In business, change is inevitable. The compliance landscape is also constantly evolving. Agile compliance ensures businesses move with these changes.
Business today is dynamic. It is changing minute-by-minute and second-by-second. Employees, processes, technology, transactions, interactions, even business relationships are in a continuous state of movement.
At the same time, the regulatory and risk environment is constantly changing. There are 257 regulatory change events every business day in financial services coming from 1,217 regulators worldwide.
The challenge for compliance professionals is becoming agile. An organisation needs an agile compliance programme to manage all this change and to ensure that it remains compliant with laws and regulations, and with its own values, ethics, and ESG commitments.
Being knowledgeable about the law and regulation is not enough if a business process has changed and is no longer compliant, if an employee was not trained properly, or if that employee failed to acknowledge a critical policy.
What is agile compliance?
Agile compliance is about embracing compliance as the bastion of the organisation's integrity. It ensures that the organisation can reliably achieve objectives amid uncertainty and change while maintaining its values, ethics, and obligations. It involves moving beyond minimum requirements and checklists to embracing the principles, values, and ethics the organisation is trying to achieve.
Compliance agility requires attention to four key areas:
- Compliance Strategic Plan
- Compliance Reporting Processes
- Compliance Information Architecture
- Compliance Technology Architecture
How do you deliver agile compliance?
Compliance agility is more than being resilient; it is the capability to maintain compliance amid change with risks and uncertainty hurled at the organisation from all directions.
Resilience is the ability to recover from a negative event with minimal impact. Agility is the ability to see what is coming at you, such as scanning regulations and risks on the horizon and preparing the organisation to navigate the environment and remain compliant.
I spoke at length on this subject at Skillcast's Transforming Compliance Summit.
1. Compliance Strategic Plan
Becoming agile begins with your compliance and ethics strategic plan. You cannot comply with what is not defined. Each organisation must have clear accountability for compliance, with a central head responsible for monitoring and reporting compliance.
However, compliance is a distributed effort as well. While it needs centralised oversight, it also needs federated collaboration and engagement across departments that play a part in compliance.
Compliance involves a breadth of areas (legal, accounting, IT, human resources, environmental, and health and safety, to name a few). As a result, it requires a clear charter for a cross-department compliance and ethics committee responsible for the overall compliance processes and reporting across these functions and roles.
2. Compliance Reporting Processes
Organisations need to define compliance processes, with workflows and tasks, that can be managed and monitored continuously. They should clearly define the metrics, the information needed, when and how to gather it, the reports to deliver, and whom to deliver those reports to, both internally and externally.
This process starts with identifying compliance-related risks and the metrics needed for compliance monitoring and reporting. It then identifies where and how this information is collected, and assigns scheduled responsibilities for gathering the information and compiling it for reporting.
From there, reports are reviewed, refined, and delivered to the appropriate stakeholders inside and outside the organisation. Core compliance processes include policy management, communication, attestation and training, whistleblowing, incident reporting, investigations, case management, and more.
3. Compliance Information Architecture
Delivering compliance reporting requires a robust compliance information architecture that breaks out and defines the detail needed for each area of compliance risks and obligations.
The organisation should establish clear and actionable compliance key performance indicators (KPIs) and key risk indicators (KRIs) for each element of compliance reporting for ongoing and continuous monitoring. Each compliance domain/risk area should have defined owners and subject matter experts.
4. Compliance Technology Architecture
A robust compliance technology architecture operationalises the compliance strategic plan, processes, and information architecture, supporting accurate and timely compliance.
Technology makes compliance management, monitoring, and reporting more efficient (time and money saved), effective (accurate, fewer things slipping through cracks, thorough), and agile (keeping up with business and regulatory change to ensure compliance is relevant in a changing business).
Technology supports compliance accountability and responsibility structures through defined workflows and tasks, preventing things from being missed. It automates the reporting process, removing the hundreds of hours spent on manual compliance reporting and assessments, reconciling and aggregating information scattered across mountains of documents, spreadsheets, and emails.
How to stay agile
The writing is on the wall. Organisations need to rearchitect and realign their compliance strategies and architecture to address the needs of a dynamic, distributed, and disrupted business environment to be agile and maintain compliance amid uncertainty and change.
Compliance agility allows organisations to arm themselves with foresight and the ability to respond to shifts in the regulatory environment. Agile compliance is the foundation of resilience and adaptability in an ever-changing world of laws and regulations. Staying agile paves the way to staying compliant. This is the future for all organisations.
About our guest author
Our guest author is Michael Rasmussen of GRC 20/20 Research, an internationally recognised authority on Governance, Risk Management, and Compliance (GRC). His expertise covers enterprise GRC, GRC technology, corporate compliance, and policy management.
Using his 28+ years of experience, Michael helps organisations improve GRC processes, design and implement GRC architecture, and select effective, efficient, and agile technologies. Sought-after as a keynote speaker, author, and advisor, he has been called the "Father of GRC", having been the first to define and model the GRC market in February 2002 while at Forrester.
Looking for more compliance insights?
If you'd like to stay up to date with best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech, and RegTech news, subscribe to Skillcast Compliance Bulletin.
To help you navigate the compliance landscape, we have collated searchable glossaries of key terms and definitions across complex topics, including GDPR, Equality, Financial Crime and SMCR. We also track the biggest compliance fines, explaining what drives them and how to avoid them.
You can follow our ongoing YouGov research into compliance issues, attitudes and risk perceptions in the UK workplace through our Compliance Insights blogs.
Last but not least, we have 80+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, handouts, posters, training presentations and even e-learning modules!
If you've any questions or concerns about compliance or e-learning, please get in touch.
We are happy to help!