Risk Management and Compliance: Shift Left for Operational Transformation (Part 1)
Part 1: Compliance – A New Business Necessity
Compliance is the process of making sure that the applicable laws, regulations, ethical practices, and internal policies are followed by the organization. Achieving compliance is an ongoing organizational effort that involves planning, collaboration, and continuous management.
In this two-part series we'll cover the emerging need for compliance, the challenges and obstacles organizations face on the way to achieving it, and some fresh ideas and solutions.
Compliance is all about sticking to the rules. Meaning, you need to comply with relevant legislation, as well as any internal or external standards. Compliance covers internal policies and rules, industry regulations, and international, federal, and state laws. It also lays out expectations for employee behavior, helps people stay focused on their organization's broader goals, and helps operations run smoothly. Compliance should be an ongoing process, integrated with strategy, vision, and execution best practices.
Being compliant has become a business necessity, more than ever before. Global organizations face an acute need to meet the regulations, standards, and compliance requirements of their respective industries, and there are multiple challenges in doing so. The top three common challenges across industries are:
- Silos – the added risk of compliance experts being siloed from the rest of the organization
- Lack of Visibility – the added risk of compliance experts being removed from portfolio management
- Outdated Processes – added execution and operational risk from old processes and procedures
What is most interesting is that by modernizing your processes and procedures, embedding risk management and compliance directly into day-to-day work, and tearing down silos along the way, you can significantly increase visibility, which in turn greatly improves your ability to maintain compliance and manage risk effectively.
Silos
Silos are created naturally because we tend to hire the best of the best in a particular area, and these subject matter experts (SMEs) tend to have very deep knowledge in their area of expertise, which is great. However, when these SMEs do not come together and collaborate regularly, companies become less efficient and more reactive. Tearing down silos is one of the biggest challenges any company faces, yet it also yields the greatest positive impact on compliance and risk management, and it is critical to understanding and meeting compliance needs.
In companies there are isolated teams, roles, and activities, each with its own set of requirements. These silos produce disconnected systems, poor integration, and little collaboration. When risk management and compliance responsibilities are confined to silos, chances are that the work being conducted and the technology used to carry it out are just as disconnected. That makes it very difficult to manage compliance efficiently across multiple business lines, functions, or locations, because compliance experts and risk managers end up relying on the teams themselves to tell them which areas should be of most concern. With no easy way to exchange data, multiple people chase down the same information, which results in duplicated effort, wasted resources, and multiple clumsy, inefficient systems. With low or non-existent compatibility between silos, it is difficult for senior management to get an insightful overview of the company's current compliance status, and it becomes difficult to perform a timely assessment of compliance risks.
For teams, one of the biggest challenges is simply knowing and adhering to all of the regulatory and compliance requirements. This is extremely challenging because team members are asked to focus on their own areas of expertise, so they will often not know about every ever-changing industry regulatory requirement, let alone the evolving company compliance requirements.
Take for example a finance accounting team. They are expected to be experts in day-to-day accounting activities, but they may not know all of the changes in financial law, financial regulations, or tax code each year, and they almost certainly do not know what changes were made last month to the information technology policies that govern a shared drive. Your legal team would certainly know the legal changes, and your technology department would absolutely know the information technology policy changes, but your finance accounting team may not. This means that while each of these SMEs is able to operate at their peak in isolation, they cannot necessarily deliver the best possible outcomes for the company when they work in silos, and efficiency suffers.
Lack of Visibility
A lack of visibility is an inherent result of these silos, and it in turn significantly increases risk and drastically decreases efficiency. Without an integrated view of compliance-related activities, it is nearly impossible to identify gaps and inconsistencies in how compliance is tracked and managed until an audit is conducted and those gaps and inconsistencies surface as audit findings, which no one wants. Damaging risk can easily slip by undetected or unaddressed, because either you were not aware that a violation had occurred or you could not gauge the full impact of a gap until it was too late. The increase in cross-functional operations has led to a rise in the number of applicable regulations, and it has become very difficult to shuffle between the many tools used to track them. As the number of compliance management activities grows, it is hard to gain a holistic view of the company and turn it into relevant actions, both in terms of driving business strategy and in understanding anomalies associated with critical assets.
We can also see very clearly how a lack of visibility negatively affects the teams doing their day-to-day work, which in turn compounds the company's risk. Take for example a Financial Model Development SME and a Financial Model Risk Management SME. While each has extensive knowledge and experience in their respective field, and each is critical to the company's financial health and stability, in silos these two roles are less effective at the holistic development and management of the financial models used for planning and reporting than they would be if they worked together collaboratively.
While the developer is responsible for staying up to date on industry-leading development methodologies and practices, they are not keeping up with all of the legal and regulatory changes in the financial industry that may affect their model development, nor are they keeping up daily with every other internal and external policy change, piece of legislation, and industry-leading risk management and compliance process. The reverse is true for the risk manager or compliance officer.
The model developer spends weeks, if not months, developing and testing a model before reaching the end of the process, where they must submit it for risk management or compliance review. Only at that point may the developer be notified of legal, regulatory, or policy changes, in addition to any identified risks that need to be mitigated, whether raised by the technology risk management team or by the financial risk management team. The model developer must now go back and redo their development and testing work before resubmitting for compliance and risk management sign-off. This inefficiency is the result of a lack of transparency and, often, outdated processes.
Outdated Processes
Too many companies are still taking an old-school approach to the execution of compliance needs. Regulatory and legal changes, internal and external policy changes, and changes to industry standards and precedent occur all the time, not just once a year. Often it is almost like The Telephone Game for policies: a national policy change affects a company policy, which affects an organizational policy, which then affects a team policy, process, or procedure. The challenge is that teams are not always immediately notified or aware of these changes, and oftentimes they do not find out until they receive a notice of a compliance violation or, worse yet, an audit finding. This is a direct result of silos, lack of transparency, and outdated processes. Compliance needs change at the speed of business, so strategy and process must also change quickly.
You can see this throughout companies, in organizations, in teams, and in project management. Quoting Scaled Agile: “Traditional waterfall practices often mandate that full system specifications are defined and committed to in detail, up-front, long before all the real system behaviors can be known. Worse, the sequential nature of phase-gate development produces large batches of work, long cycles between system integration points, and late feedback. In addition, compliance activities are typically deferred until the end of the project, providing little insight into compliance progress. This often results in missed deadlines, disappointing business or mission outcomes, lower quality, and substantial (and late) compliance challenges. In contrast, high-assurance Lean-Agile development builds in quality incrementally—early and throughout the development lifecycle.”
Conclusion
In this first installment we defined compliance and explored several challenges on the way to achieving it fully. In part 2, we'll discuss the idea and implementation of 'shifting left' risk and compliance activities.