Blogs
Our European GRC Summit Roadshows and the Instagram of Risk
- Artificial Intelligence
- 02 November 21
4 min read
Introduction
Talk about roundtrips…. In-the same week of a very successful 2021 GRC virtual summit on the 19 and 20 of October, where MetricStream had over 2500 customers, prospects, and partners registered to learn, participate, and share their experiences around GRC, IRM, and everything in-between, we decided to host three physical summits based in London, Copenhagen, and Zurich to continue the conversations with our community.
All three locations had a boardroom style setting dedicated to a round table discussion. The aim was simple, we would listen to what our community had on their mind. It was an opportunity to find common synergies, lead round table discussions, and network with senior risk professionals that are paving the way in this industry.
With representation from risk, compliance, audit and IT Cyber, the discussions were captivating, and the commentary was electric.
London Calling
The first of the events started off in London, and we had a great mix of customers, partners, and prospects around the table.
Our CEO, Bruce Dahlgren introduced the session, and it was an engaging group that shared their thoughts and concerns around the current themes and trends.
Alongside the presentations, our partners gave a short speech on the success of collaborating with MetricStream to provide business benefits for our risk community. What followed was an insightful roundtable discussion that covered risk quantification, cyber security, and the need for organizations to lead with purpose.
It did not take long for ESG to make an appearance and quite rightly so, with COP26 on the agenda and the link to compliance, organizations that have a purpose and are aligning to social governance, diversity, and climate change are setting a precedent. MetricStream recently launched the ESGRC product, which enables organizations to define and manage ESG standards, frameworks, and disclosure requirements. There was a lot of excitement on this in the room.
Emerging risks and third-party risks were explored in detail. With recent supply chain disruptions, it became even more apparent how peripheral risks had to be managed.
Dinner followed, and the conversations (like the wine) continued flowing. It was delightful to see customers connecting with customers. It was evident that they all thrive in this environment and that it was clearly something they had sorely missed over the last 20 months.
Cycling through Denmark
We settled in for another topical roundtable discussion, where the thoughts and real-life examples of how technology is an enabler in the GRC space were deliberated. In some instances, the dialogue went back and forth. One example of this was that the concern organizations face with risk was not always a technology one, but more of a transformational project that the organization needed to resolve. Accompanying this, was the remark that there are inconsistencies in risk terminologies across the industries, which fuels part of the problem. It was also surprising (to me) to learn that there were still so many organizations using spreadsheets to manage their risk. This was their default way to identify, monitor, and track risks, even though they knew it was not sustainable, efficient, or scalable.
The need for AI and ML to automate risk attributes was the next topical point. The comment was made that AI techniques recognize pattens and trends to help alleviate the pain, time, and missing information that humans cannot always detect, but how do you know that AI is doing the right thing. This conversation continued into the evening, accompanied by food and drinks.
High-End Shopping in Zurich
And finally, concluding the week in Zurich, we had another full house with an engaging group that deliberated on how they can start a community of risk or as was suggested, the “Instagram of risk”. There were discussions around risk culture, accountability, accurate data, and mindset. Some customers admitted that it was quite possible to get lost in the data and what they require is speed, agility, and most of all simplicity. A comment was made that you could spend all your time managing documents and not the risk. Another referenced that as change management sits in all departments including HR and legal it can be a challenge to bring it all together for larger organizations. Crypto also made it in the discussion, with a notable mention that new risks have no historical data to base it on.
Visibility and accountability were front of mind in the discussions, and a common theme that was mentioned was on reporting risks up to the board of directors and the role of the board in risk governance.
MetricStream presented 5 current trends that we are observing in the industry and 5 innovation themes that we are leading the way with (API, AI, Adoption, Agility & Analytics).
By bridging the gap and driving value for the community, MetricStream has a purpose to continue to add value and innovate alongside our community. We want the community to thrive on risk and reap the rewards of being on a GRC journey that like a good bottle of wine gets better with age.
Until the next summit.
