Better Compliance Management - Learn.diligent


Better practices for compliance management: How technology can improve your regulatory & policy compliance

Table of contents

- Better practices for compliance management
- Managing the complexities of compliance
- The main compliance challenges
- Transform your compliance management
- Where to start?
- Case study
- 8 compliance processes in desperate need of technology
  - 01 Centralize regulations & compliance requirements
  - 02 Map to risks, policies, & controls
  - 03 Connect to data & use advanced analytics
  - 04 Monitor incidents & manage issues
  - 05 Manage investigations
  - 06 Use surveys, questionnaires, & certifications
  - 07 Manage regulatory changes
  - 08 Ensure regulatory examination & oversight
- Technology evaluation checklist

Managing the complexities of compliance

Compliance requirements are complex and expensive for organizations to manage. Every business sector faces an ever-growing number of regulations, and they’re always changing. So how can you keep up?

Non-compliance fines and penalties imposed by regulatory agencies are increasing—in some cases dramatically. It’s likely that none of this is news to you. And you’re probably well aware of the statistics on the number of regulations—existing, new, and changing—that impact your business. The important question is: How is your organization responding?

The reality is that many businesses and government agencies struggle to manage compliance requirements because they use inefficient processes and outdated or generic technology. This leaves them vulnerable and without the necessary oversight for effective compliance.

We’ve worked with many organizations to improve their compliance management processes through purpose-built compliance software.

In this eBook, we examine the challenges of compliance management and explore the root causes. We then show you an approach that optimizes the interaction of people, process, and technology to manage compliance requirements and monitor risks and controls.

Let’s start untangling this complex web of compliance management.

The main compliance challenges

We know that businesses and government entities alike struggle to manage compliance requirements. Many have put up with challenges for so long—often with limited resources—that they no longer see how problematic the situation has become.

FIVE COMPLIANCE CHALLENGES YOU MIGHT BE DEALING WITH

01 Compliance silos

It’s not uncommon that, over time, separate activities, roles, and teams develop to address different compliance requirements. There’s often a lack of integration and communication among these teams or individuals. The result is duplicated efforts—and the creation of multiple clumsy and inefficient systems. This is then perpetuated as compliance processes change in response to regulations, mergers and acquisitions, or other internal business restructuring.

02 No single view of compliance assurance

Siloed compliance systems also make it hard for senior management to get an overview of current compliance activities to perform timely risk assessments. If you can’t get a clear view of compliance risks, then chances are good that a damaging risk will slip under the radar, go unaddressed, or simply be ignored.

03 Cobbled together, home-grown systems

Using generalized software, like Excel spreadsheets and Word documents, in addition to shared folders and file systems, might have made sense at one point. But, as requirements become more complex, these systems become more frustrating, inefficient, and risky. Compiling hundreds or thousands of spreadsheets to support compliance management and regulatory reporting is a logistical, time-consuming nightmare. Spreadsheets are also prone to error and have significant limitations because they don’t provide audit trails or activity logs.

04 Old software that’s expensive to upgrade

You may be struggling with older compliance software products that aren’t designed to deal with constant change. These are increasingly expensive to upgrade, difficult to maintain, and aren’t user-friendly, resulting in frustrated employees and inefficiencies.

05 Not using automated monitoring

Many compliance teams are losing out by not using analytics and data automation. Instead, they rely heavily on sample testing to determine whether compliance controls and processes are working, so huge amounts of activity data are never actually checked.

Regulations are increasing: In 2017, Thomson Reuters Regulatory Intelligence captured 56,321 regulatory alerts from 900 regulatory bodies worldwide. That’s 216 updates per day, up from 201 in 2016.
» Thomson Reuters Regulatory Intelligence, Cost of Compliance 2018

Transform your compliance management

Good news! There are some practical steps you can take to transform compliance processes and systems so that they become way more efficient and far less expensive and painful.

It’s all about optimizing the interactions of people, processes, and technology around regulatory compliance requirements across the organization. This might not sound simple, but it’s what needs to be done. And, in our experience, it can be achieved without becoming time-consuming and expensive.

Look, for example, at how technology like Salesforce (a cloud-based system with big data analytics) has transformed sales, marketing, and customer service. Similar technology is now available which brings together different business units around regulatory compliance to improve processes and collaboration. Compliance management technology has evolved to unite processes and roles across all aspects of the organization.

Where to start?

Let’s look at what’s involved in establishing a technology-driven compliance management process – one that’s driven by data and fully integrated across your organization.

Step 1: Think about the desired end-state.

