Blogs
2025: The Year of Stricter Corporate Governance—Is Your Organization Prepared?
- IT & Cyber Compliance
- 18 December 24
5 min read
Introduction
Corporate governance aims to ensure that companies are managed with accountability, transparency, and integrity. These frameworks evolve over time, with regulators changing and adding new rules in response to events in the macroeconomic environment. In 2024, the UK government updated the Corporate Governance Code, and the US Department of Justice updated the Evaluation of Corporate Compliance Programs. Here’s what the updates include.
UK’s Updated Corporate Governance Code
First established in 1992 by the Cadbury Committee, the UK’s Corporate Governance Code established Principles that stress the importance of good corporate governance and its impact on long-term sustainable success. In 2018, the Financial Reporting Council (FRC) issued some revisions focused on improving corporate culture, increasing board accountability, and fostering long-term value creation. Since then, the country witnessed a number of corporate scandals that highlighted the need for strengthening corporate governance frameworks. As a result, in January 2024, the FRC published the revised UK Corporate Governance Code (the 2024 Code).
The 2024 Code aims to “enhance transparency and accountability of public limited companies in the UK and support their growth and competitiveness.” Companies listed on the London Stock Exchange will have to start complying with the 2024 Code from 1 January 2025.
While the 2024 Code does not vary drastically from the 2018 revisions, it operates on a “comply or explain” basis. It presents five separate sections, each of which encapsulates some Principles and lays down some detailed provisions. Here is a short summary of each section:
- Board Leadership and Company Purpose: The board is responsible for defining a clear company purpose aligned with its values and strategy to drive long-term sustainable growth. This includes engaging stakeholders and shareholders to ensure transparency and integrity, aligning workforce policies with company values and goals, and monitoring company culture. It also empowers the board to take corrective action as needed.
- Division of Responsibilities: The UK Corporate Code emphasizes balancing power and oversight by clearly defining board roles. It advocates separating the chair and CEO roles to prevent authority concentration and ensuring sufficient independent non-executive directors to challenge and support management.
- Composition, Succession, and Evaluation: The 2024 Code outlines provisions for board structure, succession planning, and performance reviews. It calls for a diverse, skilled board, transparent succession plans, and regular evaluations of effectiveness.
- Audit, Risk, and Internal Control: The Code requires boards to implement transparent corporate reporting and robust risk management systems to safeguard assets and shareholder interests. It underscores the role of an audit committee in overseeing compliance and integrity.
- Remuneration: The updated Code stresses fair, transparent remuneration aligned with long-term goals, introducing malus and clawback provisions to recover payments in cases of misconduct, poor performance, or miscalculations.
What Must Organizations Do to Ensure Compliance with UK’s Updated Corporate Governance Code?
Compliance with the five sections of the 2024 Code is mandatory, with a focus on outcomes-based governance reporting. Key steps for aligning with the 2024 Code should include:
- Reviewing current governance practices to align with the 2024 Code’s principles and provisions.
- Assessing and monitoring organizational culture, ensuring it is embedded across the organization.
- A clear understanding by HR and legal teams to understand remuneration principles and establish clear compliance processes and policies.
- Developing a common risk and control nomenclature and collaborating with stakeholders to identify and record key risks, both existing and emerging.
- Documenting comprehensive risk management and internal control frameworks with clear processes for:
- Risk identification
- Risk and control assessment
- Risk mitigation
- Risk and control monitoring
- Issue management
The US Department of Justice’s (DOJ) Updates to the Evaluation of Corporate Compliance Programs (ECCP)
The US Department of Justice introduced the Evaluation of Corporate Compliance Programs (ECCP) in February 2017. It was built to be a set of guiding principles for prosecutors to use when deciding whether to prosecute an organization for misconduct. Since then, the ECCP has been updated and revised several times to incorporate evolving standards and address new and emerging compliance challenges. And in September 2024, the DOJ announced some updates to the ECCP. The 2024 updates introduce the following key points:
- Navigating Risks of Emerging Technology: The 2024 updates include criteria for companies to assess and manage AI-related risks and emerging technologies risks in their business operations and compliance strategies.
- Protecting and Encouraging Whistleblowers: The update focuses on encouraging and protecting whistleblowers and individuals who report misconduct. As per the update, the DOJ will assess how corporate policies and training programs encourage a culture of speaking out, how the organization treats those who do report misconduct, and how it protects them from retaliation. Organizations must ensure there are clear and accessible channels for reporting misconduct.
- Leveraging Data for Compliance: The DOJ will evaluate organizational compliance functions based on data access and the analytics tools available to leverage data to improve compliance processes.
- Lessons Learned: The updates to the ECCP expect companies’ training modules to include takeaways from previous incidents within the organization and other companies in the region or within the same industry.
- Compliance Integration Post M&As: The updates cover mergers and acquisitions (M&A) and highlight the importance of effective compliance processes in the post-M&A phase.
The 2024 updates to the ECCP also place greater emphasis on clear, comprehensive, and documented policies and procedures and consistent enforcement of policies and disciplinary measures where required. They also highlight the importance of third-party risk management and require organizations to ensure due diligence and monitoring of third-party risks.
What Must Organizations Do to Ensure Compliance?
To realign compliance strategies in line with the 2024 ECCP updates, companies must:
- Conduct comprehensive risk assessments, customized to industry and geographical operations
- Document policies and processes clearly to ensure seamless compliance
- Communicate policies to employees and ensure they understand the risks and mitigation strategies
- Provide continuous training with relevant use cases to reinforce compliance.
- Establish anonymous reporting processes for misconduct and protect whistleblowers from retaliation
- Enforce policies consistently, ensuring appropriate disciplinary actions are taken
- Conduct regular audits to assess program effectiveness and drive continuous improvement
Leverage data effectively to identify trends, detect issues, and proactively manage risks
How MetricStream Can Help
The MetricStream Corporate Compliance solution provides a centralized platform for overseeing various components of an ethics and compliance program, such as policy management, a unified library of compliance obligations, compliance assessments, surveys, third-party compliance, and case and incident management. The Regulatory Change Management product allows customers to automate the identification, curation, and extraction of relevant regulatory changes and obligations while mapping these obligations to policies, risks, and controls.
