The ‘12 Golden Rules’ that reduce the risk in compliance decisions.
Last week an old client called me. He wanted to discuss a risk management framework we had implemented a number of years ago. He wondered what would be the most effective approach for their transition to a Risk-Based Compliance Management System. (In this case, the word ‘system’ was used to define a set of methods, procedures and routines created to carry out specific activities, perform tasks or solve problems. Also, an organized, purposeful structure that consists of parts that continually influence one another in order to achieve the objectives of the system. I provide this definition for ‘system’ so as not to mistake it for technology.)
During the course of the conversation, he explained how day-to-day compliance, in general, had become a struggle and was taking an inordinate amount of time, and costs were escalating.
In a discussion of more than 2 hours, I outlined for him how the highest level of effectiveness can be achieved without implementing all new frameworks or technologies. Though I will say that technology, such as AI and machine learning, can add huge value to decision making and the compliance management process. I’m sharing my ‘12 Golden Rules’, which are central to setting up a reliable Compliance Management System necessary for the new era of technology, business and regulations, post the hectic implementations of the past decade.
Compliance occurs in different parts of an organization, by different actors in varying roles and levels of responsibility. It is not just a department, it is integral to the modern way of business.
Actors in key business areas have compliance obligations. Each actor has to make a choice each time they transact or interface with a customer. They can choose to be 100% compliant or some level that is less than 100%. By most companies’ policy, compliance is not a choice, but with human nature, everything is a choice. The exposure to risk occurs when an actor chooses their free will and own moral compass to take the next step. Remember also, the lower the percentage of compliance, the higher the cost to the organization.
The following are our “12 Golden Rules” which are proven to achieve the highest level of effectiveness for a Risk-Based Compliance Management System:
- Accept that compliance may not be at 100% all the time. How will you deal with those employees who will not comply 100% and find it is easier to ask for forgiveness than to ask for approval before stepping outside the boundaries of the rules?
- Know and communicate where the compliance boundaries are and what the consequences are for breaching them. How are these gaps articulated in your risk management framework and system, expecting that less than 100% compliance will be the case?
- Compliance is not designed to be reactive or to close the barn door after the horse has left the barn. Are your teams clear on the specific objective that provides the electrifying reason for compliance and how it is achieved?
- Obtain the analytics that provide you with analysis of repeating patterns – you need to decide which patterns you will interrupt. How are you integrating this feature into your identification and mitigation of emerging compliance risks?
- Decide which logic and criteria you will use to interrupt patterns. Have you assessed precisely what capabilities you have or need for managing your compliance system more effectively?
- Risk and compliance are not mutually exclusive; yet each has clear objectives and distinct roles. Do your teams understand how to infer the two in each decision or choice they make?
- Determine if your compliance teams need to be trained. Does everyone in a compliance role know how to interpret the analytics that relate to their specific oversight of regulations?
- Stop trying to continuously improve – start to continuously adapt. If your environment is continuously changing, have you considered discarding what exists and designing a build for adaptability?
- View compliance as a complex system that operates effectively when people are using technology to supplement knowledge, awareness and mindfulness. Is your organization seeking to leverage advanced technologies, almost to the exclusion of people?
- Determine where your organization is on the ‘Compliance Maturity’ continuum, then compare that to the organization’s ‘Risk Maturity’. How many gaps do you identify between the two maturity levels?
- Align the Compliance Management Strategy to the organizational strategy. Then align the Compliance Management Strategy to the risk management strategy across all lines of business. Do you have a history of creating a compliance strategy for each new regulation and then ensuring it is aligned to the organization strategy?
- Integrate risk and compliance management into the organization’s strategy to create new value, improve efficiency, improve decision making and increase customer confidence. Have you identified where quantitative and qualitative value is created through better compliance execution? (aside from only reducing the negatives)
Management has an imperative to execute on a compliance model that is consistent with the organization’s culture, risk tolerance/appetite, objectives, strategies and capabilities; and that will generate new value with the investments and opportunities they choose to pursue.
Uvidi Consulting works with companies that are creating innovative programs to more effectively and efficiently execute their strategies. We share our provocative thinking and pragmatic solutions that help you to Raise the Bar and Close the Gaps in your organizational capabilities.