7-Step Guide to Risk & Compliance
Published on: Thursday 07-10-2021
Safeguard the future of your organisation and make risk and compliance a top priority.
The 7-step model suggests ways in which organisations can maximise their business returns from investing in compliance, and ways in which technology can give compliance professionals the right tools to assess the impact of regulations on the business and operating model and to communicate that information effectively.
For compliance to become a company-wide endeavour that safeguards your organisation from reputational damage and other unwanted risks, you must harness the potential and capacity of your whole team. The following steps will guide you in these efforts. For each step, we recommend that you consider the suggested outcomes, review the suggested actions, and then ask which mechanisms you already have that could be repurposed or reinvigorated to undertake it.
Define & Communicate
This first step is about creating a structure to allow for agile and effective management of regulations. Setting your organisation up with “good bones” in the form of a well-designed regulatory system is key. This system must meet the requirements of the particular industry of operation, as well as allow for flexibility, transparency, and scalability to future proof your organisation, and ensure it is able to adapt to changing regulatory and audit requirements as they happen. In other words, your compliance system must be set up to be and remain compliant itself.
When designing and defining this type of framework, it is essential to anticipate and cater for the audit requirements of the current environment, as well as those of the future. Many industries are required to keep detailed documentation showing exactly how industry regulations are translated into the company’s day-to-day operational workings, i.e., the business processes. They may also be required to demonstrate and prove exactly how, and when, staff were told how to work compliantly, and may even require formal acknowledgement and a record of this. The volume and frequency of changes makes assessing the impact of a regulation on business operations time consuming. Fortunately, compliance managers are no longer forced to rely on manual workflows and untraceable email communication in order to communicate and keep track of changes. Organisations can build single sources of knowledge within their intranets that allow them to update workers about changes quickly and easily, reducing the risk of non-compliant activities.
Ineffective company cultures are a major source of risk for organisations. Organisational culture will affect risk taking behaviour, both negatively and positively. It is the ultimate responsibility of the Chief Compliance and Risk Officers to ensure the rhetoric from the top filters down to promote desirable behaviour in terms of policy compliance, risk prevention, whistleblowing and accountability – and the risk and compliance structure must support this. This is why integrating a framework based on legal/standardised requirements into a workflow tool is crucial as a means of keeping everyone involved in your risk-prone processes up-to-date, and of communicating to stakeholders what the necessary defence controls are.
Identify & Document
Risk identification is the foundation of risk management, as you cannot manage a risk you don’t know about. To ensure this process is thorough and effective, it is essential to involve a range of both Subject Matter Experts, and stakeholders – these are the people actually carrying out the work. These people hold the keys to both identifying opportunities to improve the business process overall, as well as the ability to offer insights into why work may be completed incorrectly or non-compliantly. For example, if certain steps required for compliance conflict with activities related to KPIs and bonuses, you might find higher instances of non-compliant behaviour.
On a broader level, strategic, operational, financial and reputational risks must also all be defined and documented (with clear linkages between strategic, tactical, and operational processes and associated risks). This means identifying, prioritising and assigning accountability for managing any risk significantly impacting the organisation’s ability to achieve its strategic objectives. On a more specific compliance level, it means identifying, prioritising and assigning accountability for managing compliance in regard to particular laws and regulations. Ensuring the right people are involved, consulted, and their feedback factored into the compliance system is essential. Doing this means setting up the basis for communication and collaboration across the whole system – from meeting the needs of Execs, to those of the employees executing on transactional tasks for customers.
As both of these broader and more specific risks are constantly open to change, it is important that you define a compliance framework that is capable of protecting your organisation from risk. This should include not only simply staying informed about the latest regulatory updates, a huge job in itself, but also incorporating them into business processes and activities, and training and educating your team accordingly to ensure a strong compliance culture.
Design & Educate
Once the initial work to identify, prioritise, and get input on risks in your organisation has been completed, the next step is to define how the organisation will assess and control each risk, and create the supporting process and test structure to accompany this. Again, this step should make good use of iterative design of the control system, and the deep knowledge your people already have regarding the reality of how work gets done. This means that the structure of controls created to manage the risks identified during the identification stage must be tightly bound to the ways in which your real employees complete real work. It is also a rallying cry ensuring collaboration is designed into the system.
Designing collaboration into your compliance system is indispensable. Rules, although necessary and important to define, can also in some cases have the opposite effect of that desired, by inhibiting independent thought and discussion, leading many organisations to overlook or misread ambiguous threats. According to Harvard Business Review, rather than mitigating risk, firms actually incubate risk as they learn to tolerate apparently minor failures and defects and treat early warning signals as false alarms rather than alerts to imminent danger. Creating and nurturing a culture of transparency, questioning, and open communication across the org chart is essential not just for productivity and performance, but also compliance and risk mitigation.