With MetricStream, your organization will be empowered to:
- Foster a positive ethics and compliance culture while driving policy adoption through a consistent communication and adoption strategy.
- Mitigate regulatory fines by proactively identifying risks, issues, and blind spots within the compliance framework and related controls.
- Ensure third- and fourth-party compliance with targeted compliance surveys and assessments.
- Enhance the efficiency of the compliance function by automating control assessments and testing processes.
Want to find out more? Request a personalized demo today!
Jump to Topic
Related Resources
Blogs
Navigating the NIS2 Directive: Essential FAQs for Compliance Success
- IT & Cyber Compliance
- 13 November 24
5 min read
Introduction
The NIS2 Directive, effective as of October 17, 2024, marks a significant milestone in the European Union's efforts to bolster cybersecurity. This directive is a crucial update from its predecessor, the NIS Directive (2016), expanding requirements and strengthening cybersecurity obligations for critical sectors across the European Union (EU).
The new directive has expanded scope, new risk management and incident reporting requirements, and stricter financial penalties. We answer some of the top FAQs on NIS2 to guide your organization through compliance.
What is the NIS2 Directive?
The NIS2 Directive is the EU's enhanced regulatory framework for cybersecurity network and information systems, setting a high common level of security to protect essential and important entities in sectors like energy, healthcare, digital infrastructure, and finance. These organizations are now required to implement stronger security measures to ensure resilience against cyber threats.
How Does the NIS2 Directive Differ from the Earlier NIS Directive (2016)?
NIS2 expands both the scope and depth of regulatory requirements. Key changes include:
- Stricter Cybersecurity Obligations: Enhanced security measures now apply across an expanded range of sectors.
- Extended Scope: The directive applies to medium and large enterprises, with a focus on critical infrastructure and suppliers, even if they are outside the EU.
- Incident Reporting Requirements: New timelines mandate that incidents be reported within 24 hours, with a follow-up report due in 72 hours.
- Increased Accountability: Leadership is held accountable for compliance failures.
- Stricter Penalties: Fines can reach up to €10 million or 2% of global turnover, whichever is greater.
Which Organizations Are Subject to NIS2?
NIS2 targets medium and large organizations, especially those involved in critical national infrastructure, with some exemptions. It applies to organizations with a minimum of 250 employees and €50 million in annual turnover for essential services, or at least 50 employees and €10 million in turnover for important services. Member states have the discretion to make exceptions for high-risk entities that fall outside of these parameters.
List of essential sectors covered under NIS2
- Energy (electricity, oil, gas, district heating and cooling, and hydrogen)
- Transport (air, rail, water, and road)
- Healthcare
- Water supply (drinking water, wastewater)
- Digital infrastructure (telecom, DNS, TLD, cloud service, data centres, trust service providers)
- Finance (banking, financial market infrastructure)
- Public administration
- Space
List of important sectors covered under NIS2
- Digital providers (online markets, search engines, social networks)
- Postal services
- Waste management
- Foods
- Manufacturing (medical devices, electronics, machinery, transport equipment)
- Chemicals (production and distribution
- Research
NIS2 regulations cover not only essential and important services but also extend to their entire supply chain. This means that subcontractors and suppliers, regardless of location, must meet the same security standards as required by NIS2.
What Are the Core Requirements of NIS2?
The NIS2 Directive mandates:
- ICT Risk Management: Proactive identification, assessment, and management of cybersecurity risks.
- Supply Chain Security: Organizations must assess and manage risks from third-party vendors.
- ICT Incident Reporting: Timely and structured reporting of incidents, with specific deadlines.
- Corporate Accountability: Leadership is directly responsible for compliance.
- Business Continuity: Robust business continuity and resilience plans are essential to maintain operations during disruptions.
What are the Incident Reporting Timelines Under NIS2?
Under the new essential and important entities must notify any incident with significant impact without undue delay.
- Within 24 hours: An early warning, including initial assumptions about the incident type, should be sent to the competent authority or CSIRT.
- Within 72 hours: A full notification report is required, detailing the incident assessment, severity, impact, and indicators of compromise.
- Within 1 month: A final, comprehensive report must be submitted.
To streamline this process, the Directive encourages Member States to:
- Simplify incident reporting through a single-entry point, minimizing administrative burdens
- Facilitate easier reporting for cross-border incidents within the EU
Does NIS2 Impact Non-EU Companies?
Yes, NIS2 also applies to non-EU companies that provide essential services within the EU. Sectors like healthcare, digital infrastructure, and transportation are particularly impacted, even if services originate outside the EU.
What is the Role National Governments in NIS2 Compliance?
Member states oversee enforcement by designating authorities to monitor compliance, enforce penalties, and ensure that all organizations within their jurisdiction align with NIS2 standards. Additionally, national governments guide organizations in adhering to the directive’s rules.
Has the NIS2 Directive come into effect?
Yes, the NIS2 was formally adopted in 2022, and EU member states were required to implement the directive into national law by 17th October 2024.
Preparing for NIS2: How to Get Started
To meet NIS2 mandates, organizations must strengthen cyber resilience by focusing on proactive risk management and robust incident response. Start your NIS2 compliance journey by:
- Mapping your compliance status by assessing and aligning current risk management practices with NIS2 standards to bridge compliance gaps.
- Adopting proactive risk management by regularly assess and mitigate cyber risks with clear accountability and thorough incident response procedures.
- Establishing a unified risk view by centralizing risk data, aligning digital risks with organizational assets, processes, and compliance needs.
- Managing vendor risks by maintaining oversight on ICT vendor risks, ensuring continuity and compliance through systematic assessments.
- Developing business continuity plans by preparing recovery plans with prioritized assets and tested crisis communication strategies.
How Can MetricStream Help?