Jump to Topic
Related Resources
Blogs
Powering What’s Next in Compliance Management: Compliance Evangelist Tom Fox Breaks It Down
- Compliance Management
- 05 October 21
9 min read
Introduction
I recently had the privilege to sit down with Tom Fox. Tom is the author of the award-winning FCPA Compliance and Ethics blog, 18 best-selling books on compliance, including the just-published 2nd Edition of the Compliance Handbook, and publisher of the Compliance Podcast Network – the only network of podcasts for compliance leaders. A renowned expert across all aspects of compliance – corporate, regulatory, ESG, you name it – he’s known by the well-earned names “the Compliance Evangelist” and the “Voice of Compliance.”
As we all contemplate what’s next as we recover from the pandemic, navigate multiple regulations, and adapt to the ever-changing demands of our organizations, I asked Tom his thoughts on what’s trending in compliance today and tomorrow. As always, he had thought-provoking insights to share, including:
- Nothing matters more than document, document, document – except data, data, data
- Risk management is business today – and it’s no longer a once-a-year activity
- ESG is the trend of the year
- Reputation matters: Remember the court of public opinion!
Here’s a lightly edited transcript of our conversation. Thank you, Tom!
Q. Hi Tom, Great to see you! Let’s start with this idea of what's next. Obviously, we're all experiencing unprecedented volatility, a tsunami of change. When you think about what’s next for compliance, what are some of the trends and key things that are o
TF: Let’s speak about both compliance and risk management. I started a podcast last year called “Compliance and Coronavirus” because I really wanted to focus on what the COVID-19 pandemic meant for people in our profession and really everyone in the corporate world.
Probably the two most propitious things I learned in that about 50 podcast series were one, a gentleman said, I think in October, “We've had five years of change in six months of coronavirus.”
The second was the risk management part, where another guy said, “We've gone from disaster recovery to business continuity to businesses as usual.” Now the risk management world is business.
You have to prepare for risks from a worldwide pandemic to the Suez Canal being shut down, to riots at the U.S. Capitol, and everything in between. That’s just business now.
So, the types of services that you and I bring to the compliance community have only become more important in all of the things that we used to talk about. They are exponentially more important now. So that's part one, but part two is where is all of this going down the road? And that part is largely around data and the use of data.
In June 2020, the Department of Justice released an update to the Evaluation of Corporate Compliance Programs. And for the compliance professional, they specifically said a couple of very important things.
- Number one, compliance and the chief compliance officer have to have access to all of the data in your corporation. If it's siloed, if it's not structured, it doesn't matter. Compliance has to have access to it. And even more important is that you use that data.
- Number two, we used to talk about a risk assessment being done every two or three years, and then you plan it out as one, three, and five-year plans to mitigate those risks. But now risk assessment must be conducted not every three years, not even every year, but when your risks change.
And -- your risks are going to change. You must put a risk management model in place and then you monitor that risk, all the time. And the data that you garner from that monitoring is looped back into your risk management solution through an ongoing/continuous approach to risk management -- risk assessment, continuous monitoring, continuous improvement-- all tied by data.
Everyone -- from the compliance professional to the risk management professional -- now has to utilize data to manage risks. That's how business is going to survive and thrive going forward.
Q. What about regulations? Are there other specific areas of regulatory compliance or regulations that compliance pros in that area need to be thinking about when it comes to what's next?
TF: Probably one of the most ubiquitous phrases from 2021 has been ESG. I think that sits directly in the compliance wheelhouse. Also, the chief compliance officer is uniquely suited and situated to lead a corporate ESG effort.
Certainly, for each one of the letters in the ESG -- environmental, social, and governance -- compliance is well-suited to own it because it's putting policies and procedures in place. It's monitoring those policies and it's getting measurements from that monitoring and reporting.
Q. What about regulations? Are there other specific areas of regulatory compliance or regulations that compliance pros in that area need to be thinking about when it comes to what's next?
TF: Probably one of the most ubiquitous phrases from 2021 has been ESG. I think that sits directly in the compliance wheelhouse. Also, the chief compliance officer is uniquely suited and situated to lead a corporate ESG effort.
Certainly, for each one of the letters in the ESG -- environmental, social, and governance -- compliance is well-suited to own it because it's putting policies and procedures in place. It's monitoring those policies and it's getting measurements from that monitoring and reporting.
And that's just one area from the regulatory sphere. The U.S. Securities and Exchange Commission (SEC) has made it clear that they expect companies to not only have ESG programs in place, but also report on those programs accurately. That is not only a regulatory requirement that could lead to regulatory enforcement, but would also help to meet investor expectations, stakeholder expectations, shareholder lawsuits, and everything in between.
The second perhaps most ubiquitous phrase is SPACs: Special Purpose Acquisition Corporations. Those are utilized to bring a privately held company and make it public. But it's different than the typical IPO process where you go 12 to 18 months, you have regulatory approval, you have filings with the regulator, you have investors like you, and may have the opportunity to review those filings, to determine if we want to invest in it. And you have an opportunity to put your Sarbanes Oxley or SOX controls in place.
When you're a SPAC, you don't have an 18-month run-up. You have “today's Tuesday, tomorrow's Wednesday. Go!” You now have all the obligations of a U.S. public company. Are your internal controls in place? Are they effective? Have you tested them? The answer is no.
It’s incredibly important for the risk management professional to think about those things. And if you think you may be acquired by a SPAC you have to be moving towards those.
Those are just a couple of areas that the regulators have made clear that they are going to look at SPACs very closely. If on the day, you become a U.S. public company, you don't have Sarbanes-Oxley 404 controls in place, the SEC may take a very dim view of that. And certainly, you open yourself up to potential investor and shareholder lawsuits.
But I think that as important as those are, they actually pale beside public opinion. And I think the greatest danger to a corporation now, certainly from a financial perspective, is negative publicity.
The social amplification and speed of social media make it mandatory that you have policies and procedures in place to detect anything and then prevent it. And if not remediate as quickly as possible, then at least be able to communicate that to all of the stakeholders that are now seen as a part of a corporation.
Q. If you had one piece of advice for compliance professionals thinking about what's next, what would be your summary piece of Tom Fox wisdom?
TF: In the past, I’ve always said the three most important things are: document, document, document.
I've amended that out to data, data, data.
You need to have a data expert, a data scientist, or someone who can work with data on your compliance team because either you're going to have to work with the data or more importantly, have someone who can work with the data. You can help shape the story that the data tells.
As the chief compliance officer, you can certainly see the trends, but you have to be able to work with data. If you don't have that training and you can't really pick up those skills in this part of your professional life, you're going to need to bring those skills into your compliance program.
I see compliance really moving towards a business process and a business function. And that means data and using data to determine if a potential violation is on the horizon and using that same data to tell your story to all of the stakeholders of a corporation--your shareholders, your employees, your third parties, those who you do business with, localities where you may be doing business.
And most importantly, if the government comes knocking, that's where the “document, document, document” part comes in because you can tell your story to the government as well.
Q. So what are you doing next in your career? You mentioned your book. What’s happening next for Tom?
TF: Well, about a year ago, I was contacted by LexisNexis, the preeminent legal publisher in the United States and the world. I was very honored that they selected me to be their first author to lead their compliance library that they make available. I'm extraordinarily pleased to announce that in June Lexis Nexis published my latest book, the 2nd Edition of Compliance Handbook.
I'm going to continue to grow the Compliance Podcast Network. We’ll have 70 podcasts on the network by the end of summer and I'm looking to grow the network. The thing I love about podcasting is I get to interview the top experts in every form of compliance: IT compliance, HR compliance, anti-corruption compliance, AML compliance, environmental compliance, you name it. I've learned so much by interviewing people.
So, I'm going to continue to learn and grow and hopefully be a resource to the compliance community going forward.
Thanks, Tom, for sharing your insights about what’s now in compliance – and what’s next. To learn more about Tom, visit his Compliance Podcast website.
To learn how MetricStream can help you address your compliance needs and help you manage what’s next, click here.
Jump to Topic
Related Resources
Blogs
Power What's Next with Integration and Technology.
- Compliance Management
- 02 September 21
4 min read
Introduction
What’s happening with risk management and compliance professionals as they manage today’s vast wave of changes – from increased regulatory pressures and a skyrocketing number of legislations to master? How are they managing what’s next in the COVID-19 era?
To understand the current state of compliance programs and processes as well as the impact of the pandemic on compliance management, MetricStream conducted a comprehensive survey of compliance professionals across industries and geographies.
We learned a lot, including:
Managing third-party risk compliance is a huge challenge. Nearly half -- 48% -- of organizations found it challenging to track third-party compliance while 44% stated that their biggest challenge was to manually conduct compliance assessments.
Staying ahead of regulatory changes remains a key issue. Regulatory authorities worldwide keep regulations at par to protect the interests of businesses, customers, and relevant stakeholders, leading businesses to cope with a tsunami of ongoing changes. As just one example, banking sector companies alone cope with an average of 220 regulatory alerts a day, compared to just 10 back in 2004.
In the survey, we found that 76% of compliance managers manually scan regulatory websites to track changes and assess their impact on the business. That’s neither efficient nor effective – how can you possibly keep up?
Engaging the front line is essential. 57% of respondents said that they engage with the frontline to respond to queries related to policies, regulations, processes, and controls. Frontline employees are the eyes and ears of the business and can often spot important trends and risks before the rest of the business. It’s encouraging that more than half are incorporating frontline feedback – a trend we hope to see continue.
The use of technology is not yet where it needs to be. Just 19% of organizations use standalone compliance management platforms. That’s shockingly low! And, only 19% of respondents said they use compliance management software as a component of a larger GRC platform – implying 80%+ are not managing compliance in a consistent, integrated way.
Combined with the manual scanning of regulatory changes, we’re seeing a key theme: automation and technology drive effectiveness and enable you to move valuable resources to strategic work, yet so few are taking advantage of it. There is work to be done. Enhancing regulatory and internal compliance assessments and improving employee awareness with more compliance training emerged as the top future priority areas. Training is key to creating a culture of compliance and coping with today’s fast-changing demands. Unless combined with more strategic technology, however, they are not enough.
In the words of the report: “As the world gears up for a post-COVID economy, organizations must also focus on fully integrated technology platforms that can automate and improve compliance with an ever-evolving regulatory framework. The post-COVID future will bring about greater uncertainties and greater changes in regulations and organizations must prepare for this now.” Only by getting ready now will we be empowered for what’s next.
Going Digital: The Only Way Forward
To navigate today’s regulatory landscape efficiently and effectively, organizations need to embrace digitization and automation. Technology-based compliance management solutions can help streamline and automate the entire process—establishing a centralized repository of regulatory obligations and mapping them to policies, risks, controls, and processes; identifying, tracking, and analyzing regulatory changes; identifying and prioritizing high-risk areas; creating, updating, and aligning policies; managing various regulatory engagement activities, and more.
[Read more: 3 Best Practices for a Proactive Approach to Compliance (eBook)]
MetricStream can help you power what’s next. We offer a comprehensive suite of products and solutions to help organizations streamline and simplify both regulatory and corporate compliance. The products help structure and streamline various aspects of the compliance function, enhancing overall efficiency. With automated workflows, analytics, and dynamic dashboards, MetricStream products and solutions deliver real-time visibility into the compliance posture of the organization.
Here’s a case in point: A leading health insurer was seeking to integrate all regulatory compliance processes so that the insights that ultimately rolled up to the senior management and board would provide a complete, accurate, and real-time view of enterprise-wide compliance. It embarked on a GRC journey with MetricStream and implemented an integrated GRC solution beginning with compliance issue management, followed by compliance risk management, policy management, case management, and audits. Today, an efficient and standardized compliance program is in place with timelier visibility into risks and other areas of concern.
[Read more: Leading Health Insurer Integrates Regulatory Compliance Efforts, Saves Time and Costs (Case Study)]
What’s next is never sure – but what’s certain is that what got us here won’t move us forward. The compliance function must adapt, automate, streamline, and collaborate with technology to power the future and turn risk into a strategic advantage.
