resources in the process.
Agile compliance requires technology with a robust system of record that proves a state of compliance and documents any changes made, thus providing a complete audit trail. To make compliance an active, living part of the organization and its culture, intelligent organizations are implementing a comprehensive compliance technology architecture that delivers compliance agility, making compliance efficient and effective in a dynamic business environment. Compliance then becomes a continuous process that detects and prevents issues and is monitored, maintained, and nurtured.