MetricStream’s CyberGRC platform simplifies NIS2 compliance with built-in frameworks, automated incident reporting, vendor risk management, and robust continuity planning tools. With MetricStream, organizations can efficiently manage cyber risks, streamline compliance processes, and respond swiftly to incidents, aligning seamlessly with NIS2 requirements.
The NIS2 Directive signals a new era of cybersecurity compliance. As the directive takes hold, staying informed and proactive is essential. For more detailed guidance on the next steps and how to ensure compliance, download our comprehensive eBook today.
Request a personalized demo today.
Jump to Topic
Related Resources
Blogs
3Ps of Stepping Up Your Compliance Program - People, Process, and Product
- Compliance Management
- 05 June 24
5 min read
Introduction
Amid growing pressures from corporate boards and top management for a strong compliance posture, massive regulatory fines and penalties continue to make the headlines.
Earlier this year, the US Securities and Exchange Commission (SEC) slapped more than $81 million in penalties against 16 firms for their failure to maintain and preserve electronic communications. In August 2023, the regulator imposed $289 million in penalties on 11 Wall Street firms for “widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications.”
The first question that comes to my mind is: Could this have been avoided? Yes, of course!
For a successful and robust compliance program, it is important to level up the three core elements – people, process, and product. These are the critical building blocks of not only compliance but also the overarching governance, risk, and compliance (GRC) program.
Let’s look at how organizations can improve these three elements:
People
For a compliance program to be effective, it is essential that not only the compliance team but also employees across departments and business units are aware of the different compliance mandates, regulatory updates, and actions that can potentially lead to compliance violations.
It is important to note here that the “people” element is also crucial from a regulatory standpoint. In the US, laws and regulations such as the Sarbanes-Oxley Act (SOX), Dodd-Frank Wall Street Reform and Consumer Protection Act, and others hold compliance officers and executives accountable for non-compliance or compliance violations. Earlier this year, the Financial Crimes Enforcement Network (FinCEN) imposed a civil penalty of $100,000 on a former compliance officer for “willful violations” of the Bank Secrecy Act (BSA) and its implementing regulations.
Here are some of the key measures that organizations can take to build a compliance-first workforce:
- Document regulatory and policy requirements
- Define and document employee responsibilities and accountabilities for ensuring compliance depending on their role
- Conduct compliance training to improve employee awareness
- Establish open and effective communication channels that help employees promptly raise any issue or concern
- Encourage reporting of potential violations, such as misconduct, fraud, etc., even anonymously
Process
Establishing and reinforcing robust, well-defined processes—compliance framework, strategy, policies and procedures, and more—are critical for a successful compliance program. In today’s rapidly evolving regulatory landscape marked with frequent new regulations and regulatory updates, the agility of the compliance program is particularly important. Organizations must embrace a responsive and agile approach that enables them to easily revise corporate policies and controls in line with regulatory changes.
An important process of compliance management is implementing and monitoring organizational controls. Controls could range from regular fire drills for employee safety and hotlines for reporting abuse or discrimination to due diligence of third-party vendors to ensure their adherence to compliance. Organizations should have well-defined processes to regularly test and monitor these controls to proactively identify and address any gaps or weaknesses.
Product
Technology-based software products are the most important element for ensuring continuous compliance in today’s complex regulatory environment. Technological breakthroughs have triggered a paradigm shift towards automated, autonomous compliance. Organizations should embrace and adopt technological advancements and automate compliance processes wherever possible. Automation enables compliance managers to eliminate cumbersome administrative tasks and instead focus their time and attention on more value-added activities, such as analyzing audits to identify areas of improvement.
Here are some areas where organizations can benefit from technology-based software products:
Simplified Relationship Mapping
A strong compliance program is supported by a well-mapped-out view of various regulations and regulatory requirements, policies and procedures, risks, assets, controls, and business functions. Organizations can leverage technology-based software solutions that enable them to establish the relationships between these elements in a centralized repository for a holistic, 360-degree view of the compliance posture.
Optimized Control Environment
The effectiveness of a compliance program is directly related to the efficacy of organizational controls. Organizations today need to adhere to multiple regulations, which often result in duplicate, overlapping, and even conflicting controls. While managing such a complex control environment is already daunting, the challenges are exacerbated when organizations rely on a manual, excel sheets-based approach that inevitably results in oversight and blind spots.
Strengthening the compliance program requires streamlining the control environment. This can be achieved by harnessing the power of automation and AI-powered tools, which help perform automated, continuous testing and monitoring of controls, and gain insights into duplicate and redundant controls, patterns of under- and over-testing of controls, and more. These actionable insights are critical for optimizing the control environment and enabling better-informed and timely business decisions.
Efficient Regulatory Horizon Scanning
Today’s global organizations are required to be compliant with various laws, regulations, and standards from regulatory authorities worldwide. Given the rising number of new regulations and frequent regulatory updates, staying on top of the fast-evolving regulatory landscape has become extremely challenging. AI-powered tools help organizations simplify the process by regularly scanning the regulatory horizon to capture relevant updates and alert concerned personnel. These solutions further accelerate the compliance process by providing insights into the impacted policies, controls, and business functions.
Systematic Issue and Action Management
Technology-based solutions help streamline capturing, investigating, and resolving all non-compliance issues. It accelerates issue management and reduces the repeat occurrence of issues through a closed-loop remedial action process. AI-powered capabilities can enhance the process by providing recommendations for categorizing similar issues and action plans based on past issues. Automatic alerts and notifications, delivered to the appropriate personnel, keep the process on track and ensure that all issues are taken through timely investigation and remediation.
Timely Reporting
Organizations need to regularly provide comprehensive reports to the board, regulators, investors, and other stakeholders to demonstrate their strong compliance posture. Technology-based solutions can standardize and automate the reporting process by enabling organizations to generate reports based on key compliance metrics and powerful dashboards that provide real-time visibility into the overall compliance status.
For a deeper dive into the key strategies that can help you avoid compliance fines, download our eBook “How Strong Is Your Compliance Program?”
