Making the most of compliance
With the pressures of globalisation, liberalisation of local markets and growing competitiveness, legal compliance is often overlooked. Martin McGuinness looks at the benefits of integrating it with risk and process management
Compliance means knowing what the rules of the game are and sticking to them. Knowing that there are rules, and penalties for breaking them, gives rise to business risk. These risks come from the environment in which an organization operates and the objectives it sets itself within it. They are therefore a direct product of activity within that environment.
These risks are directly related to organizational objectives and to the appetite for risk in the marketplace, which leads to the development of key performance indicators and, at an activity level, to performance indicators. In today’s environment, risk arises from an ever-increasing amount of legislation. Each piece of legislation dictates its own set of rules and in turn provides a focus of interest for individual stakeholders. Managing these varied relationships requires the development of an internal control system designed to ensure:
- effectiveness and efficiency of operations
- reliability of company reporting
- compliance with applicable laws and regulations
Compliance therefore dictates that an organization must have knowledge of relevant legislation and know the most significant risks facing it. Ignorance of the law is no defence. Interested parties are not only the directors of the company who will ultimately be responsible for non-compliance, and the various regulators who want to know that their rules are being implemented, but also financial investors, partners and insurance companies. In fact, all stakeholders want to know that their investments, liabilities and other interests are not likely to be adversely affected by an organization’s potentially negligent activities.
Achieving compliance
With the focus on ensuring that an organization’s reputation remains intact, how does it guard itself against non-compliance and ensure that it has been, and will continue to be, compliant with the rules of the game? A compliant organization is one in which relevant, verified data is available to demonstrate achievement of business and regulatory objectives. This requires a management information system that ensures information is appropriate, timely, current, accurate and accessible.
To know that it remains compliant, the organization needs competent staff operating within defined policies and processes and producing the required evidence. In addition, self-assessment and independent verification activities should be designed into these processes, with the whole programme subject to formal continuous evaluation. Remaining compliant in the long term requires an intelligence operation that allows the organization to react quickly to changes in the market, identify the activities affected and promptly address new risks arising from the operating environment. This calls for the development of clear policies, processes and subsequent controls. The types of controls implemented will vary with the organization’s size, complexity and operating environment and can take any of the following forms:
- senior management reviews against organizational objectives, critical success factors and key performance indicators
- functional or activity management, self-assessment and reporting against process performance indicators
- assessment of information control systems to ensure the required security and accessibility of data
- segregation of duties for critical activities
Risk, rules and processes
Business risk is a direct product of activity within an organization’s chosen marketplace: less activity means less exposure to risk. The activities of an organization are always defined within its business processes, and therefore their importance within the context of compliance management must never be underestimated. Without well-defined and consistently applied processes, an organization leaves itself open to the risks arising from non-compliance, which in today’s marketplace can mean loss of reputation and revenue and a lower share price.
Defined processes are important as they are the means to achieving the organization’s objectives. They are there to support the achievement of the long-term vision and also to ensure consistent delivery of the mission. They are also the means by which the organization performs the activities designed to demonstrate compliance with the rules imposed on it from both internal and external sources, eg EU directives, national legislation and various product or service standards.
In addition, processes give purpose and meaning to individuals within the organization by defining in detail their roles and responsibilities within a process. This clarification of roles provides a clear demonstration of the division of responsibilities required by international legislation such as Sarbanes-Oxley. Processes also describe the interactions between individuals and groups, allowing a much clearer understanding of the internal customer relationship cycle. The development of defined, compliant business processes also satisfies the statutory obligation to provide adequate information allowing employees to operate within an acceptable risk environment. Finally, processes are the conduits for managing data and knowledge: they describe its routing and manipulation and guide users to exactly where it is stored.
Achieving true integration
In order to achieve true integration of rules, risk and business processes, the set of rules applicable to an organization needs to be defined. This determines which policies are required and where within the processes the activities designed to ensure compliance need to sit. Remember that an individual process often demonstrates compliance with a number of different rules, so the relationship between all rules and processes must be accurately mapped. This mapping also provides a clear path to where evidence of compliance is stored.
The next step is a critical review of the organization’s business processes to identify risks. These risks should be considered against the control activities that mitigate them, resulting in an acceptable residual risk. Once identified, risks should be aligned not only with activities but also with the originating rule, to show that full consideration has been given to the requirements.
According to the Institute of Risk Management: ‘This process allows the risk to be mapped to the business area affected, describes the primary control procedures in place and indicates areas where the level of risk control investment might be increased, decreased or reapportioned.’ Mapping out processes, aligning these processes with the rules and identifying risks against activities within the process satisfies a number of requirements, both statutory and business related, and lifts the subject of integrated management systems to a higher level.
All levels of the organization benefit from this approach, as it provides a true line of sight between vision, mission and the individual’s role in achieving the organization’s objectives. Within the context of past, present and future compliance, it gives top management, and staff working in quality, health and safety, environment and operations, the assurance that adequate information is provided and is linked to clear controls on the various processes.
It provides integration across the myriad requirements, maps directly to the sources of data on performance against objectives, and defines responsibility for the individual activities that support those objectives, which ensures consistent performance of business activities. It also provides the agility required to react to market changes.
This approach creates a platform for change management and communication of change within the regulatory environment encountered, and ensures mapping to sources of definitive evidence in the form of accurate records providing auditability at any time.
In addition, it maps directly to sources not only of explicit knowledge but also of tacit knowledge. It does this by identifying individuals who hold the required qualifications and experience and who can provide reliable analysis and interpretation of the data produced by the process. This is vitally important in a world of ever-increasing requirements being managed by fewer staff, with the knowledge management implications that brings for training, retention and ongoing competency.
Within the context of enterprise risk management, this integrated approach provides top management with clear visibility of risk and its alignment with the activities of their organization, thereby ensuring clear ownership of risk. It puts risk and activity in context within a local, national and international legislative perspective and ensures that risk is managed within the organization’s appetite for exposure. Risk reduction is thus driven proactively through the process rather than by waiting for confirmation from auditors. In addition, it ensures that risk is considered at the highest management levels.
Achieving true integration is no mean feat, but it is one that all organizations must aspire to. In today’s world of globalisation, tighter national and international regulation, increased competition and higher stakeholder expectations, this sets a challenge for the traditional quality, safety and environmental management community.
Organizations must broaden their outlook on compliance and recognize that the policies and processes they are championing can have wider applicability.
They must educate themselves in the global aspects of business and in national and international legislative compliance. They must learn to achieve this integration or suffer the consequences when new requirements come along and the traditional, blinkered approach results in a whole new management system being developed that the business doesn’t want and, with stretched resources, can’t even implement.
About the author
Martin McGuinness is a senior business analyst with BusinessPort. For more information, email martinm@business-port.net or visit www.business-port.net