Compliance management is the ongoing process of monitoring and assessing systems to ensure they comply with industry and security standards as well as corporate and regulatory policies and requirements.
It’s a big business. In fact, the Competitive Enterprise Industry found that if it were a country, U.S. regulation would be the world’s eighth-largest economy.
And compliance tracking is what’s keeps that economy afloat.
So, what is compliance tracking?
Compliance tracking, as the name implies, is the act of continuously assessing whether your business is adhering to regulatory requirements, including internal policies and specific industry standards.
Not a one-off, compliance tracking is a dynamic process.
Compliance tracking in risk management, therefore, consists of compliance monitoring, assessment, and analysis of organizational performance and risk indicators. Only by following this process will risk teams will be able to target areas of non-compliance and take corrective action to prevent costly penalties.
How to do it? The subsequent article lays out a best-practice approach to compliance tracking in risk management.
Why compliance tracking in risk management is important
By why do businesses need to track compliance in the first place?
Most advanced economies have become regulatory economies.
It’s a trend that’s been going on for some time now, no doubt accelerated by the Financial Crisis of the late 2000s.
The London-based think tank JWG, for instance, measured 50,000 regulations across the G20 from the years 2009 to 2012.
That number rose to 50,000 regulations in 2015 alone.
The cost of complying with those regulations has also gone up.
Compliance with just the Dodd Frank Wall Street Reform and Consumer Protection Act, for instance, cost banks USD 36 billion, according to the publication Trade.
Financial regulation, though significant, isn’t the only (external) compliance cost driver for firms. According to Deloitte, Australian enterprises spent AUD 94 billion to administer and comply with public sector rules.
Policymakers have also been drawing up cybersecurity regulations like the Digital Operational Resilience Act and APRA Prudential Standard CPS 234.
Independent of external regulations, companies also develop their own set of rules, regulations, policies, procedures, and laws to stay competitive in the market and/or limit exposure to unethical conduct.
Compliance with these internal mandates can have significant cost implications, too. At one time, Australian enterprises were spending as much as AUD 155 billion to administer and comply with self-imposed rules and regulations.
Challenges with compliance tracking in risk management
Indeed, businesses are paying a lot to stay on the right side of rules, regulations, and laws. They have every reason to inquire whether they’re getting their compliance money’s worth.
That’s the question compliance tracking asks, are investments holding up?
According to the experts, the answer might be no.
Sure, companies are spending plenty on compliance, especially regulatory compliance. But they aren’t efficiently allocating their compliance resources within pre-existing risk management frameworks.
What’s the problem with that? The piecemeal approach to compliance, besides being costly and inefficient, ends up limiting the visibility of senior business leaders who need to make strategic business decisions based on an accurate picture of compliance risk.
Those aren’t the only challenges with compliance tracking in risk management.
The volume of regulation a company must comply with also makes managing compliance more complex. This issue has multiple dimensions, including:
- The volume and pace of regulatory change
- The availability and adequacy of resources to implement those changes
- The inherent difficulty in meeting new regulatory expectations and potential for increased supervision (or sanction) from regulators
The lack of operational risk management software to track compliance obligations is also a problem. Without such platforms to monitor breaches, teams must rely on manual structures, e.g., spreadsheets, emails, Word documents, shared folders, etc.
A fledgling company might get by like this, but home-spun structures won’t scale.
Best-practice compliance tracking in risk management
So, what’s there to be done to get ahead of compliance tracking and not let breaches fall through the cracks?
Well, best-practice compliance tracking in risk management involves identifying the areas in the organization with the highest compliance risk and then recalibrating the compliance function to monitor these risks.
What are some concrete steps to take to turn this risk-based approach to compliance management into a reality? We recommend taking the following steps:
1. Develop a compliance risk framework
Develop a single overarching framework for compliance across the organization. This unifying thread will govern processes taken and tools procured.
2. Understand company-wide compliance risk
Make sure the strategy is centered on a complete understanding of the company’s compliance risk, especially levels of regulatory scrutiny. Those levels are predictive of future scrutiny.
3. Assess risk frequently
Of course, businesses aren’t static. That’s why this compliance risk assessment needs to be done regularly (experts recommend annually), especially after major business changes.
Business partners need to be part of this calculus, as well. Vendors and contractors, especially those deemed unethical in the past, can create compliance risk, so third-party business relationships should be factored into a company’s risk-monitoring framework.
4. Analyze compliance risk
After identifying all potential compliance risks, move ahead and analyze those risks, by asking how likely an individual risk is to occur and the potential impact of that risk to the company were it to become a compliance incident, e.g., a corruption scandal or a hefty fine from a regulator.
5. Prioritize the most serious risks
The following step is compliance risk prioritization, or triaging risk based on pre-established criteria.
Why’s this important? Companies don’t have infinite resources to deal with identified compliance risk.
Instead, they will have to use a standardized risk methodology, usually a risk matrix, to determine which risks they will deal with, an assessment often made based on (proportional) levels of risk.
6. Sign off on risk controls
Finally, the compliance decision maker, usually a C-level executive reporting directly into the Board’s audit committee, will need to sign off on risk controls, the actual strategies and tools teams will implement to manage high-level risk and promote compliance, either by mitigating the risk or eliminating it altogether.
How to make this staged approach work, though?
For one, teams will need to ensure that their processes, policies, and procedures are all standardized.
Here, the centralization of the compliance function should be reinforced by training and education, as well as clear reporting methods and mechanisms, which keep due diligence and risk assessment efforts current.
What to look for in compliance tracking software
Digital technology with compliance tracking functionality will be of great benefit, too. How so?
Compliance tracking (for that matter, compliance management, more broadly) is too much of a task for manual processes, alone. To remain resilient, compliance needs a battle-tested, proactive approach, automated processes supported by advanced technology to shore up reporting outcomes.
In this respect, integrated resilience management software gives you the functionality you need to manage a compliance incident, as well as learn from that incident by investigating its root cause, to proactively prevent future incidents.
But not all solutions are created equal. It’s important to find a flexible platform that’s able to support a number of different governance, risk management, and compliance use cases.
Compliance-related functionality should include:
- Capture compliance sources, e.g., mandatory laws and regulations, or self-enforced, internal programs and policies
- Derive requirements from these sources
- Derive business rules from these requirements, which then dictate specific compliances items, or controls for one or more risks
- And proactively develop activities and capture contacts for compliance actors who must execute those items, as well as assign roles and responsibilities to contacts to determine which activities and business rules are relevant
Ensure ongoing compliance with Noggin
Where to find these capabilities in an integrated workspace that provides a comprehensive and holistic approach to resilience, as well? Try Noggin.
With Noggin, you increase alignment and drive compliance using controlled documents. Manage contractors using questionnaires and document reviews and follow up with inspections and audits to ensure controls are implemented and risks are managed on an ongoing basis.
But don’t take our word for it. Request a demo of Noggin to see for yourself.