How MetricStream Can Help
MetricStream Compliance Management helps organizations adopt an integrated approach to ensure compliance with cross-industry regulations in a manner that minimizes redundancies and costs while strengthening visibility into compliance posture. It streamlines various compliance activities and processes, including:
- Mapping regulations to processes, assets, risks, controls, and issues
- Identifying, prioritizing, managing, and monitoring areas of high compliance risk
- Performing control testing and monitoring
- Creating and communicating corporate policies
- Identifying, capturing, and managing regulatory updates
- Generating reports with drill-down capabilities
Want to see it in action? Request a personalized demo today!
Jump to Topic
Related Resources
Blogs
Building Compliance Resilience in the Changing Regulatory Landscape
- Compliance Management
- 09 November 23
6 min read
Introduction
In 2022, the number of regulatory events monitored by Thomson Reuters across 190 countries was 61,228, equivalent to an average of 234 daily alerts. This is a staggering number, indicating not just the volume of regulations that companies have to keep pace with, but also the rate at which they are evolving. The risk landscape today is undoubtedly more complex than ever before, leaving regulators with no choice but to introduce new policies and modify existing ones to safeguard businesses and consumers. For organizations operating in highly regulated industries like healthcare, banking, energy, and financial services, keeping pace with regulatory changes is a significant challenge. For those that have capable and scalable regulatory change management practices in place, the concept of agile risk and compliance management extending into adaptable and effective resiliency strategies should be a natural progression.
The Changing Face of Risk and Compliance
Organizations today are navigating a tumultuous world. The risk landscape is constantly evolving with new threats emerging every day. And businesses themselves are in a state of flux. An organization can have the best legal and compliance team and can educate its existing employees about regulations and compliance, but there are people leaving and new people joining every day. The changing dynamics and awareness levels within a business constantly change, keeping compliance professionals on their toes. Regulations keep changing as well, adding an additional dimension to the challenges compliance teams face.
And to add to the complexity, many have come to realize that risks of all types are increasingly interconnected. As an example, COVID-19 started as a health and safety risk, but its impact on global business practices soon morphed into escalated IT compliance, cybersecurity, and privacy risks, extensions of compliance and behavioral risks, and third-party management risks. As borders closed, and production slowed, risks associated with shipping, transportation, and delivery delays grew, while the potential for bribery and corruption along the supply chain flourished. All of this required compliance programs to upscale and adapt, as well as build compliance resilience, standards, and expectations as challenges grew.
The scale and velocity of risks related to the initial healthcare challenges of COVID-19 accelerated much faster than many had anticipated. And now, many industries around the world are paying more attention to and seeking proactive clarity on internal and external risks of all sorts – before they disrupt entire industries. And compliance practices are central to how any business manages its risks associated with and stays aligned to its values, practices, and regulatory environment.
Building Compliance Resilience is a Top Priority
Compliance risk and resilience strategies are comprised of two key elements, each a reflection of the other, like the two sides of the same coin. Compliance risk program agility allows a business to quickly gauge a situation, risk, or compliance challenge and enact defenses, controls, policies, and issue management to respond to it. A compliance resilience strategy is a predefined set of triggers, processes, people, systems, sequences, and measures that are designed to enable a rapid recovery from a compliance failure or business disruption. Together, they define an organization’s ability to build programs that can minimize compliance damage and enable as much recovery as possible with minimal chaos or disruption.
In most cases, a full risk and resiliency program necessitates a strategic shift from legacy compliance management practices that have been periodic and segmented. Too many compliance programs have traditionally conducted risk assessments monthly, quarterly, or even less often, and have separated functional roles within the department across teams and regions. Yet, in an interconnected risk environment, as we have today, this approach is no longer sufficient. Thankfully, many organizations are breaking down those silos today, and joining functions to create a single, integrated compliance approach that is unified, collaborative, and includes strategy, processes, and technologies. Especially where organizations in highly regulated industries may have held on to separate functional compliance departments, the urgency of a unified and strategic approach to compliance risk, remediation, and resiliency is clear.
At the same time, we see a greater focus on accountability for performance, awareness, informed decision making and reporting in compliance teams from stakeholders across the business and among global regulators. As within businesses, the risk events in the last few years have increased awareness of the importance of capable organizational risk and compliance management – and resiliency initiatives – across markets, governments, and global regulators. Therefore, it should come as no surprise that risk and resiliency management is becoming a more commonly regulated obligation. Many of these emerging and evolving risk and resiliency regulatory actions define specific program requirements, standards, structures, validation, and practices to ensure compliance teams are actively pursuing assertive, holistic, and adaptable risk and resiliency programs that can best weather evolving risks, events, and challenges.
Technology—A Must for Agile Compliance Risk and Resiliency Management
A modern and resilient compliance function that aligns to emerging regulations includes a well-defined, well-executed, and agile risk management strategy that allows for program adaptation as risk factors change. It also necessitates defined roles, tasks, and robust, tested processes and measures in a resiliency program. To best centralize access to compliance-related information, controls, testing, and aggregate results, a technology platform that includes automated processes, data sharing and integration, and intuitive analytics is essential.
As a critical element to ensuring compliance programs are effective, awareness of anticipated and current changes to enacted regulations is indispensable. An active regulatory change management program that enables horizon scanning – alerts on proposed and anticipated legislation – and change updates on relevant regulations helps enable compliance programs to adapt to shifting market expectations, standards, and rules.
Further, compliance technology platforms often include advanced analytics capabilities that capture, curate, integrate, and interpret disparate and distributed relevant datapoints. They can enable the ability to draw usable insights from these data and ideally, use AI to recommend the most appropriate courses of action to reduce risk impact and recovery requirements. And to be truly resilient, a compliance management platform must ensure risk and resiliency automation and tracking, reporting, clear workflows and tasks, collaboration tools, controls and policies, and protocols that allow for the acceleration of any recovery processes. Ideally, an organization can acquire all of this in one cohesive platform that integrates with other enterprise systems like HRMS, that can facilitate new employee onboarding, training, and attestation, or ensure employees moving to different roles can stay updated on applicable regulations and their roles in ensuring compliance risk and resiliency effectiveness.
