The heightened level of legal and regulatory scrutiny facing companies today is convincing many to reevaluate, redesign and improve their existing compliance programs. An effective compliance program will be less costly in the long run if properly designed and implemented. Technology is an important element in any compliance program, as it provides the opportunity to leverage the resources dedicated to this critical business need. A well-designed and implemented compliance IT plan will enable an organization to properly embed policies, monitor results and investigate and report on success or failure, and do so without straining limited resources.
The current landscape of corporate compliance is made up of a lot of fragmented processes and procedures. Not surprisingly, compliance-related technology, if used at all, is usually just as fragmented. With fragmented processes, procedures and technology, there is an increased likelihood that an organization's program is not maximizing its effectiveness, that data gathering and reporting at the enterprise level is burdensome and that opportunities are being missed to leverage technology more broadly within the organization's compliance activities.
When formulating a new compliance function or reinvigorating an existing program, it is a best practice to incorporate the role that technology can play right from the beginning. The most successful way to accomplish this is to form strong links between those responsible for compliance and senior members of an organization's IT function and other key technical resources. This starts with a clear articulation of the company's compliance objectives and priorities as well as a discussion about how technology could be used to help support these requirements. It is then up to the technical resources to turn these requirements into a plan of action, such as a technical design document that details the software, hardware, internal/external resource needs and overall project timing.
A well-constructed technical design document will help to minimize future compliance-related IT system design and implementation costs, ease the "change management" burden necessary for a successful implementation and allow an organization to have a consistent, enterprise-wide technology approach. The technical design document is used as the blueprint for the implementation of the IT infrastructure and provides the specific capabilities that the IT system must deliver in order to improve the overall compliance program. Some level of prioritization is necessary to determine which IT systems will provide the most value to the organization's program. Based on this prioritization, a phased system implementation typically takes place in which each implementation phase is intended to satisfy one of the organization's compliance priorities. This type of phased implementation helps to control costs, puts less strain on internal IT resources and allows the organization to build momentum around the IT-compliance initiative.
How do companies use technology to help promote compliance? In July's issue of The Metropolitan Corporate Counsel, our colleagues described the components of successful compliance programs:
1. Identify and Evaluate Compliance Risk
2. Set Compliance Policy
3. Embed Compliance Policy
4. Monitor
5. Investigate
6. Report
There are many examples of technology being used to support each one of these components. Here are a few:
Identify And Evaluate Compliance Risk
We see this critical starting point for a robust, enterprise-wide compliance program supported by both "off the shelf" and homegrown risk management systems. Many include not only a compliance risk capability but also an enterprise-wide risk management capability. These types of systems should share some basic features:
- Identify the risk and related legal and regulatory requirements
- Map the areas of the business impacted by the risk
- Identify key people who are responsible for managing the risk
- Document the policies, procedures and other controls that are in place to address the risk
- Evaluate the size of the risk
- Identify any gaps and plans to address the gaps
These systems allow companies to have a single automated source for tracking risks and the activities undertaken to address these risks. Beyond the benefit of making it much easier to manage overall risk, these systems centralize all risk information so that data is easily retrievable by regulators or other third parties, or when a company becomes involved in merger activities.
Set And Embed Compliance Policy
A common best practice is to incorporate a robust internal web portal to support an organization's objectives in communicating and embedding compliance policies within the company. Consolidating all of the compliance content and messaging through a single interface translates into a more effective compliance experience for employees. Typically, the portal will include policies and procedures, educational materials, key contact information (such as the ethics line or other avenues for escalation of issues) and other compliance resources.
Online compliance education is another effective use of technology. There are a number of high-quality training vendors who work with companies to develop the curriculum for implementing and distributing online training via the company's compliance portal. Using in-house developed audio and video webcasts to broadcast important compliance messages to the target audiences is also quite common. Combining a webcast with a simple online registration or acknowledgement tool is a low-cost way to distribute compliance messages and account for attendance.
In the context of communicating and embedding policy, there are numerous tools available that support these objectives for addressing a particular risk. Some examples include:
- Outsourcing corporate functions such as Internal Audit and R&D has triggered a need to protect trade secrets, company financial data and other sensitive information. To this end, companies are now encrypting emails and attachments between third parties to control distribution. The next generation of encryption will be at the data level, where companies will be able to control access to data, as well as limit distribution.
