Issue and Incident Investigation

By Tim Strong and Shaheen Javadizadeh

With compliance staff vastly outnumbered by employees, the challenge is to leverage the resources that are available to most effectively promote a compliant culture. The key is to create a proactive and connected compliance program and the supporting infrastructure framework that is nimble enough to monitor and respond to changing regulatory and internal requirements. Experience has shown that organizations that implement a comprehensive and proactive compliance framework are more prepared to appropriately mitigate risks in a timely and systematic manner.

The following are common components of proactive frameworks:

  • Identifying and evaluating organizational risks
  • Embedding policies and controls
  • Communication, education and automation
  • Investigating issues and incidents
  • Monitoring and measuring effectiveness
  • Internal and external reporting

On the technology side, the similar goal of a unified platform that supports the processes within a proactive framework has become critical to operational success. Organizations that acquire or develop technology platforms that can support these processes and easily scale and change with regulatory or internal requirements have been the most successful.

Unified GRC technology platforms must effectively manage all of the following processes and data:

  • Risk factors
  • Risk assessments and rankings
  • Internal audits
  • Issue and incident investigation and escalation
  • Policies and procedures
  • Programs and training

What we have described is an ideal state for organizational GRC management. The path to this ideal state is littered with roadblocks, such as distractions within business units and cost scrutiny from executives. While many organizations have struggled to unify and optimize both process and supporting technologies, a few have succeeded by using high-profile events to jumpstart their activities, thereby bridging the gap between top-down and bottom-up compliance programs. If successful, the momentum created and learning generated will benefit future compliance initiatives.

One process that is a great candidate for centralizing, in organizations with sustainable supporting technology, is issue and incident investigation. Standardizing and centralizing this process, in conjunction with the implementation of technology automation, can be leveraged as a building block for an effective GRC process and technology framework.

Most organizations do have a mature triage investigation process. The process often focuses on identifying the root cause of the issue, which often reveals failures in the following areas:

  • Policy issues: lack of or failure to comply
  • Procedural failures
  • Control deficiencies
  • Training or certification deficiencies

Organizations are often capable of coming up with corrective actions when faced with a crisis. Those recommendations, while appropriate for this single event, are often isolated within a single business unit and do not contribute to global solutions. Therefore, compliance professionals who centralize incident and issue investigation can have much greater visibility and insight into the trends and root causes, correlating directly to the inventory of organizational risks and facilitating proactive and informed prioritization of those risks.

The necessary glue to all of this is a unified technology platform that allows for visibility into the other processes so the connection points can be made between the root causes and corrective actions. We believe the launching point can be an effective issue investigation and root cause analysis solution.

Organizations today understand that compliance is no longer an option and must be woven into the fabric of their organization and everyday business processes in order to be effective. They also understand that the utopian GRC framework may be unrealistic during the first phases of their projects. One path to success lies in creating a centralized issue investigation and root cause analysis program while focusing on high-profile issues and leveraging the tools for a more proactive, unified and sustainable compliance practice.

Tim Strong is a director at Duff & Phelps and can be contacted at tim.strong@duffandphelps.com. Shaheen Javadizadeh is Vice President of Sales at Mitratech. Contact Shaheen at sjavadizadeh@mitratech.com.