Most importantly, a compliance platform must ensure a defensible and accurate system of records that can be accessed easily to demonstrate compliance processes, aberrations, exceptions, and approvals. This is invaluable during program audits, investigations, or investigations.
A Resilient and Agile Compliance Strategy is Now a Business Imperative
Modern organizations exist in an evolving risk and compliance landscape. Agile and adaptable risk management and resiliency programs are no longer an option. As compliance program expectations escalate, building risk and resiliency programs defined by risk profiles, adaptable to ever-changing risk environments, and designed to trigger automated and proportionate responses is ideal. Technologies built specifically to enable adaptable compliance program effectiveness and efficiency, compliance risk and resiliency management, regulatory change management, and comprehensive reporting are available today to help organizations get ahead of emerging challenges, regulations, and organizational demands.
Learn how MetricStream’s BusinessGRC can help you achieve a connected, intuitive, and holistic approach to risk and compliance management. Leverage MetricStream’s Regulatory Compliance management to effectively manage a wide range of compliance requirements, including cross-industry regulations, regulatory engagements, cases, and surveys.
Request a demo now.
Find out more on how to master compliance in highly regulated industries.
Jump to Topic
Related Resources
Blogs
What Compliance Isn't: Debunking 6 Common Myths
- Compliance Management
- 29 June 23
4 min read
Intoduction
In the fast-paced and ever-evolving business landscape, compliance has become a critical factor that can either propel organizations to success or leave them vulnerable to severe risks and penalties. However, the many challenges in compliance management-44% of organizations say their top compliance management challenges are handling compliance assessments, undergoing control testing, and implementing policy and process updates--often cause compliance to be viewed as a burdensome cost to the business or simply a checklist item to be ticked off.
In this blog, we debunk common myths about compliance, highlighting its true value and importance in today's dynamic business landscape.
6 Common Myths About Compliance
Myth: Compliance is a Burden to the Business
Contrary to popular belief, compliance should not be viewed as a burdensome cost but as a critical component of business success that strengthens consumer confidence and helps mitigate risks before they materialize. While it does involve investments in resources, time, and training, compliance ultimately helps businesses establish trust with stakeholders, mitigate risks, and safeguard their reputations. By adhering to regulatory requirements, organizations demonstrate their commitment to ethical practices and ensure the well-being of their customers and employees.
Myth: Compliance is Just Another Checklist Item
Effective compliance goes beyond being a mere item on a checklist. It encompasses valuable activities that help improve financial safety, protect assets, and drive growth and should be approached as an integral part of a company's operations, policies, and culture. Risk-based compliance programs are designed to identify, assess, and mitigate risks proactively, rather than simply fulfilling regulatory obligations. By adopting a comprehensive approach, businesses can prevent potential violations and drive sustainable growth.
Myth: Compliance is an Internal Policing Mechanism
Although compliance involves enforcing policies and procedures, it is not solely focused on penalizing policy violators. The primary objective of compliance is to be a guiding force focused on helping, training, and supporting employees by establishing a framework that encourages ethical behavior, promotes transparency, and prevents misconduct. It aims to create a culture of compliance where employees are educated, empowered, and motivated to make the right decisions.
Myth: Compliance is a Reactive Exercise
While some organizations choose to prioritize compliance only during audits or regulatory exams, this approach is flawed. Compliance should be proactive, i.e., ingrained in the fabric of a company's operations and decision-making processes from the start. By being proactive, businesses can identify potential risks, implement appropriate controls, and continuously monitor compliance to prevent violations before they occur. This proactive stance ensures that compliance is an ongoing effort rather than a reactive response to external pressures or during times of crisis.
Myth: Compliance Belongs to a Single Team
Compliance is an enterprise-wide endeavor. To establish an effective compliance program, collaboration across departments is crucial. Compliance should not be limited to a specific team or function; instead, it requires involvement and cooperation from all levels of the organization. By fostering a culture of compliance throughout the company, businesses can ensure that everyone understands their role in upholding ethical standards and meeting regulatory requirements.
Myth: Compliance is a Stand-Alone Process
Rather than being added to existing business functions, compliance works best when it’s made part of existing processes so that it becomes part of the organization’s DNA. Integrating compliance seamlessly into existing business functions is essential for its effectiveness. When compliance is treated as a stand-alone process, it becomes disconnected from the core operations and often fails to address the unique risks faced by the organization. To overcome this, businesses should incorporate compliance considerations into their day-to-day activities, policies, and procedures, aligning them to the broader goals and values of the company.
Position Compliance as a Strategic Enabler with MetricStream
Businesses are increasingly viewing compliance as a valuable tool that enhances efficiency, credibility, and long-term value creation. When compliance is approached as an enabler rather than a chore, it becomes intertwined with strategic decision-making processes—and can be integrated into business plans, product development, and operational activities.
MetricStream Compliance Management simplifies and enhances organization-wide compliance programs that govern your business, enabling you to navigate through a complex network of regulations and regulatory changes effortlessly. By aligning policies, standards, regulations, and controls, you can eliminate inefficiencies and unnecessary duplication. It also enables you to identify risks at an early stage and foster improved collaboration and communication across teams.
Want to learn more?
Download our new eBook: Why Compliance Matters Both in Good and Bad Times: 10 Steps to Build an Always-On Approach to Compliance
Jump to Topic
Related Resources
Blogs
Incoming! Are You Prepared for What’s Next in Regulatory Compliance?
- Compliance Management
- 07 June 23
4 min read
Introduction
Cybersecurity and data privacy, ESG and climate change, operational resilience, artificial intelligence (AI), and so on. The focus areas of regulatory authorities worldwide are constantly growing both in number and in scope with the evolving risk landscape and stakeholder expectations. Still, recent developments, innovations, and risks seem to outpace regulatory efforts. The good news is that this is starting to change now.