The best place to start is the end. Consider the objectives and the most important outcomes of your new process. How will it impact the different stakeholders? Take the time to clearly define the metrics you’ll use to measure your progress and success.

A few desired outcomes:

- Accurately measure and manage the costs of regulatory and policy compliance.
- Track how risks are trending over time, by regulation, and by region.
- Understand, at any point in time, the effectiveness of compliance-related controls.
- Standardize approaches and systems for managing compliance requirements and risks across the organization.
- Efficiently integrate reporting on compliance activities with those of other risk management functions.
- Create a quantified view of the risks faced due to regulatory compliance failures for executive management.
- Increase confidence and response times around changing and new regulations.
- Reduce duplication of efforts and maximize overall efficiencies.

Step 2: Identify the activities and capabilities that will get you the desired outcomes.

What do you need to support your objectives? Consider the different parts of the compliance management process over page. Then identify the steps you’ll need to take or the changes you’ll need to make to your current activity that will help you achieve your objectives. We’ve put together a “cheatsheet” to help this along.

In relatively basic terms, the activities and capabilities needed for compliance management typically look like this:

[Diagram: COMPLIANCE MANAGEMENT PROCESS. A cycle of stages: Identify & Implement Compliance Control Procedures (01, 02, 03, 04); Identify Financial & Operational Transactions, Processes & Controls; Develop/Modify Analytics (05, 06); Analysis Results; Manage Results & Respond (07); Report Results & Update Assessments (08, 09, 10); with an improvement loop (11, 12).]

IDENTIFY & IMPLEMENT COMPLIANCE CONTROL PROCEDURES

01 Maintain a central library of regulatory requirements and internal corporate policies, allocated to owners and managers.
02 Define control processes and procedures that will ensure compliance with these regulations and policies.
03 Link control processes to the corresponding regulations and corporate policies.
04 Assess the risk of control weaknesses and failure to comply with regulations and policies.

RUN TRANSACTIONAL MONITORING ANALYTICS

05 Monitor the effectiveness of controls and compliance activities with data analytics.
06 Get up-to-date confirmation of the effectiveness of controls and compliance from owners with automated questionnaires or certification of adherence statements.

MANAGE RESULTS & RESPOND

07 Manage the entire process of exceptions generated from analytic monitoring and from the generation of questionnaires and certifications.

REPORT RESULTS & UPDATE ASSESSMENTS

08 Use the results of monitoring and exception management to produce risk assessments and trends.
09 Identify new and changing regulations as they occur and update repositories and control and compliance procedures.
10 Report on the current status of compliance management activities from high- to low-detail levels.

IMPROVE THE PROCESS

11 Identify duplicate processes and fix procedures to combine and improve controls and compliance tests.
12 Integrate regulatory compliance risk management, monitoring, and reporting with overall risk management activities.

Case study

Here’s an example of how an automated, data-driven approach can transform traditional compliance management processes.

A US-based multinational manufacturer and wholesaler transformed its regulatory compliance obligations (including SOX, FCPA, and EH&S) through automation, dashboards and reporting, and advanced data analysis.

COMPLIANCE REQUIREMENTS

- Sarbanes-Oxley (SOX).
- Foreign Corrupt Practices Act (FCPA).
- A range of emergency, health and safety (EH&S) regulations.

CHALLENGES

- A risk assessment uncovered certain compliance issues around data privacy in European operations, and the potential for money laundering among certain customers in Asia.
- Dealing with a large number of vendors, some with compliance concerns like conflict minerals, environmental standards, and product component quality.
- Ensuring compliance with 1,500 regulations.

PROCESS BEFORE

Each group used spreadsheets to track requirements, controls, and testing evidence. This made a consolidated view of compliance status impossible. The staff spent thousands of hours emailing around forms and spreadsheets. They also wasted time chasing individuals for responses and compiling results. Executive management received a summary report every quarter highlighting any compliance concerns. The report was painstakingly amalgamated manually into an overall corporate risk assessment report.

AFTER IMPLEMENTING TECHNOLOGY

- Details of all compliance requirements are now maintained in a central library.
- Details of policies, processes, and controls are clearly linked to relevant regulations and compliance requirements.
- In-depth status is immediately available by selecting category (e.g., SOX, FCPA, PCI, SOC).
- Determining individual ownership for specific sets of compliance requirements is straightforward.
- Transactions are automatically monitored across six core financial and operational process areas.
- Non-compliant activities are identified using advanced data analysis.
- Identified anomalies and exceptions are automatically flagged.
- Unresolved issues are now escalated for senior management review.


