Organizations can stay on the positive side of regulatory, compliance and ethical risks with clear roles, alignment in risk and controls, and automated testing, surveillance and investigations.
Organizations want to stay on the positive side of regulatory, compliance and ethical risks while increasingly looking at how best to bridge business and compliance objectives. As such, the promise of artificial intelligence and automation gives rise to hopes of reducing and optimizing operational and compliance spend. While regulatory technology (RegTech) has great value across industries and is gradually being adopted, organizations must first reassess their core processes and controls in order to drive more streamlined governance while enhancing risk management and mitigation. Whether called convergence, integration, transformation or optimization, all firms should look to three core elements in this process:
- Redesign skills and roles.
- Align risk and controls.
- Consolidate testing, surveillance and investigations.
Redesign Skills and Roles
Often undervalued and yet critical to streamlining efforts are the buy-in, skills and talent needed to set risk strategy and embrace changes in skills and roles. Compliance and ethics risk professionals must be change agents with great judgment as well as analytical and communication skills. This is even more critical in a time of advanced digital technology, agile business operations and changing customer expectations. They also must be supported by skilled compliance and ethics professionals with the human and technological savvy to understand and apply information to human interactions in a fast-changing global business environment increasingly impacted by disruptive technologies. Likewise, business leaders must appreciate and prioritize the efficacy of compliance and ethics risk prevention, detection and response above simply cutting costs.
As such, accountability for compliance and ethics is critical and should be both well understood and documented, with sufficient organizational stature and independent critical challenge. Compliance and ethics must also be an integral and respected partner with all areas, including its human resources and legal counterparts to drive forward ethics and culture programs; technology to drive automation, incident response and privacy programs; and the front line to streamline onboarding, operational control effectiveness assessments, and employee, transactional and vendor monitoring.
Align Risk and Controls
An alignment of risk and controls is needed to drive consistency around how to identify relevant compliance, ethics and reputation risks; how to conduct assessments that are aligned with and informed by the realities of the company’s business operations; how to leverage output and quantify potential impact for business purposes; and what should be communicated to key stakeholders.
Most organizations do not have a central point to manage how new risk assessment requirements are implemented and how existing risks are mapped to the appropriate functional level of business controls. Meanwhile, their leadership is seeking to view risks and controls through a single lens for multiple purposes and communicate this information consistently in automated dashboards. Improving the content such that it clearly ties to business objectives and reduces redundancy can help encourage the appropriate level of focus on the part of the right senior resources.
Consolidate Testing, Surveillance and Investigations
Inefficiencies across the organization usually increase with the number of disparate testing, surveillance and investigation programs. This may lead to an inability to detect root causes and/or systemic issues. Increasingly, organizations are looking to both automate and consolidate testing, monitoring and surveillance activities through constituent standards, plans, scripts and reporting.
Likewise, previously disparate investigation units are increasingly sharing appropriate data and/or consolidating, both to gain greater efficiencies and to increase knowledge that may help to drive positive cultural and ethical change.
To get started, all organizations should:
- Inventory risk and control source systems.
- Standardize naming conventions, definitions and attributes.
- Rationalize risks and control inventories and align to common taxonomy.
- Inventory existing control testing, monitoring and surveillance activities.
- Assess testing, monitoring and surveillance objectives, scope, methodologies and granularity.
- Identify technology platforms, including data sourcing agreements.
- Identify available key behavioral analytic and control metrics.
For more information, visit kpmg.com/us/regandcompliancetransformation.
Amy Matsuo is the regulatory & compliance transformation executive sponsor at KPMG.
Published October 8, 2018.