In the past couple of months, we have seen significant regulatory activity around the world. From the US to the EU, the UK, Singapore, India, and beyond, authorities are relentlessly striving to establish the regulatory perimeters on cybersecurity, risk management, business continuity and operational resilience, ESG and sustainability, and other areas for critical industry verticals.
Cyber Risk and Financial Sector: Top Focus Areas
The spiraling number of high-impact cyber incidents in recent years, including the Colonial Pipeline ransomware attack, the SolarWinds hack, WannaCry ransomware, and the Microsoft Exchange Server hack, among others, has underscored the need for stringent cyber laws and regulations.
To secure the US digital ecosystem, the White House released the National Cybersecurity Strategy in March 2023, which focused on defending critical infrastructure, addressing threat actors, and strengthening resilience. It was closely followed by the Securities and Exchange Commission (SEC) proposing new cybersecurity rules for public/listed companies and other selected financial entities, which, if adopted, would require them to dramatically level up their cybersecurity risk management approach.
The proposed rules are likely the first of many to be aligned with the National Cybersecurity Strategy. Considering the acute focus on safeguarding critical infrastructure, other industry regulators are expected to soon follow suit.
[For a deeper dive, read the blog on SEC’s Proposed Rules on Cybersecurity Risk Management by MetricStream’s Agnishwar Banerjee.]
Unsurprisingly, the SEC noted that the “interconnectedness” of market entities amplifies cyber risk. A cyber incident at any organization can impact several other connected organizations, resulting in a systemic failure. This holds true for organizations operating in any industry. Businesses today operate as a complex ecosystem of third-party suppliers, technology providers, and partners, with growing digital dependencies.
Similar regulatory initiatives are also in the works in other countries. European regulators are focusing on strengthening the “digital operational resilience” of the financial services sector. In 2022, the European Council adopted the Digital Operational Resilience Act (DORA) to bolster the IT security of financial entities such as banks, insurance companies, and investment firms. The act will come into force in January 2025.
Likewise, in the UK, the supervisory authorities – the Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) – are focusing on critical third parties in the UK financial sector. In the discussion paper (DP) 3/22, the regulators have laid out potential measures to strengthen the resilience of critical third parties (CTPs) services to the UK financial sector.
This is just the beginning. From the current focus primarily on financial institutions, soon there will be similar efforts for other industries and sectors – not just limited to public/listed companies but more comprehensive and inclusive of all participants.
And not just IT and cyber, businesses across industries and geographies are bracing themselves for a regulatory deluge on multiple fronts – diversity, equality, and inclusion (DEI), ESG and climate change, cryptocurrency regulations, AI regulations, and many more.
Which brings us to the question – Are you prepared?
The Answer Lies in Technology and Automation
According to a recent Ponemon Institute study, the average annual cost of non-compliance is around $14.82 million. The ever-increasing number of regulations and regulatory updates warrant a technology-driven approach to compliance. The regulatory change management process – scanning the regulatory horizon, capturing the latest updates, analyzing the impact on internal policies and controls, identifying and remediating issues, reporting, and more – is a continuous process and requires a continuous approach. Think automated compliance, if you will.
Manually carrying out these processes is not only labor and time-intensive but also prone to errors. Today, organizations can leverage cutting-edge tools and technologies that can do these tasks for you in a more efficient and accurate way, allowing you to better focus on areas that require human expertise. By facilitating an integrated and centralized approach through seamless mapping of regulations with organizational processes, business units, controls, assets, policies, etc., these software solutions provide contextual information in a timely manner and help accelerate the compliance process.
The time to act is now. Including compliance and regulatory change management in the organizational digital transformation strategy is a must today. Businesses need to identify compliance areas and processes that could be automated to improve efficiency, relieve the burden on overwhelmed compliance teams, and enhance preparedness for the next and future wave of regulatory changes.
We understand the importance of demonstrating strong compliance for building trust and confidence with the board, customers, regulators, and other stakeholders. We also understand how organizations can leverage technology as an enabler of compliance automation and resilience. MetricStream Compliance Management and Regulatory Change Management products are purpose-built to help organizations stay on top of evolving compliance requirements.
To learn more about MetricStream Regulatory Change Management, request a personalized product demo.
Jump to Topic
Related Resources
Blogs
Navigating Change: Leveraging Technology to Strengthen Compliance Resilience
- Compliance Management
- 26 April 23
7 min read
Introduction
The cost of non-compliance is rising. In a recent study, the Ponemon Institute found the average cost of non-compliance to be around $14.82 million per offending business. And while the practice of compliance continues to expand, organizations are finding that they cannot afford to rely on a traditional approach to compliance. For many organizations, there are two compliance practices, with some overlap – corporate compliance that focuses on the conduct at the organization and includes creating, distributing, training on, and getting employee (and third-party) attestation to a code of conduct, behavioral policies, and relevant processes and procedures, and regulatory compliance that focuses on organizational alignment with applicable regulations, standards, and frameworks. Corporate and regulatory compliance best practices are essential to a well-run business. Yet changes in compliance expectations, its position in an organization’s approach to holistic risk management, and the influence well-run compliance programs can have on the success of a business are driving changes in compliance best practices.
Globally, the narrative is gradually shifting from simply managing compliance requirements and meeting obligations to building dependable programs that deliver organizational compliance resilience. But what does it mean?
Compliance resilience refers to the ability of an organization to weather rapid changes and respond to them without compromising the compliance function or the integrity of the business. These changes could be either external to the organization, such as regulatory updates requiring recalibrating of regulatory requirements and obligations, or internal to the organization, such as changes in business practices – working from home or the office – changes in personnel, partnerships, and processes, that challenge compliance norms.
External Changes: New Regulations and Updates
According to Thomson Reuters’ Cost of Compliance report, financial services firms across 190 countries saw an average of 246 regulatory alerts every business day in 2021. This equated to more than 64,000 alerts annually, marking the second-highest annual volume of regulatory alerts since 2008. Keeping up with this flurry of regulatory updates is no ordinary feat and requires a multi-pronged approach. Here, compliance management technology plays a key role.