8 compliance processes in desperate need of technology

The last part of this eBook looks at eight best practices you can start implementing to improve your compliance management right away.

01 Centralize regulations & compliance requirements

A major part of regulatory compliance management is staying on top of countless regulations and all their details. A solid content repository includes not only the regulations themselves, but also related data.

By centralizing your regulations and compliance requirements, you’ll be able to start classifying them, so you can eventually search regulations and requirements by type, region of applicability, effective dates, and modification dates.

02 Map to risks, policies, & controls

Classifying regulatory requirements is no good on its own. They need to be connected to risk management, control and compliance processes, and system functionality. This is the most critical part of a compliance management system.

Typically, in order to do this mapping, you need:

- An assessment of non-compliance risks for each requirement.
- Defined processes for how each requirement is met.
- Defined controls that make sure the compliance process is effective in reducing non-compliance risks.
- Controls mapped to specific analytics monitoring tests that confirm effectiveness on an ongoing basis.
- Assigned owners for each mapped requirement. Specific processes and controls may be assigned to sub-owners.

03 Connect to data & use advanced analytics

Using different automated tests to access and analyze data is foundational to a data-driven compliance management approach.

The range of data sources and data types needed to perform compliance monitoring can be huge. When it comes to areas like FCPA or other anti-bribery and corruption regulations, you might need to access entire populations of purchase and payment transactions, general ledger entries, payroll, and expenses. And that’s just the internal sources. External sources could include things like the Politically Exposed Persons database or sanctions checks.

Extensive suites of tests and analyses can be run against the data to determine whether compliance controls are working effectively and if there are any indications of transactions or activities that fail to comply with regulations. The results of these analyses identify specific anomalies and control exceptions, as well as provide statistical data and trend reports that indicate changes in compliance risk levels.

The requirements for accessing and analyzing data for compliance are demanding, and truly delivering on this step involves using the right technology. Generalized analytic software is seldom able to provide more than basic capabilities, which are far removed from the functionality of specialized risk and control monitoring technologies.

04 Monitor incidents & manage issues

It’s important to quickly and efficiently manage instances once they’re flagged. But systems that create huge amounts of “false positives” or “false negatives” can end up wasting a lot of time and resources. On the other hand, a system that fails to detect high-risk activities creates risk of major financial and reputational damage. The monitoring technology you choose should let you fine-tune analytics to flag actual risks and compliance failures and minimize false alarms.

The system should also allow for an issues resolution process that’s timely and maintains the integrity of responses. If the people responsible for resolving a flagged issue don’t do it adequately, an automated workflow should escalate the issues to the next level.

Some older software systems can’t meet the huge range of incident monitoring and issues management requirements. Or it may require a lot of effort and expense to modify the procedures when needed.

05 Manage investigations

As exceptions and incidents are identified, some turn into issues that need in-depth investigation. Software helps this investigation process by allowing the user to document and log activities. It should also support easy collaboration for anyone involved in the investigation process.

Effective security must be in place around access to all aspects of a compliance management system. But it’s extra important to have a high level of security and privacy for the investigation management process.

06 Use surveys, questionnaires, & certifications

Going beyond just transactional analysis and monitoring, it’s also important to understand what’s actually happening right now, by collecting the input of those working on the front lines.

Software that has built-in automated surveys and questionnaires can gather large amounts of current information directly from these people in different compliance roles, then quickly interpret the responses.

For example, if you’re required to comply with SOX, you can use automated questionnaires and certifications to collect individual sign-off on SOX control effectiveness questions. That information is consolidated and used to support the SOX certification process far more efficiently than using traditional ways of collecting sign-off.

These automated processes also let you ask managers to confirm they understand an organization’s position around regulations and certifications (e.g., FCPA). This is one of the most important anti-bribery and corruption laws for any organization operating globally. Using surveys and questionnaires, you can check with your managers to make sure they haven’t been involved in any contravening activities.

And finally, automated surveys and questionnaires bring huge value when performing due diligence on third-party or vendor compliance. It can be very tedious and time-consuming to manually gather confirmation of compliance (e.g., SOC reports and certifications). Automation ensures that requests are performed promptly and that delays or response failures are escalated.

07 Manage regulatory changes

Regulations change constantly, and to remain compliant you need to know—quickly—when those changes happen. This is because changes can often mean modifications to your established procedures or controls, which could impact your entire compliance management process.

A good compliance software system is built to withstand these revisions. It allows for easy updates to existing definitions of controls, processes, and monitoring activities.

