How do you shape your risk and compliance program to create a risk-aware culture?
Compliance has traditionally been the driving factor behind many risk management initiatives within GRC, but risk and compliance are approached from very different perspectives. The scope of the various jurisdictions and layers of regulatory authorities can be overwhelming and can quickly expand beyond your resources. Starting broadly, first review the applicable laws based on your geographic location: your federal regulations as well as those of local jurisdictions. From there, identify what additional territories you operate in, what industry-specific rules apply to your operations, what context-relevant authorities apply to activities such as messaging or transporting goods, and finally which voluntary certifications or company initiatives help support your business objectives.
Realize the Scope of Compliance Authorities
For example, a customer could initiate a transaction through a point of sale system online, in person at a store counter, or through a company’s call center. Building an appropriate and effective governance model requires outlining which applications, policies, and teams are involved in each point-of-sale process, the volume of sales for each method, and the regulations that each process is subject to.
You may measure activity against a single standard for all three business processes to meet your operational and regulatory requirements. In contrast, other circumstances may require a specific policy and a unique set of controls for just one method. In this example, there are unique guidelines specific to exchanging payment processing data, in addition to those governing customer interaction and experience.
Use Compliance Regulations for External Context
Most enterprise-level businesses have a dedicated research team to identify applicable regulations and proactively address compliance needs relevant to their organization. Realizing the extent of your regulatory parameters is a critical piece of understanding potential impacts on your business and the severity of any particular activity. There are several research solutions available that track and monitor updates in regulatory actions the same way that an internal research team would. How can your business use this information in real time to unify risk and compliance efforts? Can you leverage readily available information to select an appropriate risk score, prioritize remediation efforts, or apply a cost-benefit analysis to decide the best path forward for your business?
Balancing Risk and Compliance
Beyond external regulation, what additional conduct mandates does your company policy institute to foster positive business outcomes? Evaluating the scope of your corporate policy against your digital presence and operations is the key to building the foundation of a proactive IT Risk Management program. Taking this perspective, you can evaluate optimal business outcomes when making strategic business decisions.
Eliminating the physical call center with an automated order processing service will change your risk and compliance landscape in this scenario. If the call center was outside the territorial reach of your existing operation, you might have eliminated the need to report to or adhere to those jurisdictional requirements. You have also changed the customer experience, so while you’ve optimized your compliance obligation, the risk of your customers not completing a proposed transaction could result in a lost revenue opportunity.
A Risk-Based Approach
The compliance landscape is shifting, with new initiatives changing the perspective on how companies are measured today. Ethics and corporate social responsibility are top of mind for board members and executive teams. Ensuring that operations are well intended and cause minimal to no unnecessary harm, even if unintended, is the ultimate goal and directive guiding proactive risk management programs. Leading companies that have successfully implemented this approach and changed the culture of their operations accordingly find that it translates into an umbrella safeguard addressing the majority of their compliance and risk obligations.
Implementing this practice is an all-hands effort: it can be difficult to define at the leadership level, and more challenging still to translate downstream and put into effect in business operations. If your risk management program is new or emerging, compliance is a well-defined and easy place to start that people across your business activities can understand, but this rarely translates into a valuable initiative for first-line business functions.
Review our blog on integrating processes across your risk management framework to standardize and establish measurable baselines to review activity in terms of your risk exposure.