- Regulatory Horizon Scanning
Establishing a systematic process for staying on top of pending regulatory changes is essential for boosting agility in compliance management and strengthening compliance resilience. Awareness of legislation and regulations in development can help organizations prepare for and anticipate changes. For example, it is not uncommon for one regulatory body to release an update only to be followed by another agency with similar jurisdiction and stricter demands. A business that is made aware of the proposed legislation can more easily adapt their programs to the anticipated stricter code once, rather than having to adapt their approach twice. Tracking relevant regulatory development from around the world, across hundreds of jurisdictions and thousands of regulatory authorities is a daunting task. A manual approach will inevitably result in a growing backlog of regulatory alerts that need further analysis, increasing the probability of human error and compliance violations. It also makes it challenging to consolidate compliance data from different business units and geographies and compare trends across different assessment periods.
There are a number of solution providers that offer regulatory horizon scanning capabilities – tools that regularly scan the regulatory environment, such as government and regulatory bodies, enforcement agencies, supervisory authorities, etc., for updates, and capture and relay it to relevant personnel in a streamlined and automated manner. This helps the compliance team save a lot of time and effort, which they can now utilize to analyze the regulatory alert and assess its impact.
Learn how a Leading UK Financial Institution is leveraging MetricStream’s integration with CUBE to identify, capture, and manage regulatory changes in a simple and automated manner. Click here.
- Regulatory Change Alerts
Establishing a systematic process for staying on top of impending regulatory changes is essential for boosting agility in compliance management and strengthening compliance resilience. However, capturing these alerts from around the world, hundreds of jurisdictions, and thousands of regulatory authorities is a daunting task. A manual approach will inevitably result in a growing backlog of regulatory alerts that need further analysis, increasing the probability of compliance violation. It also makes it challenging to consolidate compliance data from different business units and geographies and compare trends across different assessment periods.
Software designed to streamline regulatory change management can reduce the time and resources required to ensure the organizations is aware of, identifying, and aligning to evolving regulatory requirements. AI tools that can help identify applicable regulations, curate those regulations so only relevant regulations are reviewed, and extract requirements from relevant regulations can save even more resources, time, and costs. Systems that establish a centralized repository that maps regulatory requirements to organizational risks, controls, processes, and policies can help accelerate the process. Software that enables the identification of specific sections of policies that are impacted due to a regulatory update, save significant effort, allow for a more adaptable, agile, and resilient compliance approach.
- Obligation Management
Effective obligation management, i.e., identifying, extracting, and meeting compliance obligations from regulations, contracts, policies, etc., is essential to strengthening compliance resilience. Given the sheer volume and complexity of regulatory requirements and the tendency to bury actual obligations within large documents, organizations can no longer justify manual methods. Leveraging AI-powered capabilities and automation can enable organizations to quickly and easily identify and extract relevant regulatory obligations from relevant regulations at scale, including tagging it, classifying it, and surfacing it for a faster, easier, and more accurate review.
AI-driven obligation management is a game changer for many, with an ability to accelerate regulatory change management processes and accuracy immeasurably. And an easily and rapidly aligned organization is going to be able to adapt to changes in compliance requirements with less effort.
- Compliance Risk Assessments
It is imperative for organizations to proactively manage compliance risks, i.e., the risk of non-compliance with regulations, frameworks, and standards, which can jeopardize an organization's financial standing, legal position, and brand reputation. To improve compliance posture and resilience, organizations need to continuously assess compliance risks and mitigate them in a timely manner.
Performing compliance risk assessments requires identifying relevant federal, state, and local regulations, determining if internal controls and policies are in compliance with the identified regulatory requirements, identifying if there are any gaps, and taking necessary risk mitigation steps. That said, it is critical to constantly draw from cross-industry best practices to enhance an organization’s compliance risk assessment, and to effectively manage compliance expectations.
Software solutions can help streamline the entire process with well-defined workflows around creating surveys to reviewing, approving, and distributing them, and collaborating with various business units and teams to gather and update responses, etc. Technology-based solutions not only help organizations save time and effort but also enable them to manage compliance risks proactively and effectively prioritize risk mitigation efforts, ensuring optimum allocation of resources.
Internal Changes: Compliance Team and Workflow
The centerpiece of implementing a compliance program and executing the workflows is the compliance team. From the chief compliance officer (CCO) to compliance managers, analysts, and associates – everyone plays a crucial role in strengthening compliance resilience. Organizations need to properly define and document roles, responsibilities, and accountabilities for each of the compliance personnel; provide comprehensive training on the laws, regulations, and company policies that apply to their day-to-day job responsibilities; and ensure seamless collaboration within the team and externally with risk, security, and other functions. That said, it is critical to have a business continuity plan in place – the course of action if there is an expected or unexpected unavailability of a team member due to retirement, a departure from the firm, management restructuring, etc. While having well-documented standard operating procedures (SOPs) in place definitely helps, organizations must also deliberately encourage a culture that promotes performing at the next level. Running mentorship programs can help employees easily step into the shoes of a senior team member if need be.
What’s Next
Anti-corruption and competition laws, data and privacy regulations, prevention and control of fraud, cybersecurity regulations, anti-money laundering (AML) and counter-terrorist financing (CFT), sanctions policies, ESG regulations, and more – the list goes on. Regulatory scrutiny and oversight will only amplify going forward, making it exceptionally challenging for organizations to build trust and credibility with regulators, particularly in the uncertain business environment. It underscores the need for building compliance resilience in line with business goals and objectives.
Companies that fail to broaden their outlook and approach face greater possibilities of penalties, litigation, loss of contract, negative publicity, loss of reputation, and in some cases, complete corporate collapse. Organizations need to create an environment that reflects transparency and efficiency in the management of regulatory requirements and obligations. Compliance resilience – centered around the principles of proactive and agile approach and business continuity – can empower organizations to withstand internal and external changes.
To explore how MetricStream can help you stay on top of regulatory change and boost compliance resilience, click here.
