WE all know that managing compliance risks can seem like a daunting task. In fact, a survey of compliance officers published by Nasdaq in late 2018 found that 55 percent of respondents named fully understanding regulation and how it impacts their business as their top concern for the next 12 months. In order to manage compliance risks, it is crucial that you take a systematic approach to identifying, mitigating and reviewing the compliance risks your business faces on an ongoing basis. Here are the six essential tips to take into account when evaluating your approach to compliance risk management.

1. Always start with a risk assessment

You can’t manage compliance risks if you don’t understand what your risks actually are. Without a thorough and scientifically justified risk assessment of all the elements that make up your compliance program; your policies, due diligence and tone at the top, will accomplish little if they do not address the right risks.

There is no one-size-fits-all approach to risk assessment. Compliance departments typically have limited resources; applying the same approach to the entire organization will inevitably lead to resources being spread too thin as they will end up being overallocated to low-risk markets. It is thus key to assess the risks faced by your business first in order to prioritize and address them appropriately.

2. Understand the latest enforcement policies

Compliance risks typically encompass a number of areas, including data protection—both personal and sensitive data—cyber security, fair competition and anti-corruption. As part of your risk assessment, you should ensure that you understand the requirements imposed by all applicable laws and regulations. However, beyond understanding the letter of the law, it is important that you stay up-to-date with the latest guidance and enforcement policies released by the enforcement agencies as prosecutors wield significant discretion when deciding whether to prosecute misconduct. Doing so could potentially be enormously beneficial if problems do arise, as you will have been able to tweak your compliance program to qualify for leniency.

3. Don’t forget to build a culture of ethics and compliance

The tone at the top of your organization is crucial. Senior leadership should clearly communicate to middle managers, and the rest of the organization, the type of ethical conduct expected from each and every employee—themselves included. Beyond words, actual conduct matters; mere lip service has never convinced anyone.

Figuring out “what actually works” may also require a bit of experimentation. Novartis, the pharmaceutical giant, implemented a system where employees are only eligible for bonuses if they meet or exceed expectations of their values and behaviors.

On a more practical level, you should ensure that you deliver training in a way that is easily accessible to employees and engages them in a way resulting in them actually retaining the message. Failing to do so might render training meaningless. It has to be understood that for instance data breaches happen in operations.

In the same vein, using technology to easily collect conflict of interest declarations and signatures on important policies reduces the “annoyance factor” of manual processes and will drive engagement with your compliance efforts. That kind of software is available in the Philippines.

4. Ensure people feel free to speak up

A strong ethics and compliance culture in your organization is essential to ensure people feel free to speak up if they see misconduct in the organization. No matter how many procedures you have in place, employees will not feel free to blow the whistle on misconduct in the organization if they are not confident they can do so anonymously and without fear of retaliation.

Unfortunately, even the strongest internal controls can occasionally be circumvented by ill-intentioned employees. Once internal controls have failed, the only defense against the misconduct escalating further is a culture where employees are able to speak up. In an organization with a strong ethics and compliance culture, employees are your allies in ensuring that misconduct, when it does occur, is actually reported.

5. Continuously monitor and update your compliance efforts

AS your business is continuously changing, your compliance efforts should change in lock step. It would be a mistake to think of managing compliance risks as a one-time exercise of writing policies and setting up processes. You will only know whether your policies and procedures are effective if you evaluate them on a regular basis. Always ask yourself how you can best measure your impact. One key benefit of compliance technology is that it can give you insight into large amounts of data at a glance via useful dashboards and automatically generated reports. Again, a suitable software can be recommended.

6. Free up time and resources using automation

IT is evident that managing compliance risks is not an easy task; it requires managing lots of complicated processes, a myriad of stakeholders, as well as fostering a culture of ethics and compliance.

The complexity of compliance management and understanding that the safe journey into data protection needs automation inspired me to create a cooperation with Straits Interactive, a company in Singapore that has developed the online Data Protection Management System, to equip professionals, managers and executives with the competencies to perform their jobs in data protection. The DPMS is not only assisting in the compliance with the Philippine Data Privacy Act (DPA) but also with the EU’s General Data Protection Regulation (GDPR) and privacy regulations in countries like Singapore, Malaysia, Australia, etc.

Comments are welcome, please contact me at [email protected]