Deploy & Test
Once the design of exactly how risk and compliance will be measured has been completed, it is time to automate the actual workings of the system as much as possible. This has obvious benefits, with many areas of the globe enduring a serious shortage of compliance professionals. Automation allows you to do more with less.
Being able to respond in a timely way to incidents is imperative to mitigating risks and compliance breaches. Ensuring effective, reactive action and defining responsibilities, thresholds and deadlines is crucial to resolving risk issues before they blow up, costing far more money (and potentially far more reputational damage) to fix. Potential risk incidents within an organisation are often quite similar, or follow a similar structure and response pattern, so defining incident models will ensure a standardised and comprehensive response process. To ensure that your framework is fireproof, it is recommended that you implement workflow processes to manage risks, as well as implementing controls and tests against a variety of scenarios.
In order to effectively respond to incidents and to ensure that reported breaches are escalated correctly, an incident model that streamlines the process and reduces risk should be defined. Incident handling routines and escalation routing should include defining the sequence of steps, the individuals responsible, and the precautions to be taken prior to resolving the incident, timescales for resolution, escalation procedures, and evidence preservation.
Completing this work manually is possible, but it consumes a huge amount of resources and time – and with the constant deluge of new regulations requiring assessment, it can be difficult to resource. Many organisations are now beginning to use workflow solutions to take the heavy lifting out of risk system deployment and management, leaving those responsible more time to dedicate to higher value work.
Remediate & Refine
Detecting compliance deviations based on your previously defined and documented framework will allow you to compare “as-required” processes with “as-implemented” processes more easily. At this point your current state will still require some testing in order for you to recognise gaps and see where certain processes are failing to adequately address and mitigate risks. This is where identifying compliance issues across your implemented compliance framework, processes and procedures comes in. As with the last step, this can be made much more efficient with technology that uses the data your business systems are already generating to alert risk managers to breaches and issues before they become large and expensive problems.
An efficient deviation handling system should also implement a mechanism to discriminate incidents of compliance deviation based on their relevance and to objectively categorise them. Figuring out whether or not a compliance deviation will result in damage to your company, your product, or your reputation, and whether or not it will result in financial or legal repercussions is an important part of the detection process, allowing you to then manage and correctly escalate incidents and to ultimately identify any potential for “process hardening.” In this case you may want to consider adding extra steps to existing processes, making compliance deviation less likely and adding an extra firewall to ensure that end users do not accidentally act in a non-compliant way due to lack of documentation or discrepancies in your compliance framework.
Monitor & Mitigate
Once you have set the wheels in motion and your framework is in place, it is of equal strategic importance that you continue to monitor and report on compliance related behaviour, while mitigating non-compliance and identified risks. Responding to incidents consistently and in a timely fashion, whilst implementing and enforcing routing logic should go hand-in-hand with the continuous reassessment of risks.
The benefit in having your compliance framework mapped out and documented in workflows and processes is that you can collect data over time to ensure that nothing goes undocumented, and ensure evidence related to any incident is kept on record. This is not only often a legal requirement when it comes to auditing and external checks, but also useful to ensure that your compliance and risk related processes are operating at an optimum level and that ultimately, you stay well ahead of the competition.
Manage & Improve
Within a holistic and ongoing risk and compliance management system is a consistent focus on seeking and acting upon ideas to improve. Monitoring and reporting continual compliance allows you to have an overview of where your organisation currently stands in terms of desirable behaviour and what the current state of compliance is, meaning you can start working on the gap between your current and future state. It also allows you to reward and promote compliant behaviour and improvements. Mitigating non-compliance and identified risks is also a continual task, as the regulatory landscape is constantly in flux.
As part of this holistic approach, ensuring that HR policies avoid mutual accountability and promote open communication, appropriate escalation and whistleblowing reporting is a crucial foundation. Personal accountability as well as the involvement of suppliers, investors, clients and regulators in creating and developing action plans will aid in the promotion of a transparent compliance culture.
These steps are of course not the definitive or final word on how to undertake an organisational transformation. They are however based on expert experience and lessons learned over the course of decades of compliance system design. They are intended to provide you with the mind-set and insights to steer your organisation through the complex, often messy, but ultimately rewarding process of transformation. We encourage you to adapt and augment the steps to match your organisational context, while taking note of the underlying themes of communication, inclusion, collaboration, and smart monitoring.
Effectively translating strategy into action is the cornerstone of transformation. We hope this guide will support you in creating positive behaviours and mitigating the threats you will encounter as your organisation embarks on this journey, by providing insights from others who have gone before.
Article courtesy: Signavio