So first of all, why do we need a compliance capability or function? Organisations today have regulatory requirements that they must comply with. As an example, if the organisation’s mission is to provide healthcare services in the US, then HIPAA and/or FDA regulations will be a regulatory requirement. Now, if part of the organisation’s business strategy is to go public (IPO) in the US, you will need to comply with SOX requirements.
Also, there are industry best practices or frameworks that an organisation can adopt as part of its business or IT strategy, such as ISO, NIST and COBIT, which will then become part of its compliance requirements. Last but not least, an organisation’s internal policies should also be considered part of its compliance requirements. The following figure illustrates what I’ve just mentioned:
Why is it important to be compliant? Well, to put it simply, being non-compliant with regulatory requirements might imply quantifiable losses to your organisation (financial sanctions, being barred from listing on the NYSE, etc.) along with non-quantifiable losses, such as loss of image and reputation. So, in other words, non-compliance creates a risk to an organisation. Do some googling for HIPAA or privacy breaches and you’ll see what I mean.
What happens when you are not compliant with your own policies? Well, internal or external auditors will raise a finding (a risk), which will require a remediation plan and funding to rectify the non-compliance… Plus, someone above you in the corporate chain will not be happy.
Why is implementing a compliance capability good? A compliance capability will provide the organisation with the resources required to understand compliance requirements, communicate them, assist in achieving a compliant state, maintain it, manage the risks associated with non-compliance situations and track their rectification.
In order to implement this capability, it is necessary to define a framework, like the one shown in the following figure:
Process Management
The first step in implementing a compliance capability is to plan the capability itself in terms of policies, procedures and human resources. Depending on the organisation and the compliance scope, the number of human resources will vary.
Also, the capability’s policies and procedures need to be developed. These will specify how the capability’s governance is to be achieved and how it will relate to other capabilities at an enterprise level and to other governance functions (e.g. IT and Information Security).
They should cover things like principles, roles and responsibilities, KPIs, how compliance is assessed (determining compliance requirements, building a Statement of Applicability (SOA)) and how non-compliance issues are tracked and rectified (e.g. in a register), amongst others.
Changes to processes across the enterprise might be required in order to create interfaces for compliance reporting.
Risk Management
Any non-compliance issue creates a risk to the enterprise. Because of this, it is very important that the compliance framework is in line with the enterprise risk management or IT risk management framework. Each non-compliance situation must have its risk assessed and tracked as part of the organisation’s risk profile until rectified.
Based on the organisation’s risk appetite and tolerance, it is possible to assign a risk rating to each non-compliance issue.
The compliance policy and non-compliance issue management procedures should establish how this interface will work.
Monitor and Evaluate
In order to evaluate the organisation’s current compliance posture, information can be fed from the following sources:
- Internal / external audit reports
- Self-assessments
- Internal compliance assessments
- Reviews of operational KPIs.
Communication and Training
The organisation needs to be aware of the compliance requirements and of the capability itself. In order to achieve good compliance, people need to know where to go with questions.
Key things to consider are:
- Create a compliance focal role: This role will be responsible for answering all questions on compliance requirements and can also act as the interface between business units and the organisation’s compliance capability. It can be one resource or many resources distributed across the organisation.
- Awareness and training: The compliance capability must ensure that awareness and training happen at an organisational level. The Why, What, When and How should be part of the awareness and training.
Hope it helps!