Strengthened regulatory enforcement standards and the promise of improved business performance are transforming and elevating the role of enterprise governance, risk and compliance (GRC) management. Yet, without a clear understanding of the hidden costs of an ineffective approach to GRC and the rewards that await the well-run enterprise, organizations are at risk to materially overspend and underperform. Too many companies are taking a fragmented and inconsistent fire brigade approach to managing the compliance function - regulation by regulation. This has proven to be both expensive and ineffective. Increased demands for measurement of compliance programs by both boards of directors and regulators have heightened the need to develop a centralized approach to GRC management for all related processes. This article assesses the forces behind these changes and introduces a technology-based approach to compliance management that directly maps GRC tasks and operations to the standards and sentencing guidelines used by regulators, auditors and the courts.
The Stick: Regulatory Enforcement Standards
The federal government has passed several new statutes that are driving a fundamental shift in how companies view the management of compliance. HIPAA, Graham Leach Bliley, the USA Patriot Act and, most notably, the Sarbanes-Oxley Act have forced large companies to focus on compliance management as a strategic imperative. Companies must comply and therefore manage against multiple statutes and regulations simultaneously over multiple business units and jurisdictions. However, the good news is that the U.S. Sentencing Commission has recently clarified their sentencing guidelines to remove any confusion as to the enforcement standard for an effective compliance program - regardless of the specific regulation under consideration. Companies need to focus on this standard, tie their compliance management initiatives to it and be able to explain how they have done so when they come under regulatory enforcement scrutiny.
Figure 1: Future Technology Nervous System for Enterprise GRC Management
What Matters Most: Who Judges and How
Internal auditors, external auditors and regulators will form their own views on an organization's compliance efforts. When it is time for this compliance management effort to be judged by the courts, it will be the court's opinion that counts and no other. While the specific regulations for HIPAA, Sarbanes-Oxley, etc. are obviously unique, the common thread that runs through all of them is that each is externally audited and, when necessary, adjudicated in the same court systems. While many organizations are tempted to tailor a compliance program for each regulation, the simple fact is that there is one standard for compliance that is applied by the courts. Because the regulators and the courts determine penalties based upon a common set of sentencing guidelines, those guidelines naturally emerge as an organizing principle that can dramatically simplify compliance management and reduce the risk of penalties.
More specifically, the United States sentencing guidelines provide for substantial reductions in fines based on "effort to comply," as long as the effort is communicated in ways enforcement agencies and the courts can understand and measure. In other words, being prepared for regulatory scrutiny can save millions of dollars in lost resources, sales and fines. "Being prepared" means tying GRC efforts to the published enforcement standard.
The enforcement standard is not a complex legal tome filled with legal jargon; it is a conceptual framework composed of seven basic elements.1 Make no mistake - auditors, regulators, prosecutors and judges are all intimately familiar with the "seven(teen)" elements of an effective compliance program. The seven elements can be summarized as follows:
- Define and document policies, procedures and controls.
- Demonstrate a commitment from the top of the organization including high-level oversight of compliance programs.
- Use due care in delegating authority throughout the organization.
- Effectively communicate and prioritize compliance policies, procedures and controls.
- Audit, monitor and report ongoing efforts including the establishment of a whistleblower system.
- Uniform enforcement and remediation.
- Ongoing process improvement to prevent further/future offenses.
According to Pricewaterhouse-Coopers, "If you are serious about doing compliance and not just window dressing, you have to do the seven steps."
Surprisingly, few in compliance management and IT have ever heard of this standard. In a recent poll by Axentis, Inc., fewer than five percent of more than 100 people polled in compliance management had heard of this standard, and even fewer in IT know that it even exists. Yet often these are the people charged with defining a corporate strategy to manage this effort.
The best practice for GRC management that has emerged begins with defining a framework approach that will meet the enforcement standards and also impose a discipline on the organization to define a road map that both compliance managers and IT can understand. To be effective, a GRC framework must:
- Define criteria against which compliance projects will be internally measured.
- Provide a means to define internal audit standards that will align with external audit standards.
- Operationalize the seven steps of an effective compliance program.
Organizations that can demonstrate that they have applied the seven elements to their compliance process are unlikely to ever see the inside of a courtroom. They will see reduced fines and will operate on a "principle of least surprise" that will be appreciated by employees, compliance managers, auditors and regulators.
The Carrot: Creating a Real-Time Business Performance Road Map
While compliance management initiatives are typically conceived as defensive tactics to appease auditors and regulators, the good news is that a GRC framework mapped to the seven elements can also serve as an effective management tool able to drive better operational performance, improve quality and ultimately increase a business' valuation.
Many involved with their organizations' Sarbanes-Oxley Section 404 compliance project are realizing that both documenting internal controls and defining which are material drives clarity as to where the risks are in the business and where the gaps are in the internal control framework. This epiphany is bound to improve management effectiveness. Anecdotal evidence of business process efficacy is being displaced by a quantifiable dashboard whose primary purpose is not compliance but the empowerment of management teams to make better decisions on allocating resources and otherwise take business risk. Organizations are quickly realizing that compliance management and business intelligence are closely linked.
Early published analysis is putting hard numbers behind these early observations. The General Counsel Roundtable found that each additional dollar of compliance spending saves organizations, on average, $5.21 in heightened avoidance of legal liabilities, harm to the organization's reputation and lost productivity.2
GRC Management: An Enterprise Application Unlike Any Other
GRC presents a number of unique and challenging requirements that call for special consideration. To be consistent, efficient and effective, a compliance system must touch each employee, partner and customer. It must monitor every process and have some level of integration with all business applications and systems. Yet, compliance is clearly a minority component in the vast majority of use cases and, therefore, cannot dominate a user's experience or constrain the operations of core enterprise systems such as enterprise resource planning (ERP), customer relationship management (CRM) or HR. Integration, security, authentication and scalability requirements place it squarely in the enterprise technology space. Highly specialized processes, lightweight user access and contextualized document and content creation, management and delivery tied to specific regulations and sentencing guidelines bring GRC management systems into the vertical application arena.
