Article

Taking a Risk-Based Approach to Compliance Management

Noggin

Safety Management

Updated April 09, 2024

Paying the cost of compliance management

If enterprise-wide compliance is on your mind, you’re not alone. Business uncertainty and regulatory compliance have both been in the news for some time now. In the Australasian region, for instance, Australia and New Zealand both revamped their occupational health and safety systems, forcing firms operating in those jurisdictions to invest resources in compliance with a number of new statutes, including landmark changes to asbestos and other hazardous materials management.

Globally, twin shocks to the political system, Brexit and the unexpected election of Donald Trump, made regulatory overhaul in two of the world’s largest economic zones, the EU and the U.S., a near certainty [i]. Nor had business completely recovered from the previous shock to the system: the global financial crisis of the late 2000s. At the height of the Great Recession, subnational, federal, and supranational bodies all issued sweeping financial reforms, which sharply raised regulatory compliance risk. As catalogued by the London-based think tank JWG, the years 2009 to 2012 saw the publication of over 50,000 regulations across the G20 [ii]. By 2015, that many regulations were being published in a single year [iii].

The cost of complying with those regulations has, of course, been steep for businesses. In fact, the volume of regulation is the key contributor to rising compliance costs. Compliance with the Dodd-Frank Wall Street Reform and Consumer Protection Act, for instance, cost banks $36 billion, according to the publication Trade [iv]. Cumulatively, regulatory compliance cost banks $100 billion in 2016 [v].

Financial regulation, though significant, isn’t the only (external) compliance cost driver for firms. According to Deloitte, Australian enterprises spent $94 billion to administer and comply with public sector rules (in general) [vi].

Independent of external regulations, companies also develop their own rules, policies, and procedures, whether to stay competitive in the market or to limit exposure to unethical conduct. Compliance with these internal mandates has significant cost implications as well: in 2014, Australian enterprises spent $155 billion to administer and comply with self-imposed rules and regulations [vii].

Relevant terms in governance, risk, and compliance

  • Compliance. Conforming with stated requirements.
  • Compliance risk. The effect of uncertainty on compliance objectives.
  • Risk management. The set of processes through which management identifies, analyses, and, where necessary, responds appropriately to risk.
  • Regulatory compliance. An organization’s adherence to laws, regulations, guidelines, and specifications relevant to its business, violations of which might result in punishment, including severe financial penalty.
  • Governance. The overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures.

Why the cost of compliance doesn’t add up

So businesses are paying a steep price for compliance. But the degree of external and internal business volatility is testing the resilience of even the best-resourced compliance programs. The question is, then, are compliance investments actually holding up?

Well, if you ask the experts, the answer is no, not at all. Sure, companies are spending plenty on compliance, especially regulatory compliance. 

The problem is that firms are allocating resources without having first developed an overarching, enterprise-wide framework for compliance management [viii].

Besides being costly and inefficient, this piecemeal approach to compliance ends up limiting the situational awareness of senior leaders who need to make strategic business decisions based on an accurate picture of compliance risk.

Without a clear mandate from the top, individual teams begin managing specific compliance requirements as they see fit, i.e. with a different set of roles, activities, and even systems. With little communication between the resulting silos, the risk of duplicated work is high. What’s more, businesses might also end up paying twice for advanced compliance management solutions that perform the same functions but aren’t configured to exchange relevant data with each other.

Lack of a centralizing compliance strategy and the siloing effects that deficiency creates aren’t the only challenges to developing a culture of compliance.

The volume of regulation a company must comply with also makes managing compliance more operationally complex. The difficulties include not only the volume and pace of regulatory change, but also the availability and adequacy of resources to implement those changes, the general difficulty of meeting new regulatory expectations, and the potential for increased supervision from regulators [ix].

The challenges, though, are all interrelated: more regulatory volatility bumps up compliance costs and creates operational headaches. Those headaches are then exacerbated by the lack of a centralizing approach to managing compliance risk, which is particularly common in companies that tackle compliance in-house. After all, those companies are the least likely to have adequate processes, personnel, and tools to achieve even basic compliance goals.

A lack of advanced compliance management technology, in particular, means that teams have to rely more heavily on manual structures, i.e. spreadsheets, Word documents, shared folders, etc. A fledgling company might get by with these rudimentary solutions, but home-spun structures like those won’t scale as a firm gets larger and reporting requirements increase in kind.

Things aren’t looking much better on the risk side of the ledger, either. Traditional forms of risk management (disjointed, disconnected, and overly manual processes and frameworks) are also becoming increasingly outmoded, less and less capable of preventing risks, systemic or otherwise, from turning into major incidents.

Just as they do with compliance, too many companies are also managing their risks in silos, or on an individual, risk-by-risk basis [x].

What’s more, individual teams don’t always have the internal (communications) tools they need to properly integrate their knowledge base of risk into their systems for managing risk.

In turn, business managers don’t get visibility into enterprise-wide risk, which limits them to a fragmented view of (sector-specific) risk, despite the high probability of contagion between business lines. Team-specific processes to identify, assess, manage, monitor, and report on risk proliferate, meaning that teams are less able to stay ahead of business risk, and processes become more reactive and less effective.

Achieving a risk-based approach to compliance management

Clearly, the challenges are stark. But achieving efficient, cost-effective compliance management is possible. Senior leaders just have to redirect their company’s compliance efforts (and resources) away from piecemeal interventions and toward an enterprise-wide, risk-based approach to compliance, a strategy that entails identifying the areas in the organization with the highest compliance risk and then recalibrating the compliance function to monitor these risks.

So what are the concrete steps that turn this risk-based approach to compliance management into a reality? There are two. First, develop a single overarching framework for compliance across the organization, a unifying thread that will govern the processes adopted and the tools procured. Second, center that framework on a complete understanding of the company’s compliance risk, especially past levels of regulatory scrutiny, which are predictive of future scrutiny. Of course, businesses aren’t static. That’s why this compliance risk assessment needs to be done regularly (experts recommend annually), and especially after major business changes.

The same logic applies to the oft-changing risk and regulatory environment around the business. Teams shouldn’t just focus on the once-in-a-generation reforms; they also need to be on the lookout for minor tweaks to statutes, standards, regulations, and court rulings that can affect the company’s compliance requirements.

Business partners need to be part of this calculus as well. Vendors and contractors, especially those deemed unethical in the past, can create compliance risk, so third-party business relationships should be factored into a company’s risk-monitoring framework.

After isolating all potential compliance risks, teams will move ahead and analyze those risks, by asking themselves how likely an individual risk is to occur and the potential impact of that risk to the company were it to become a compliance incident, e.g. a corruption scandal or a hefty fine from a regulator.

The following step is compliance risk prioritization, or triaging risk based on pre-established criteria. Companies don’t have infinite resources to deal with identified compliance risk. Instead, they will have to use a standardized risk methodology, usually a risk matrix, to determine which risks they will deal with, an assessment often made based on (proportional) levels of risk.

Finally, the compliance decision maker, usually a C-level executive reporting directly to the Board’s audit committee, will need to sign off on risk controls, the actual strategies and tools teams will implement to manage high-level risk and promote compliance, either by mitigating the risk or eliminating it altogether.

To make this staged approach work, teams will need to ensure that their processes, policies, and procedures are all standardized, and that the centralization of the compliance function is reinforced by training and education, as well as clear reporting methods and mechanisms, which keep due diligence and risk assessment efforts current.

The risk management lifecycle

Noticing overlap with the risk management lifecycle? That’s no coincidence. The steps you’ll take to centralize compliance risk rehash key tenets of the risk management lifecycle as outlined below.

  • Risk identification. The identification stage consists of isolating all potential operational risks, whether recurring risks or potential one-offs. Risk identification involves staff across the business, not just C-suite executives.
  • Risk assessment. Once identified, risks must be added to a risk register where they are assessed on a number of factors, such as how likely the risk is to occur, how frequently it will occur, and the potential exposure of human and non-human assets if the risk is not managed. The use of a risk matrix, an established risk assessment methodology, is a standardized way of prioritizing risks in a central risk register by likelihood and consequence. The severity of each risk can then be assessed separately, as inherent, target, or residual risk, using a common methodology.
  • Analysis. In analyzing risk, teams will consider which risk controls (if any) to put in place. Additionally, teams will provide decision makers with a thorough risk analysis, a clear cost and benefit evaluation as well as outlines of possible alternative measures to take.
  • Decision. Based on the analysis furnished, decision makers will choose the best control (or combination of controls).
  • Implementation. Carrying out the decision taken requires having a plan for applying the selected controls. Adequate time and resources must also be allocated for any control measure to be successful. In addition, implementing controls requires clearly communicating your plan to everyone involved.
  • Monitoring. Implementation, however, isn’t the end of the story. Once they’re put in place, controls will have to be consistently monitored to ensure they are working as expected.
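The analysis, prioritization and sign-off steps described in the previous section, and the risk register, risk matrix and monitoring stages of the lifecycle above, can be made concrete in a small risk register. The following Python is an added example, not Noggin’s code or a feature of its platform: the 5x5 likelihood and consequence scales, the rating bands, the risk appetite, the effect credited to each control, the 90-day monitoring window and the sample risks are all assumptions made for illustration.

```python
"""Added example (not Noggin's code): a minimal compliance risk register that
scores risks on a 5x5 likelihood x consequence matrix, ranks them for triage,
compares inherent with residual risk once controls are credited, and flags
controls whose monitoring is overdue. All scales and sample data are assumed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum
from typing import List, Optional


class Likelihood(IntEnum):
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Consequence(IntEnum):
    NEGLIGIBLE = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    SEVERE = 5


RATINGS = ("low", "medium", "high", "extreme")  # ordered, lowest first


def rating(score: int) -> str:
    """Assumed matrix bands for score = likelihood * consequence (1..25)."""
    if score >= 15:
        return "extreme"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0    # steps down the likelihood scale (assumed)
    consequence_reduction: int = 0   # steps down the consequence scale (assumed)
    last_verified: Optional[date] = None  # when monitoring last confirmed it works


@dataclass
class Risk:
    risk_id: str
    description: str
    source: str  # compliance source: statute, regulation or internal policy
    likelihood: Likelihood
    consequence: Consequence
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any controls are credited."""
        return int(self.likelihood) * int(self.consequence)

    def residual_score(self) -> int:
        """Risk after crediting controls; neither axis drops below 1."""
        like = max(1, int(self.likelihood) - sum(c.likelihood_reduction for c in self.controls))
        cons = max(1, int(self.consequence) - sum(c.consequence_reduction for c in self.controls))
        return like * cons


def prioritise(register: List[Risk]) -> List[str]:
    """Triage order: highest inherent score first, then consequence, then id."""
    ordered = sorted(register, key=lambda r: (-r.inherent_score(), -int(r.consequence), r.risk_id))
    return [r.risk_id for r in ordered]


def needs_treatment(register: List[Risk], appetite: str = "medium") -> List[str]:
    """Risks whose residual rating still sits above the stated risk appetite."""
    limit = RATINGS.index(appetite)
    return [r.risk_id for r in register if RATINGS.index(rating(r.residual_score())) > limit]


def stale_controls(register: List[Risk], as_of: date, max_age_days: int = 90) -> List[str]:
    """Monitoring check: controls never verified or not verified within the window."""
    cutoff = as_of - timedelta(days=max_age_days)
    return [f"{r.risk_id}:{c.name}" for r in register for c in r.controls
            if c.last_verified is None or c.last_verified < cutoff]


AS_OF = date(2024, 4, 9)  # assumed review date

# Constructed sample register; the risks, sources and dates are invented.
SAMPLE_REGISTER = [
    Risk("R1", "Site asbestos register not maintained", "WHS regulation (assumed)",
         Likelihood.LIKELY, Consequence.SEVERE,
         [Control("Annual site survey", likelihood_reduction=2, last_verified=date(2024, 3, 1))]),
    Risk("R2", "Contractor fails anti-bribery due diligence", "Internal code of conduct",
         Likelihood.POSSIBLE, Consequence.MAJOR,
         [Control("Vendor screening", likelihood_reduction=1, last_verified=date(2023, 11, 15)),
          Control("Contract clauses", consequence_reduction=1)]),
    Risk("R3", "Late statutory filing", "Corporations law (assumed)",
         Likelihood.UNLIKELY, Consequence.MINOR),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(r.risk_id, rating(r.inherent_score()), "->", rating(r.residual_score()))
    print("priority:", prioritise(SAMPLE_REGISTER))
    print("above appetite:", needs_treatment(SAMPLE_REGISTER))
    print("stale controls:", stale_controls(SAMPLE_REGISTER, as_of=AS_OF))
```

The distinction the lifecycle draws matters in the output: R1 is rated extreme inherently but only high after its survey control is credited, which still exceeds a medium appetite, so it stays on the treatment list; R2 drops to medium and falls off that list, yet both of its controls are overdue for monitoring, so a decision maker signing off on R2 would be relying on controls nobody has recently verified.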

The benefits of integrated compliance risk and incident management software

When it comes down to it, compliance management is just another way of monitoring relevant business changes. But businesses change often, and often in ways that affect their compliance risk profiles. When they do, compliance teams need to be able to document those changes, whether by recording observations or conducting investigations. Keeping information current is vital in compliance management, as data quality can be a structural barrier to effective compliance even for teams that use advanced technology [xi].

But it’s too big a task for manual processes alone. To remain resilient, compliance needs a battle-tested, proactive approach: automated processes supported by advanced technology to shore up reporting outcomes [xii]. Integrated compliance risk and incident management software gives you the functionality you need to manage a compliance incident, as well as to learn from that incident by investigating its root cause, so as to proactively prevent future incidents.

Don’t choose any old solution vendor. Find a flexible platform that’s able to support a number of different governance, risk management, and compliance use cases. Compliance-related modules, in particular, should have the following capabilities:

  • Capture compliance sources, e.g. mandatory laws and regulations, or self-enforced, internal programs and policies
  • Derive requirements from these sources
  • Derive business rules from these requirements, which then dictate specific compliance items, i.e. controls for one or more risks
  • Proactively develop activities and capture contacts for the compliance actors who must execute those items, and assign roles and responsibilities to those contacts to determine which activities and business rules are relevant to each

In sum, regulatory volatility over the last decade has led to an upsurge in compliance costs for businesses across advanced economies. The problem is that these businesses aren’t making their hefty compliance investments count.

The prevalent piecemeal approach to compliance management needs to go. Instead, businesses need to centralize processes under the banner of enterprise-wide, risk-based compliance management. The biggest investment you’ll need is the right advanced, integrated risk and incident management platform. With a flexible solution in tow, you’ll be well on your way to achieving all the business benefits of risk-based compliance management: greater efficiency, more visibility for senior leaders, lower costs, and less compliance risk.


Citations

i. Samantha Regan et al., Accenture: 2018 Compliance Risk Study: Comply & Demand. Available at https://www.accenture.com/t20180322T192051Z__w__/usen/_acnmedia/PDF-74/Accenture-2018-Compliance-Risk-Study.pdf.

ii. Quoted in Tom Groenfeldt, Forbes: Taming The High Costs Of Compliance With Tech. Available at https://www.forbes.com/sites/tomgroenfeldt/2018/03/22/taming-the-high-costs-of-compliance-with-tech/#23c394e25d3f.

iii. Ibid.

iv. Quoted in ibid.

v. Ibid.

vi. Deloitte, Get out of your own way: Unleashing productivity. Available at https://www2.deloitte.com/au/en/pages/building-lucky-country/articles/getout-of-your-own-way.html.

vii. Ibid.

viii. The Wall Street Journal: Risk & Compliance Journal: Enterprise Compliance: Answers to Five Common Questions. Available at https://deloitte.wsj.com/riskandcompliance/2013/06/04/enterprise-compliance-answers-to-five-common-questions/.

ix. Stacey English and Susannah Hammond, Thomson Reuters: Cost of Compliance 2017. Available at https://risk.thomsonreuters.com/content/dam/openweb/documents/pdf/risk/report/cost-of-compliance-2017.pdf.

x. Norlida Abdul Manab, International Review of Business Research Papers: Enterprise-Wide Risk Management (EWRM) Practices: Between Corporate Governance Compliance and Value Creation. Available at https://www.researchgate.net/profile/Norlida_Manab/publication/267817755_Enterprise-Wide_Risk_Management_ EWRM_Practices_Between_Corporate_Governance_Compliance_and_Value_Creation/links/57c2742508aeb95224d749b7/Enterprise-Wide-Risk Management-EWRM-Practices Between-Corporate-Governance-Compliance-and-Value-Creation.pdf.

xi. Samantha Regan et al., Accenture: 2018 Compliance Risk Study: Comply & Demand. Available at https://www.accenture.com/t20180322T192051Z__w__/usen/_acnmedia/PDF-74/Accenture-2018-Compliance-Risk-Study.pdf.

xii. Ibid.