Compliance and Technology
We need to start giving compliance a better foundation of basic knowledge, strategies and practical approaches. The compliance profession can adopt common solutions to problems for different companies. The fact that companies have their own distinct risk profiles and operations does not mean that they have to rely on distinct compliance solutions. No two companies are alike, but that does not mean that each one needs its own distinct compliance solution.
We all hear about the need for compliance to embrace “technology.” But what do we mean by “technology”?
Let’s start to put some meat on the bones of this concept. I would divide compliance technology into three concepts:
- Intelligent Automation
- Data Analytics and Monitoring
- Reporting and Communications Systems
As I discuss each of these ideas, you may think that my description is basic and even elementary. But bear with me as we build some minimum standards and eventually take technology to some new and interesting areas, where blockchain, artificial intelligence and other cutting-edge approaches can be embraced.
So, back to the basics.
Companies need to embrace intelligent automation as a first step. Three examples of basic technology are: (1) Governance, Risk and Compliance (GRC) solutions; (2) Third-Party Risk Management; and (3) Policy and Procedures Management. A GRC dashboard is a basic tool that creates a foundation from which a CCO can manage, monitor and collect information for analytical purposes.
Equally important is an automated tool to manage third-party risks. Due diligence, sanctions screening, beneficial ownership and monitoring are critical functions in managing third-party risks, and an automated solution is a basic requirement for companies. As supply chain risks increase and compliance focuses more on reputational risks, a company has to have a single tool to mitigate risks from agents, distributors, professionals, vendors and suppliers.
Technology tools are able to collect data and apply analytics to the data to identify anomalies and potential red flags. These same tools provide for continuous monitoring functions.
Compliance officers also need to use technology for monitoring of employees and business partners. New programs facilitate monitoring of employees for cybersecurity, fraud, social media, gifts and entertainment, insider trading, and conflicts of interest. These tools are invaluable for monitoring employee conduct, including computer use, emails, texting and messaging (if capable) and other communications systems. To implement these systems, compliance has to coordinate with IT, human resources, finance, security, supply chain, accounts payable and procurement departments. If data and monitoring capabilities exist, a compliance officer can develop data collection systems, build a compliance dashboard, and leverage data from these sources to build a larger picture of corporate employee conduct.
Another important area for technology is the management of policies and procedures. We all know that policy management is an important function of a compliance program. In this area, companies have to maintain a current code of conduct, policies and procedures, and make them accessible across the company. GRC technology tools often include sophisticated policy and procedures management functions. A unitary policy management framework is needed to ensure that each policy is regularly reviewed, updated to provide current guidance and management, and then communicated throughout the company. It is easier for employees to understand and follow policies and procedures that are current, regularly updated and accessible through the company intranet site.
As part of this effort, companies have to commit to measuring the effectiveness of their policies and procedures system. In this area, companies often rely on culture assessments, internal audit reviews, compliance audits, transaction testing, spot checks on specific issues, and number of violations and corrective actions.
Companies need to embrace technology to advance training programs and internal communications. With the advent of new technologies for training, companies have developed innovative programs relying on live, web-based and real-time video communications to implement engaging topics and testing programs.
All of this requires money and personnel. Compliance professionals have to build the business case for these investments and, of course, the return on investment. This is where the rubber meets the road: silence in the face of resistance from senior management is not acceptable. Honest delivery of a measured justification to senior management is a must.