The tension between enterprise infrastructure and application requirements is behind the popular perception that compliance management is an IT burden. The fragmentation of compliance activities across business functions, applications and roles makes compliance performance difficult to measure and to monitor.
Conversely, when a centralized approach can be implemented in such a way that ongoing operations are not interrupted or unduly altered, compliance management quickly becomes a real-time window into ongoing operations and an impressive business performance utility.
According to David T. Wittman, chief compliance officer at First Data Corp., "Through experiences gained in enforcement and corporate compliance leadership positions, the formula for effective compliance has emerged in the form of three simple components: commitment, process and frequency. Much has been written and talked about regarding leadership commitment as the foundation of effective compliance, but implementation approaches are just now emerging. Experience tells us that implementation is largely dependent on managing compliance as a process, not a project. The U.S. Sentencing Commission agrees and just strengthened the enforcement standard that applies to all compliance processes. Learn it, and use it, for effective compliance. The last component, frequency, is the ultimate key to creating truly ethical and compliant organizations. A varied, constant flow of information and reinforcement slowly drives ethics and compliance process into the fabric of a company."
Figure 2: The Seven Elements of an Effective Compliance Program
Implications for EAI, Middleware and ECM Providers
As a strategic approach is adopted, purpose-built applications that focus on one regulatory issue such as Sarbanes-Oxley will become obsolete. French Caldwell, research vice president at Gartner, states that "enterprises that choose one-off solutions for each regulatory challenge that they face will spend 10 times more on compliance projects than their counterparts that take a proactive approach."3 According to John Hagerty of AMR Research, "Sarbanes-Oxley has raised the specter of compliance to a new level as it moves from a tactical response to a broad-based strategic plan ... Companies are now beginning to plan for managing multiple governance and compliance initiatives in a systemic and repeatable manner at an architectural level."4
A framework approach to GRC management will allow both existing technology and new technology to be quickly tied into a consistent methodology for managing governance, risk and compliance, driven by a focus on market-driven conceptual methodologies such as the COSO framework, Basel II and Turnbull. This GRC framework must allow for tactical compliance projects to be completed by the various business units within a strategic vision that will allow for centralized oversight with delegated day-to-day management.
Most companies are not ready for this type of approach and will continue to buy point solutions in a race to meet deadlines. However, focusing IT on making sure that these point solutions can be leveraged to other compliance activities and processes is critical. IT must also focus on how well these point solutions can be connected to the rest of the future-state GRC framework. In one or two years, organizations will be ready to transform this function, and the effective integration to numerous existing systems will be required. EAI and middleware providers will benefit, as well as the process- and systems-oriented consultants who understand the potential to turn compliance to a true driver of business performance.
In the meantime, the next wave will be integrating business performance management and document and content management-focused compliance systems into an operational risk compliance central nervous system and then to business intelligence. When this is in place, the incremental addition of other systems and applications over time will allow effective enterprise-wide data mining, resulting in a real-time governance, risk and compliance program.
Next Generation Compliance Management
Imagine the day when corporate agility is driven by compliance management. For example, the ability to make acquisitions will rely on an effective compliance system. One will need to not only effectively assess any operational and reputation risk from a possible acquisition, but also, once the acquisition is complete, the effective and efficient integration into a cohesive governance risk and compliance system will be a critical driver of success. A compliance culture often drives corporate culture, and corporate leaders are beginning to use compliance as a leadership tool to drive their organizations to a single culture, one with process discipline and measurement.
In the end, every large organization will need to transform the way governance, risk and compliance is managed. There will be early, middle and late adopters, often driven by the regulatory scrutiny specific to particular industries. Regardless, it will be a competitive disadvantage to manage this activity the same old way. The capital markets are already punishing corporations with poorly run compliance programs. According to a study by McKinsey, 57 percent of institutional investors base their investment level in a company on the quality of its corporate governance.
IT needs to get on board and be viewed as a strategic partner in driving this process. IT must become current in the lexicon of compliance managers. They will then be able to reconcile the apparent paradox that compliance management cannot meet the demands of every constituent: senior management, regulators, capital markets, compliance managers and IT themselves. In fact, as in so many other cases, it will be technology that will enable compliance to reach its full potential as a driver of increased productivity and corporate agility in a dynamic market driven by globalization and the requirement to operate in multiple compliance jurisdictions seamlessly.
- In March of 2004, the Ad Hoc Advisory Group to The U.S. Sentencing Commission amplified and strengthened the seven elements with ten supplementary points of clarification intended to eliminate ambiguities and to synchronize the guidelines with Sarbanes-Oxley and other emerging regulatory requirements. The new guidelines will be submitted to Congress, and will take effect November 1, 2004, unless Congress disapproves them during a six-month review period.
- "Seizing the Opportunity, Part One: Benchmarking Compliance Programs," copyright 2003, Corporate Executive Board, General Counsel Roundtable.
- Gartner says enterprises implementing Sarbanes-Oxley "Quick Fix" solutions in 2004 will no longer use those systems by the end of 2005. April 14, 2004.
- "Planning For a Sustainable Active Compliance Architecture," Thursday, February 26, 2004.
Register or login for access to this item and much more
All Information Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access