- Along the same path, companies are required to maintain detailed records for high-risk activities in areas as diverse as airline maintenance, clinical testing and government contracting. This can be a very complex requirement in today's virtual environment. Many of our clients utilize end-to-end document management systems with sophisticated audit trails to monitor edits and changes to critical documents.
- Traditional customer relationship management systems have become a critical compliance tool in the pharmaceutical industry to control and track the distribution of pharmaceutical samples in order to respond quickly to audits. Some of our clients require salespeople to carry handheld devices so that data can be entered and integrated directly into the CRM system in real time.
- In financial services, there has been a proliferation of technology tools and services to assist in evaluating customers and monitoring transactions to spot money laundering and OFAC compliance issues. These systems help to identify, investigate and block suspicious financial transactions. We are starting to see other industries adopt similar technology as the regulators broaden their scope.
Monitor, Investigate, Report
Although there are a number of technologies currently available that can help address the monitoring, investigating and reporting of compliance activities, an emerging trend in compliance is the use of "dashboards." Although the concept and practice of dashboards have been around since Deming, gaining more popularity with such corporate initiatives as balanced scorecards and Six Sigma, only recently has dashboard technology caught on in any meaningful way within corporate compliance programs.
In order for an organization to gauge the success of its program, it must be able to properly monitor the effectiveness of the compliance initiatives in place. The organization must be able to quickly access, investigate, review and report on critical data in as close to real time as possible. In order to do this, performance metrics should be identified for each compliance risk initiative. When properly constructed, these metrics can provide an initial window into understanding the effectiveness of the initiatives in place and help identify suspicious activity.
Using a dashboard can help an organization answer the following: How do we know if we are meeting compliance requirements? Is our compliance and risk management program effective? How do we identify and measure critical risks to the organization? How do we capture what we are doing about them?
The dashboard allows an organization to gather and present all available performance metrics in a single, user-defined desktop environment that can be used to review the performance of the organization's initiatives. This makes it easier to alert the organization's decision-makers who can take action so that compliance can be managed to meet business expectations. It allows an organization to detect certain compliance anomalies, provides proactive alerts for timely resolution of problems, helps to resolve issues by providing the key data elements needed to create the proper solution, and can be used to view data at the most granular level for strategic analysis.
The dashboard can be built using various portal or business intelligence technologies that are available from a number of software vendors. Typically, a well-designed dashboard will include the following functionality:
- Drill-down investigation to relevant reports, analysis and scorecards
- Real-time reporting on key performance indicators that are defined within the compliance program and rooted in operational data
- Integration capability that supports the delivery of real-time analytic and operational metrics from a multitude of enterprise systems
One of the most valuable features of effective dashboards is the ability to combine data with visual and other cues so that the important information virtually jumps off the screen. Some of the most popular means of achieving this result include numeric rating scales, traffic lighting (Red/Yellow/Green), trend graphs, and deviations from preset targets or benchmarks. Having this data so readily available can help an organization properly direct staff time and energy into the specific areas that need improvement and provide the greatest benefit.
Today, organizations are seeking a formalized approach to managing enterprise risk and compliance. Many organizations view IT systems as tools that will allow them to ensure that compliance is being consistently and properly managed. A properly designed, integrated and implemented IT system, including functionality such as the compliance dashboard, will serve as a central repository of risk and compliance performance metrics that will help an organization in its analysis. Of course, like any other technology tool, a dashboard is just that - a tool, and not a solution in itself. Most companies will find that the data they receive from dashboards makes them more effective in identifying potential issues, but won't eliminate the need to roll up the sleeves and investigate whether the issue is actually a problem. Moreover, there is certainly a limit as to how much information can be automated or translated into data and metrics.
As one Chief Compliance Officer recently told us, you can have the best program in place, with state-of-the-art training, certifications, metrics and audits, but none of it will completely ensure compliance. Unfortunately, companies can't afford to have compliance personnel sitting with employees as they work. The role of technology is to provide a window for the compliance team to have greater visibility into the activities taking place in the field. Technology can help significantly advance the objective of building a compliant culture by helping to identify where the compliance team should be spending their time and focusing their efforts.
Published September 1, 2005.