What’s the best way to bring your compliance function up to speed? Most people agree it’s to learn from the experts. The people who’ve been there, done that, and driven success for their companies to boot.
Compliance Week provided the perfect opportunity to mine the brains of industry giants for golden nuggets of compliance wisdom.
During their panel on Creating a Risk-Based Compliance Program, HMSHost’s Jon Stentz and Western Union’s Cherie Axelrod shared their expert insights into how best to leverage technology and data to drive both compliance (and business) forward.
If you’re ready to empower your compliance function to run like a well-oiled machine and drive value for your business, here are four tips from the people who know how.
1 – Get Your House in Order
Before you can have a functional and effective compliance program in your business, you must have the right technology in place.
Without the proper technology – and the data insights that technology enables – there’s no way a company can get the visibility it needs into its global risk. Without the right technology in a global company, trying to navigate data is like trying to navigate a treacherous and steep mountainside blind and in the dark – maybe someone can do it, but I sure can’t see how.
Neither could the experts on the panel.
“We use technology, not just within compliance, but as part of our entire company’s objective to be the best in the business, and to have an ethical business,” Stentz states.
What type of technology tools do they use? Well, that depends on the market.
In developing markets, HMSHost developed an e-learning tool and online method for training delivery.
“We couldn’t just fly around and give instructions all over the world and teach people how to do it,” Stentz states. “We created an online method for it.”
Now, not only does HMSHost translate training into foreign languages, but they’re able to track each employee who takes it. This enables them to collect rich data on what trainings are being taken by who and how many people complete it.
And that’s just one example of how technology can help.
2 – Assess Your Risk
One key to effective compliance programs, no matter what guidelines you look at, includes risk assessments. Yet only 40% of organizations actually conduct these assessments, according to a Deloitte survey.
However, the panel experts agree: conducting a risk assessment is the first step in gathering the data your team needs to make decisions.
“From a Western Union perspective, we have a continuum of risk,” Cherie Axelrod, Deputy Chief Compliance Officer at Western Union states.
“We start with the transaction itself, which we risk assess in milliseconds at the point of sale. Then we look at risk assessing the customer and the customer’s activities. Afterwards, we move on to new products, so as we launch new products, a new geography or new corridors, we risk assess each of those as they come into the network.”
Each year, Western Union conducts an enterprise-wide compliance and risk assessment. Country by country, corridor by corridor, product by product, they filter all the risk coming in through the business and use the results to inform their efforts.
Yet there are so many different ways to conduct these types of assessments. Your company’s approach could be as simple as a few basic questionnaires, or as detailed as HMSHost’s and Western Union’s heat maps, which we’ll talk about in a minute.
While guidelines provide basic parameters, they also leave plenty of leeway for companies to conduct a risk assessment that works best for their particular needs and industry.
3 – Plot What’s Hot
The next step after receiving raw data, according to Stentz? Time to look at the data (and therefore the whole compliance program) as a team.
A tool both HMSHost and Western Union prefer to use for mapping this data? A heat map of their companies’ risks on a global scale.
By compiling their data into a complex heat map, their teams can visualize exactly where they need to take action and pull together their game plan.
To analyze this data, HMSHost gathers together an internal team of experts for what they call the compliance committee.
“The compliance committee talks about the issues by gathering data in 37 specific areas that we concentrate on. Then we create a heat map to decide where our attention should be. It’s part of a loop,” Stentz states.
Essentially, this compliance committee uses the data they receive to rank risk in different jurisdictions differently and respond to them proactively.
“With the help of internal audit we do annual ethic surveys and surveys of specific areas, and with that feedback, we think about whether our policies and procedures are good,” Stentz mentions.
The real kicker though is that these insights shouldn’t stop at the boundaries of compliance. They should be used to inform the entire business.
4 – Integrate Metrics and Drive Compliance
“Data is okay if you are able to analyze it in a way that makes sense,” Mitratech risk and compliance expert Jason Cropper, who moderated the Compliance Week panel, states.
If you only have raw data without understanding what it means, or you understand the data but never use it to inform decisions, it won’t do you any good, the panelists agree. The trick is that risk assessment can’t just live in compliance. Rather, compliance insights should help drive the business too.
“This can’t just be a compliance exercise. If we build this beautiful compliance risk assessment and color code it, print it out, bind it and put it on a shelf – that doesn’t help the business,” Axelrod says.
In order to be effective, these compliance exercises can’t live in a silo. Instead, they should fully integrate into the business as a whole, thus enabling compliance to become part of the solution and identify any weaknesses.
When you understand, for example, exactly how much conflict of interests costs your company per year, Cropper mentions, you can clearly demonstrate the significant threat this noncompliance poses to your business.
When you use technology correctly, knowing the right metrics help identify risks to your organization so you can deal with them. With the right metrics, compliance can also show the board exactly what they can achieve with the right tools and how they can deliver more benefits to the rest of the organization.
So how did Western Union get to a point where they were able to integrate risk metrics into their business and use it to drive value for the entire organization?
“It’s been an evolution. It feels like we’re well advanced for some companies but we’re probably at the beginning or middle of where we want to eventually be in terms of using metrics. Are we using the right metrics? Are we looking at the right things? We’re always trying to assess that,” Axelrod explains.
Just like keeping up with regulatory requirements is a never-ending job, assessing risk and reviewing the risk-related data is also never over. The right technology helps companies “keep up with the Joneses” of risk management. And not just keep up, but forge the future where compliance meets business.
Trying to build a more effective compliance program? Here are some other resources you might enjoy: