Companies today need to take a holistic view of risk and compliance; it is no longer sufficient to leave individual departments or teams to manage risk and compliance on their own.
In the past, risks were mostly managed by a compliance team that reported to a Chief Risk Officer (CRO). This structure still holds true, and the role of the CRO has grown from reporting to the Chief Financial Officer (CFO) to holding a seat at the executive table.
However, in today's fast-paced and technologically advanced business world, managing risk and compliance requires a combination of executive buy-in, an understanding of risk management at all levels of the organisation, and supporting technology. Companies that fail to combine these have a higher chance of missing their regulatory and compliance obligations. The damage caused by poor risk management is not just financial but also reputational, and reputational damage can in some cases be more punishing and harder to recover from.
Let us take a look at each of these three factors to understand how we can holistically manage risk and compliance in the organisation.
Executive buy-in to risk:
Whether the change concerns security or regulatory compliance of any kind, organizations do not like instituting new controls and steps in their workflow unless they are compelled to, or at least until executive leadership establishes compliance and risk as a priority and a goal. Failure to manage risk and compliance is a significant business risk in itself, and its importance needs to be elevated to the CEO and the board of directors as well as to the other senior levels of management within the organization.
If you are not receiving the resources or structure necessary to implement and maintain risk and compliance, inform executive leadership of the urgency, of what is needed to put the tools, people or processes in place, and of the impact of non-compliance. A good, business-driven argument on risk mitigation will go a long way towards winning the necessary resources. After all, the executive team is the most likely to face the consequences of being found out of compliance.
Specifically, set aside time to brief your executives on:
- Why risk and compliance management is so important, and how it could impact your business and employees
- How internal processes need to change, and how disruptive that change will be
- What the market implications are, and how customers and/or partners will perceive your trustworthiness and diligence through your risk and compliance efforts
- How you will train the entire organization on the appropriate risk and compliance measures
- How you will track the level of preparedness and training across the organisation
Risk management at all levels of the organisation:
In recent times, the saying "managing risk is everyone's business" has become an oft-quoted principle of risk management. It is unnerving, then, that many organisations only pay lip service to it and leave people to work out their own means of managing risk, which is a highly inefficient and potentially unsafe way of managing risk and compliance.
Once you have executive buy-in, your next step should be to empower and enable every single person in your organisation, be they employees, contractors or even visitors, with access to the tools they need to manage risk and comply with the relevant rules and safety regulations. Training people to identify and escalate risks becomes a prime consideration at this point.
Think about how people can adhere to the appropriate risk and compliance processes without becoming overwhelmed or distracted from their day-to-day jobs. People should also be taught that when it comes to compliance and risk, it is better to be safe than sorry, and staff should be empowered to call out risks without fear of retribution. In simple terms, at this point the management of risk is no longer a function but becomes part of the company's culture.
Supporting technology:
Risk can span multiple areas within the business environment, and a single risk factor can have numerous cross-organizational touchpoints. Vastly different business units such as information security, vendor management, compliance, business continuity, physical security and human resources are all critical parts of an overall risk and compliance strategy.
Yet these separate areas within an organization have traditionally led to a siloed and inefficient approach to risk management, especially with regard to the manual effort spent measuring, managing and monitoring processes and controls. Because the required information is often widely dispersed, individuals can spend a great deal of time on routine data collection, compiling information from spreadsheets, shared drives and other disparate systems.
Using a technology-based solution for compliance management or policy management helps integrate industry best-practice risk and compliance processes across the various silos within the organization in a more efficient and effective manner, thus enabling a much greater return on investment.
Some of the benefits of using technological solutions are:
- Significant reduction in implementation costs and IT spend.
- Elimination of redundant or duplicative activities.
- Improved information quality leading to enhanced reporting into management and regulatory authorities.
We have seen that risk and compliance management becomes far more manageable when we take a holistic view and understand the key ways of approaching it. Specifically, by combining executive buy-in, empowering and enabling every person in the organisation to manage risk and remain compliant, and using the right technology, companies can reduce their risk to a great extent.
And last, but certainly not least, organisations and their executive teams should view investment in these areas as mandatory and allocate sufficient resources and budgets. The risks of non-compliance are far too great to be careless in this area, and could cause irreparable damage if not managed with sufficient care.