Compliance regulations are increasingly dictating the choices that businesses are making regarding revenue generation strategies across all sectors. As a result, strategies that focus on revenue streams are being directly impacted by the cumbersome technicalities of meeting the legal and privacy requirements of today’s compliance regulations.
The Health Insurance Portability & Accountability Act of 1996 (HIPAA) is a prime example of the growing tapestry of regulatory compliance. It affects players across a broad spectrum, including many not normally considered to be in the health care industry (banks, lawyers and accountants to name a few). HIPAA’s purpose is to “provide health care coverage continuity, ensure greater accountability and simplify administrative functions within the health care industry.” It reaches much farther than that and frequently results in complicating administrative functions, rather than simplifying them. Companies must now divert a substantial amount of resources away from the development of innovative solutions, and apply them to regulatory compliance and other legal requirements. While a necessary expense, compliance and legal departments are all too often viewed as dead weight, since they are perceived to provide no direct tie to the creation of revenue.
With that as a background, it is critically important to focus your compliance efforts on what really matters – ensuring that you are getting the information you need into your security, privacy, and fraud management systems as effectively as possible. Key to accomplishing this task is to incorporate your compliance and legal staff as part of the solution rather than part of the problem. This means that legal, compliance and risk management should be involved at the earliest stages of new business development. They should also be an integral part of every project team whose focus is on the development of new products and services.
To address this:
1) Conversations with legal departments have to become more equal. This means that executive level staff must gain a stronger understanding of the real risks and benefits of regulation and compliance. Familiarity will even the playing field and allow decision makers to listen and act from a point of understanding rather than from a place of fear. Bigger legal departments do not equate with excellence in compliance. In short, make sure that you ask the right questions when addressing compliance requirements.
a. Why was this requirement put into place?
b. How was it dictated (by what body)?
c. What is the cost versus the benefit of this requirement?
d. How does it affect other stakeholders?
e. Can I streamline this process through better workflow management or other technologies?
2) Compliance requirements must be considered at the earliest stages of new product/service development. Incorporating regulatory requirements into the planning stages of business development efforts allows them to become a seamless component of the development process. Thus, instead of later compliance reviews being seen as impediments to new business development (as they often impose new project requirements), compliance needs are simply another planned-for and anticipated element in the project development lifecycle.
The biggest benefit of effective compliance planning lies in gaining a stellar reputation with regulators, customers, and business partners. The product development process can be restructured in ways that support innovation. This includes a view of compliance as a component part of business development and innovation in which legal, regulatory, technology, and vendor risk management costs are viewed as a normal part of the business development process.
Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships. Follow Brad on Twitter at @SFGBrad