Transforming Compliance Burdens into Better Business Returns

There is a quiet revolution underway inside board rooms and executive management suites; principles of accountability, transparency and improved financial performance are being translated into demands to quantify and measure as much operational activity as possible and to correlate that activity to the business plan. The larger and more complex the businesses are, the greater the sense of urgency (or even anxiety). Operational mandates are being handed down to better plan activities across the business, ensure proper measurement of those activities and to have the mechanisms in place to appropriately adjust targeted activities to yield better business outcomes - higher revenue and lower costs all within a defined level of risk.

The Business Paradox of the Decade

There are two conflicting drivers of this revolution (with the foundation, as always, being the normal demands of the capital markets to deploy capital most efficiently and with the highest return at the lowest defined risk). The first is globalization and the free flow of capital to lower cost countries. The second is enhanced demands by the capital markets for transparency and for better measurement of a business' risk versus other outlets for that capital.

Globalization is driving increased complexity in business. This is manifested in many ways. For example, many companies are pressured to outsource manufacturing or IT to China or India, despite apparent higher risk to intellectual property security. With any such outsourcing, there is the upside of lower direct cost but higher risk, which can result in higher indirect and unquantifiable cost.

The second driver is the higher demand for transparency, which is the need to quantify to the highest level possible what the risk of any business activity is relative to the upside that activity presents. This is manifested in a high level of punishment for any business that does not properly manage expectations of the capital markets for its relative risks and returns.

This business paradox is placing an increasing burden on corporate management to better plan, execute and measure in real time what is occurring in their many business activities. The paradox for these managers is that one of these drivers, globalization, is driving higher complexity into their business, making it harder to predict and plan, while the other, transparency, is demanding that planning and predictability actually improve. What is a CEO to do?

Help from an Unlikely Source: The Compliance Burden

The tension between complexity and transparency is driving a permanent shift in the role and even the very definition of compliance management. The increasing burden of regulatory compliance (direct cost, required resources, potential opportunity cost and the increased risk of negative results to reputation) has had the immediate impact of increasing business risk. Yet, paradoxically, the increasing compliance burden is forcing businesses to develop significantly more effective ways to manage the myriad process and reporting requirements stemming from "the burden." What is becoming clear is that through the development of more effective ways of managing compliance requirements, businesses are unexpectedly reaping material benefits to the ways and means of managing their business - of balancing the demands of complexity and transparency.

Compliance has, to most, been about policy and training management. It has been focused on creating an audit trail showing that the business makes a reasonable effort to define regulatory-driven policy and communicate it to employees. What has been lacking is process discipline and measurement to ensure that these policies are really made operational through repeatable, sustainable and continuously improving documented operational procedures. The lack of predictability and accountability has resulted in an environment where data that may indicate compliance failure cannot be readily detected, and gaps (failures) cannot be remediated in a timely fashion. Beyond early incident detection and response, poor controls also result in a lack of business leverage because without measurement, processes that work cannot be identified and replicated, and less efficient approaches cannot be isolated and improved. Synergy and economy of scale are lost.

Further, compliance management has traditionally been seen as a series of tactical projects, resulting in silos of activity that do not align with any centrally defined organizing principles around how people, process and content are managed. This further impedes any attempts at efficiency and, more importantly, makes it extremely challenging to communicate activities and results to regulators in consistent ways that they will understand. This starts to sound pretty generic and has less to do with regulatory compliance and more to do with how to run a business well. It starts to sound like a business intelligence problem.

Figure 1: The Healthy Business

The key to leveraging compliance management investments to the even higher purpose of improved business performance is to more broadly apply recent advances in compliance management to operations where similar improvements in transparency and process distribution promise to yield material returns.

Sarbanes-Oxley is Different

Compliance is raising business management shortcomings to the CEO and the board through regulatory mandate. Specifically, the Sarbanes-Oxley Act (SOX) has done this in a way that is distinct from earlier regulations. SOX includes both guidelines for proper behavior and a mandate to institutionalize documented controls, lines of communication and preventative measures to discourage future offenses as well as rapidly detect and correct gaps when they should occur. This begs two questions: Why did it take an act of congress to force the most sophisticated companies in the world to document material internal controls, and why is documenting financial controls any more fundamental than manufacturing controls, R&D controls or marketing and sales controls?

SOX has inspired an epiphany for those who chose to look beyond specific sections and deadlines. Leading global organizations are already acting on the realization that the disciplined organizing of people and process and the associated content in a way that not only conforms to requirements of the regulators, but also improves business intelligence, is only incrementally more effort than strict compliance management, yet offers an ideal means to dramatically improve business performance while directly addressing the demands of both increased transparency and complexity. SOX forces companies to define a framework for financial controls, and these organizing principles can be extended to any other activity that matters.

A control framework is a written plan for how a function will perform as a collection of organized and hierarchical processes that can be tied to any authority matrix, even when that matrix does not conform to the traditional reporting structure of the business. A control framework includes both structured and unstructured data, and transactional and behavioral processes as they interact in the company.

The healthy business recognizes both the inherent conflict and codependency of operational complexity and the requirement for improved transparency as well as the dual role of an effective risk management framework to drive both compliance and operational excellence.

At a recent meeting with a Global 50 client, the client told me that: "Sarbanes has been tough love, but now we see the opportunity to transform how we at corporate interact and bring value both to our operating units and from them to us at the corporate center. We are going to be able to evolve this federation of business units over time and constantly improve how we run our global business in a way we could not before." Synergy will become apparent, and businesses that do not fit can be sold with confidence in the knowledge that they do not fit.

What many companies are missing is the inclusion of this long-term thinking in how they are attacking Sarbanes-Oxley. For most, it is another regulation to be attacked one-off. Yet SOX presents an opportunity to create a disciplined approach to organizing around a problem. That problem can be driven by regulation or for any good business reason. More importantly, it forces an operational risk approach that includes the ongoing assessment and testing of relevant control frameworks.

This is not an ideal or theory. Leading companies are doing this now - albeit in measured incremental steps, but with an eye to the long term. Companies see that they can attack key process groups, whether manufacturing, R&D, marketing and sales, G&A and certainly IT. Ultimately, companies that can truly move to an operational risk approach most effectively will perform best and will have the greatest value. Many companies are muscling through their first cycle with Sarbanes-Oxley out of necessity. These companies will be able to take advantage of this opportunity in 2005 and beyond.

This is a race to quantify the business ecosystem and to the extent organizations get a head start, given the steepness of the learning curve and the opportunity to constantly improve, look for early adopters to realize substantial benefit over their competition. Every CEO should be challenged to speak the language of operational risk management; it will make compliance management moot and business performance the driver for every decision, whether regulatory driven or not.


Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access