Part of working in a regulated environment entails finding ways to optimize compliance activities.
In my previous articles, we explored the importance of having documented processes, checkpoints or controls to avoid deviations, as well as the importance of multi-functional collaboration to reduce the impact to our organizations. This time around, we are going to tackle how to optimize our regulatory compliance efforts and processes to reduce business impact while increasing organizational agility.
Unlike pharmaceutical, aerospace and nuclear environments, where regulatory compliance efforts are obvious, other industries are trying to understand the merits of such efforts and how best to adapt to the impact of regulations. These companies struggle with the balance between “rigor vs. deployment speeds.”
U.S. regulations have been around since the 1887 Interstate Commerce Act. At that point in time, the focus was the physical safety of individuals. Although time and resources have evolved, the focus of today’s regulatory bodies remains on the mitigation of risks to the consumer, most of the time your customers. This is the importance of compliance, because even if you can afford the hefty fines and penalties that come with non-compliance, can you really afford to lose your customers if they feel you have inflicted unnecessary risks on them?
The main challenge of implementation is that with so many regulatory bodies, lack of risk exposure identification will give the impression of new and unexpected rules showing up almost weekly, with no apparent shortage of new elements with which you must comply.
So where do we begin?
It is important to remember that compliance is neither a single department's responsibility nor an audit-driven event. A mature program starts with enterprise risks and is governed by the executive leadership of the organization as it implements processes that will help significantly reduce the risks associated with non-compliance. This includes, but is not limited to, the fines established by the regulatory bodies represented by the dreaded auditor.
When you engage with our team, our initial assessment will serve as the baseline for the overall compliance infrastructure, regardless of the regulation. Our assessment focuses on six areas to determine the maturity and health of our customers’ compliance program:
Enterprise Risk Management Outputs – Looking for the value at risk and information classification.
Rule Interpretation – Assessing the responsible parties for interpreting the actual regulation, the process followed and how the impacted areas are determined.
Policy Documentation – Evaluating the policies that document how the regulation was interpreted, the impacted areas identified and the overall approach to compliance.
Procedures and the Operational Controls – Reviewing the procedures that document how the processes will be executed in the impacted areas, the controls that will be in place to ensure compliance and the way that the controls will be tested to ensure effectiveness.
Control Monitoring and Testing – Reviewing the process followed to periodically evaluate the strength of the established controls, as well as the tests performed on those controls to ensure they are effective.
Report and Address Deficiencies – Looking at the management report that details the results of the control testing, as well as the remediation plan for identified deficiencies.
We use this initial baseline to provide remediation and optimization advice based on regulation requirements, best practices for your industry and the risk exposure according to your organization’s size and the customers you serve.
What we often hear is “the cost of compliance is outrageous,” or “all of those controls will not allow me to do business efficiently.” Our team recommends a balanced approach based on risk exposure, likelihood and impact. The following considerations are key:
Process: Your controls should be embedded seamlessly in your day-to-day processes. A strong process has integrated checks and balances to reduce deviations, and it is monitored periodically to identify any irregular activity. This is not only important for compliance purposes, but also to avoid inefficiencies that will ultimately impact your profitability.
Technology: In today’s world, processes are strongly supported by a variety of technologies. Those technologies offer you the capability to leverage systematic controls that are pretty much painless to the users.
People: People in your organization are your most important asset. An engaged workforce, with the appropriate skillset to perform their duties, will excel in performance and will become your eyes and ears in your day-to-day processes. Supporting that workforce with continuous communication and training is your most important preventive control.
Ultimately, you must remember that compliance is not only a corporate responsibility; it is also a direct responsibility to your customers to protect your organization and the way you do business.
By Neysha Arcelay, Precixa