Jump to Topic
Related Resources
Blogs
If You Think Compliance is Expensive, Then Try Non-Compliance
- Compliance Management
- 09 March 22
5 min read
On Your Bike
Last year, just when summer was abruptly ending, I decided to buy a bike. The timing could not have been worse. At best I accomplished one week of what I classified as proficient riding, and that was navigating a flat path, as anything else in my vicinity would have been uphill and painful.
A week later I locked my bike up in a well-weathered shed that had a secure padlock. If anyone wanted my bike, they would have had to break the padlock.
I am reminded of this story as I recently had a conversation with the head of a security and risk management division, who told me that not that long ago to secure your documents you would physically place them in a filing cabinet, put a key in, turn it, and lock it-- job done.
Well naturally this still exists, but now we have more secure, efficient, and quicker ways to safeguard documents and data. The advances of digitalization have brought us so many reasons to be cheerful. Look how we can work remotely, store terabytes of files in one click, and send relevant photos, media, and documents across the world in seconds.
Just to set the record straight: when I say things have become more secure – it depends on who you ask! Cyber security is all the rage and making front news in national papers: it’s not just companies that need to secure themselves, it is even countries that are worried about their IP domains and distributed denial of service (DDoS) attacks. Networks, organizations' infrastructure, passwords, and even mobile devices have to ringfence themselves against these attacks. The stakes are high, and risk has to be managed, be it systemic or reputational.
Recently, MetricStream partnered with the International Compliance Association (ICA) on a webinar titled: Best Practice Guide: How to Tackle Cyber Risk as a Compliance Professional
I was fortunate to be part of this discussion.
Some of the topics we delved into were:
- How are risk and compliance professionals tackling cyber risk?
- How risk quantification helps with strategic decisions?
- The role of the compliance professionals in cyber security risk management
Watch the Webinar: Best Practice Guide: How to Tackle Cyber Risk as a Compliance Professional
Cyber: The Dark Side of the Force
It’s great to see how innovation and technology can help solve so many things. Unfortunately, there is a darker side. There are cybercriminals who are trying to steal your online data and cause as much havoc as possible. It’s not just a job for CISOs or CROs to manage this. It falls to all teams including compliance professionals.
Cybercriminals may try a thousand times to infiltrate the same organization and unfortunately, it takes only one attack to be successful, and if you are breached, the results are catastrophic and you will have to re-think your entire business and cyber strategy.
There is a significant difference between information security and cyber security, the first protects your classified information whereas the latter is a component of information security and protects your networks and computer systems. You need to be in control of both.
Another cybercrime that has dominated the headlines recently is ransomware. It is the most profitable form of cybercrime and with the current geopolitical landscape, cyber-attacks and ransomware are dominating the Eastern Europe region and the world stage.
Cybersecurity is a Business Risk, Not Just a Technology One
Organizations need to show their customers that their data is secure. Being compliant is important to give your customers confidence that you are protecting their data, but it is not the same as being cyber secure. By understanding your risks, mitigating the right risks for you, and transferring residual risks, organizations can start to make and prioritize decisions based on their profile. Compliance professions should be connecting with the cyber and security professionals as in real terms the cost of compliance continues to rise and if you think compliance is expensive, then try non-compliance!
We Are in This Together
Companies don’t have to try and work this out in isolation, and sometimes using spreadsheets to manage this will not give you the breadth, depth, or real-time view that you need. To really get in front of risk you need a governance, risk, and compliance (GRC) solution that has a federated data model, meaning whether organizations need to understand their ESG score, their cyber threat vulnerabilities, and risk quantification they can have one amalgamated solution that is connected and seamless. They can thrive on risk!
Every organization will be at a different stage in its cyber maturity and development, but what if you can actively manage cyber risk through an IT and cyber risk and compliance framework that aligns with established security standards so you can pass IT audits more efficiently and obtain buy-in from top management.
MetricStream is here to help you with pre-packaged content and industry frameworks such as ISO 27001, NIST CSF, and NIST SP800-53. We can map policies to IT controls and policy exceptions so you can be set up for success. You can learn more by visiting our website or booking a demo.
The compliance professional is so much more than just compliance, they hold the integrity of the client’s data as well as the ethics of an organization. In many ways, we must go back to basics. Having a solid governance structure that considers your third-party risks and builds a threat intelligence framework is critical.
“Don’t forget it takes years to build a reputation and a few minutes of a cyber-incident to ruin it.” Stay safe.
In my next blog I will discuss what cyber means for the resilience of an organization and how you need to think three or four steps ahead of the game.
Watch the Webinar: Best Practice Guide: How to Tackle Cyber Risk as a Compliance Professional
This blog is part of the Instagram of Risk Blog Series, authored by Suneel Sahi, VP, Product Marketing at MetricStream, which captures discussions and insights trending in the risk community.
Check out Suneel’s other ‘Instagram of Risk’ ’blogs:
An Ounce of Prevention is Worth a Pound of Cure
Don’t Aim To Be Perfect, Aim To Be Anti-Fragile
Jump to Topic
We settled in for another topical roundtable discussion, where the thoughts and real-life examples of how technology is an enabler in the GRC space were deliberated. In some instances, the dialogue went back and forth. One example of this was that the concern organizations face with risk was not always a technology one, but more of a transformational project that the organization needed to resolve. Accompanying this, was the remark that there are inconsistencies in risk terminologies across the industries, which fuels part of the problem. It was also surprising (to me) to learn that there were still so many organizations using spreadsheets to manage their risk. This was their default way to identify, monitor, and track risks, even though they knew it was not sustainable, efficient, or scalable.
And finally, concluding the week in Zurich, we had another full house with an engaging group that deliberated on how they can start a community of risk or as was suggested, the “Instagram of risk”. There were discussions around risk culture, accountability, accurate data, and mindset. Some customers admitted that it was quite possible to get lost in the data and what they require is speed, agility, and most of all simplicity. A comment was made that you could spend all your time managing documents and not the risk. Another referenced that as change management sits in all departments including HR and legal it can be a challenge to bring it all together for larger organizations. Crypto also made it in the discussion, with a notable mention that new risks have no historical data to base it on.