Compliance management must be able to address a wide range of risks:
- anticorruption;
- anticompetition;
- data privacy;
- cybersecurity;
- trade sanctions;
- money laundering; and
- operational threats—the list is endless.
Compliance officers need a method to track all those risks and to measure how serious a threat each one is to your organization.
The most rudimentary risk-assessment tool is the spreadsheet. It does not work well. Spreadsheets are prone to error, lost data or simple mix-ups: supervisors affirming a control is effective when their subordinates haven’t finished testing, for example. An effective risk-assessment tool is both standardized and flexible.
The tool should be able to pre-populate the questions you will want to ask of business operating units or third parties. It may use templates of standard questions to assess a risk quickly. Ideally, it will also let you add, subtract or reconfigure specific questions, so you can get the most precise and customized risk assessment possible.
Risk assessments should also be as current as possible. That means your risk-assessment tool should pull the latest data from a single repository of relevant information and present it in an easy-to-understand dashboard format that will let compliance managers then take deeper dives into gaps, inconsistencies or other questions that might emerge based on what the tool is telling you.
A risk assessment identifies the gaps between a company’s controls, policies and procedures and the risks that the company actually faces. Especially for a company building its first compliance program, those gaps can be large, and the organization will need to take many steps to close them.
A risk-management tool guides the compliance program manager as he or she tries to implement those changes. Controls need to be identified and tested; weak controls need corrective steps; those steps need to be assigned to a control owner; deadlines need to be set; and follow-up testing needs to be done.
Ideally, your risk assessment and management tools work hand-in-glove. That configuration could, for example, let a compliance program manager view all data in a heat map or a grid: risks on one axis, effective controls on the other. Then the manager could drill down into specific risks or controls to see the latest action on remediation. This exciting tool is available in the country and can be demonstrated. Let me know if a demo is desired.
Performing due diligence on business partners is also fundamental to the modern compliance program. The compliance function must be able to identify the controllers and beneficial owners of third parties, whether those parties are customers, suppliers, joint-venture partners, resellers or some other relationship. Then those controllers and owners must be screened against various watch lists (specially designated nationals; politically exposed persons). The company itself should be evaluated for past regulatory trouble, adverse media reports and so forth.
Those are repetitive, tedious tasks, which makes them prime targets for automation. Meanwhile, your enterprise needs to develop policies and procedures to put your human resources to best use—considering exception requests, applying additional oversight, overriding denials and the like.
To manage all levels of due diligence under one roof, it is ideal to be able to store all data in one place so you never have to worry about manual processes failing you.
From the perch of the compliance officer, you need to see all of that data consolidated into one “full picture profile” of every third party. So those procedures performed by humans should exist within a system that captures all their data via web form or a similar mechanism (no spreadsheets allowed!) and combines it with the automated data.
Again, the automation system is available!
As we can see, effective compliance programs have many moving parts. The grease that keeps all those pieces moving smoothly is unity of operation and automation of tasks.
That is, the compliance program must be able to perform due diligence on third parties and train them as necessary on conduct issues. Ideally, one unified system will automate due diligence checks and then issue alerts for follow-up training as appropriate. Or the risk-assessment tool works in tandem with the due diligence system to identify high-risk third parties that need additional scrutiny.
That unity can come from a collection of tools that attempt to integrate or a single provider of comprehensive compliance technology.
The fundamental structure of a compliance program, however—the capabilities a program must have—cuts across circumstance, industry and size. Whatever drives you to start a compliance program from scratch, the final product should always strive for these basic features.
And let me say it again, the comprehensive compliance technology is available. It’s easy to demonstrate it to you.
Let me close by reiterating that risk management is a key in compliance management; you cannot do without it.
Comments are welcome—contact me at Schumacher@eitsc.com.