School is back in session, fall has begun, and we are approaching the start of Q4. Organizations of all sizes are finishing their financial plans for 2016 and likely conducting end-of-year housekeeping on projects and initiatives. This is a great time to dust off your approach to managing compliance with a program management discipline. In this two-part blog series, I’ll focus on best practices for structuring your compliance programs, and on how to ensure executive support and mature the culture of compliance.
Structures for Compliance Programs
Each area of compliance has different expectations for what activities must be performed on an ongoing basis. While regulatory expectations are growing, there are common elements that can be leveraged with repeatable processes. Non-regulated organizations may adopt compliance programs simply for brand protection or good corporate governance. However, given the scale of regulatory oversight and the broadened areas of compliance for banking organizations, risk and compliance teams can feel overwhelmed by both the complexity and the workload of managing compliance. Whether you are managing compliance for privacy, remote deposit capture, or consumer protection, there are synergies in having standardized methodologies for risk assessments, management reporting, and compliance documentation. Leveraging common approaches also enables stronger communication with executives and lines of business, who then see the same formats in how risk and compliance are communicated within the organization.
Focus on a risk assessment, and ensure you draw on resources from multiple levels within the organization. In many cases, the people closest to the day-to-day operations can spot issues or gaps, but may not be the best resource to quantify the implications for management. A cross-functional viewpoint in conducting a risk assessment can be effective in ensuring that no one has “blinders on” when looking at the risks.
- Governance: Set realistic expectations for the governance committees and approvals. Process maturity can help with advancing decision making, but don’t create too many layers of approvals that burden the objective of the governance process.
- Policies, Standards, Procedures: Good policies are written in such a way that the compliance goal or objective is clearly understood in simple terms. Avoid putting too much operational detail into “how” you meet the objective, as controls evolve and you don’t want operational differences to create auditable compliance gaps. Focus on the “Whats”; let the standards and procedures convey the “Hows”. It is also critical that employees and executives understand the risks and implications of non-compliance – the “So Whats?”
- Education, Training, & Awareness: Recognize that while some compliance topics are appropriate for all employees, you may need to have layered training based on level of risk or accountability. Make the message personal and actionable so employees can understand in the scope of their job what they are being held accountable to do.
- Monitoring & Auditing: Don’t take the needle-in-a-haystack approach and overengineer your compliance auditing efforts. You want your risk and compliance teams focused on the higher-risk compliance areas, spending more of their time on the risks that can have the greatest impact. Document your assumptions for the monitoring approaches you took, and note where you can leverage risk assessments across different compliance areas if there are common controls.
- Complaint & Incident Management: Monitoring the right metrics can help you identify leading indicators of a compliance issue. Ensure that you have defined escalation processes for complaints and incidents to get the right attention at the right levels in the organization.
Effective compliance programs need to be tailored to each organization based on its risk appetite, but also embedded in current organizational structures. While “compliance in a box” sounds like a great idea, managing risk requires empowered and informed leaders to apply risk and compliance strategies to how they operate or conduct their business. Effective compliance program structures balance the impact to the organization with the likelihood of the risks.
Linnea Solem is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation and a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.
Reposted with permission from Deluxe Blogs