Compliance work has started to mature. Over the years thousands of companies have spent large amounts of money establishing compliance departments, making employees take ethic courses and create and distribute their internal guidelines, expectations & policies. But, are compliance just about training personnel and make them aware?
I think one of the greatest threats to good compliance work, is the pure mass of expectations and requirements given from not only legislators (domestic & foreign) but also from your customers & partners which of course are also affected by the same requirements. We need to remember that compliance is much more than just ethics and the fight against corruption. As a principle, the company must be compliant with all laws & regulations.
In this article I would like to highlight the need for the requirement to go beyond the “mere training” in order to be compliant in accordance with todays standards.
I have the last year talked to numerous compliance officers, and they are all faced with the same challenge. It is easy to distribute laws, policies etc. into the organisation. The compliance officers have done “our part of the work”- now – it is up to the rest of organisation to follow our advice and guidelines. Yes, the compliance officers give advices and help out as best they can on ad-hoc basis, but usually it is only scratching the surface.
What the compliance officers tell me is that the real challenge is how to implement new policies and work processes into their organization, and documenting the effect of the compliance work performed in the organization. If all three elements were in place, they reckon it would be a complete compliance program.
Popular speaking, I call that the Compliance U-Turn, which graphically could be shown like this;
SENDING LAWS, REGULATIONS & POLICIES “SOUTHWARDS”
Requirements, consisting of both external and internal rules, are growing in numbers and complexity. Stakeholders, whether it is internal top management or shareholders/media, expect entities to be compliant at all times and in all situations.
It is important for a company to address the expectations by clear and precise referrals, policies and guidelines (The Downward Facing Arrow). Extracting key issues to be addressed within the company, instead of just stating, “follow all applicable rules for data privacy”.
Not allowing for necessary translation of what the requirements really mean, and for a practical and factual implementation afterwards will mean you fly blind and where (unnecessary) incidents can blow up to unprecedented proportions.
IMPORTANCE OF TRANSLATING AND IMPLEMENTING RULES INTO THE ORGANISATION
After a precise and concrete description of what the company expects from each employee, the next challenge is how these requirements and guidelines are communicated. The goal is to have these fully integrated into operations, from sales to HR, from development to warehouse (The Horizontal Facing Arrow).
Sending emails to employees are usually not 100 % successful. So you distribute the word or pdf files into a file folder structure or similar. Even in such circumstances, the requirements represent an ad-on/ad-hoc requirement, which in practice functions as a library you visit from time to time.
The challenge with library visits, is that they do not document what you have been doing. The concept of a library is, as you may know, to be quiet. So perhaps the whole concept of a library is wrong? How often have we not been looking for solutions, surfing in the company intranet site looking for answer? And then on the Internet, because the guideline found on the intranet site was incomplete. The operations cost is huge – everyday, instead of using that time on productive tasks.
Should we instead integrate the library into operations?
When an auditor visits your company, they ask for documentation, and you need to produce evidence that you are compliant (The Upward Facing Arrow).
For many years, it was enough to show to the auditors your written documentation and procedures. How they actually was used, well perhaps not so important. However this has changed now. Giving evidence is now about how e.g. Sales actually is abiding data privacy, showing a clear link between the law, regulations, and guidelines – documenting these through the different actions/omissions from Sales. However, this has proven difficult for most companies.
So far, most IT systems only give partial assistance. Most users still use files folders to store and access information. Compliance monitoring is done trough Excel sheets. This means usually that you just get a glimpse of the actual status a few times per year. Documenting compliance on a short notice request takes time and resources.
Taking into account that Excel sheets first was used in 1985, it is time to allow compliance officers to have IT tools that is not over 30 years old.
Here at Computas, we are now embarking on an exciting journey combining unique tools with state of the art advisory from our partners. More information will be posted on this blog in the near future.