Before the arrival of software solutions, any regulatory changes meant huge amounts of manual work, causing backlogs and delays. Now much (if not most) of the regulatory change process can be automated, freeing your time to manage your part of the overall compliance program.

08 Ensure regulatory examination & oversight

No one likes going through compliance reviews by regulatory bodies. It’s even worse if failures or weaknesses surface during the examination. But if that happens to you, it’s good to know that many regulatory authorities have proven to be more accommodating and (dare we even say) lenient when you can demonstrate your compliance process is strategic, deliberate, and well designed.

There are big efficiency and cost benefits to using a structured and well-managed regulatory compliance system. But those financial gains pale in comparison with the benefit of avoiding a potentially major financial penalty by replacing an inherently unreliable and complicated legacy system.

Technology evaluation checklist

Whether you’re looking to get a new compliance management system or update your current system, we’ve shared the following key points for you to consider.

ARE YOU EMBRACING THE CLOUD?

Cloud-based systems have been proven to be highly secure and hold a lot of advantages over legacy on-site applications.

One primary advantage is the continuous deployment of enhancements. You no longer need to deal with new version implementation. The software capabilities are constantly improving with minimal impact, and updates are made with little to no IT intervention.

IS THE TECHNOLOGY PORTABLE?

It’s no longer realistic to run important applications strictly on desktop or laptop computers. Executives, managers, and specialists involved in compliance management need to be able to access and update systems using a number of devices, while working in any environment, from any location. Your compliance software needs to be optimized to operate on those devices.

CAN YOU ROLL OUT RAPID CHANGES AND UPDATES?

Your software should let you quickly re-configure and modify the system, both to take advantage of new capabilities and to implement new processes when needed. The better and more purpose-built the software, the easier these types of tasks will be.

HOW DOES SYSTEM PERFORMANCE RATE?

System performance plays a major part in user satisfaction. When an application is inefficient or slow, people become frustrated and stop using it. This applies to everything from screen input and response times, to the time it takes to consolidate thousands of reports and survey responses, and to test millions of transactions.

A system that works well and transforms processing and response times can create whole new levels of engagement from users.

ARE YOU GETTING THE FULL STORY FROM YOUR DATA?

Data analysis must support rules-based controls and compliance testing. It should also support various visual and statistical analyses to provide insight into overall risks and trends.

It should be able to support rapid access to, and analysis of, multiple different data types and sources, including ERP, corporate databases, and emails/formal communications.

Additionally, logging of all analytic processes is an important capability seldom found in generic analytic technologies. Compliance requirements often mean that an activity log of everything that took place is necessary for adequate documentation and verification of procedures performed.

DO YOU HAVE DASHBOARDS TO SHOW CURRENT COMPLIANCE MANAGEMENT STATUS?

We talked earlier about the importance of reporting for regulatory bodies, often in a prescribed format. Another important aspect of reporting is the ability to provide management with an overview of the current status of the entire compliance management process. In fact, this ultimately may need to be closely integrated into an overall corporate risk management dashboard as part of the organization’s ERM strategy.

Compliance executives and others need specific views into discrete compliance areas, getting not only an overall visual risk assessment for a particular regulatory requirement, but insight into information such as the percentage and monetary value of anomalies identified, and the results of remediation efforts.

Ready to find out how ComplianceBond can simplify and centralize your compliance management?

For an assessment of how your organization can integrate Galvanize technology to transform your team’s value delivery, call 1-888-669-4225, email info@wegalvanize.com, or visit wegalvanize.com.

ABOUT THE AUTHOR

John Verver, CPA CA, CMC, CISA

John Verver is a former vice president of Galvanize. His overall responsibility was for product and services strategy, as well as leadership and growth of professional services.

An expert and thought leader on the use of enterprise governance technology, particularly data analytics and data automation, John speaks regularly at global conferences and is a frequent contributor of articles in professional and business publications.

ABOUT GALVANIZE

Galvanize delivers enterprise governance SaaS solutions that help governments and the world’s largest companies quantify risk, stamp out fraud, and optimize performance.

Our integrated family of products—including our cloud-based governance, risk management, and compliance (GRC) solution and flagship data analytics products—are used at all levels of the enterprise to help maximize growth opportunities by identifying and mitigating risk, protecting profits, and accelerating performance.

wegalvanize.com

© 2020 ACL Services Ltd. ACL, Galvanize, the Galvanize logo, HighBond, and the HighBond logo are trademarks or registered trademarks of ACL Services Ltd. dba Galvanize. All other trademarks are the property of their respective owners.