Read more of what the compliance professionals had to say. To download the State of Compliance report, click here.
Want to see MetricStream in action? Request a demo by clicking here.
Jump to Topic
Related Resources
Blogs
Power What’s Next in GRC with MetricStream’s Brazos Software Release
- Compliance Management
- 19 August 21
3 min read
Introduction
The demands and requirements of businesses to thrive in the new normal have changed drastically. Buzz words like agility, digitization, and resilience are no longer just business aspirations but have become necessary and fundamental for the readiness of organizations to address any risk event, including high-impact, low-frequency events such as COVID-19. With the latest Brazos release, we are delivering a myriad of innovations to support organizations in their journey to achieve their business goals and power through the current unsettled operational environment.
Brazos builds upon the previous Arno release and includes key innovations in areas including regulatory compliance, cyber risk quantification, and vendor risk management. The objective is to make the processes simpler, smarter, and more streamlined.
Simplifying Regulatory Complexity
Given the complex web of regulations, along with the escalating number of regulatory change alerts that organizations are bombarded with every day, it has become imperative to simplify the compliance function to make it more efficient and systematic. On these lines, the Brazos release brings new capabilities to our regulatory compliance products, including:
- Fully packaged, real-time curated regulatory intelligence from 1,000 supervisory bodies and 2,500 collections of regulatory/legislative materials facilitating efficient management of regulation overload.
- Certification and sub-certification processes enabling the creation of accountability chains.
- Contextual intelligence on policies allowing compliance teams to easily identify the policy section related to regulations, risks, and controls.
- Artificial Intelligence (AI)-powered action plan recommendations based on semantically similar compliance issues reported in the past for quick and easy resolution.
- Multiple enhancements to the Mobile App that simplify searching policies, tracking regulatory changes, and managing compliance assessments and regulatory engagement activities.
Quantifying the Impact of Cyber Risks
Cyber risk quantification, or quantifying cyber risks in monetary terms, is critical for cybersecurity professionals today to effectively communicate the cyber risk exposure to the top management and board. By understanding the potential impact of cyber risks in dollar values, decision-makers are better positioned to prioritize IT cyber risk spending, resource allocation, and establishment of optimal controls.
Brazos brings advanced cyber risk quantification capabilities to IT and Cyber Risk Management, enabling cybersecurity teams to leverage the industry standard FAIR methodology to quantify their cyber risks in monetary value. In addition, advanced Monte Carlo simulation capabilities help upgrade the assessment teams’ guesstimates into accurate predictive values of the cyber risk exposure.
Powering Next-Gen Vendor Risk Management with AI
Managing risks associated with the extended enterprise quickly and efficiently is crucial for ensuring continued business operations. Supplier networks of organizations today are comprised of hundreds and thousands of third, fourth, and subsequent parties. A manual approach to review third- and fourth-party documentation, including reports, certificates, and evidence, to spot any discrepancies is time-taking and prone to error.
We are addressing this challenge by bringing the benefits of artificial intelligence (AI) and automation to Third-Party Management with the latest release. MetricStream’s AI engine automatically scans through the documents submitted by the third parties, validates the content, highlights any anomalies, and automatically recommends risks scores based on the number and type of anomalies found. This real-time intelligence equips risk teams to accelerate analysis and mitigation of third-party risks.
With Brazos, we are setting a new standard by implementing AI into multiple GRC products, empowering risk, compliance, security, and audit professionals to better perform their roles and responsibilities. The release also provides a simplified user experience and enhances agility for faster time to value with:
- High configurability capabilities across the MetricStream Platform.
- Enhanced frontline capabilities to anonymously report compliance cases.
- Improved mobile capabilities for regulatory compliance, IT compliance, and audit.
- Content Integration Service that leverages REST APIs to import content from external sources.
- Better collaboration and improved cross-referencing in audit workpapers within Microsoft Word.
We are constantly striving to make your GRC journey exciting, enriching, and fun. The latest software release is guided by our key tenet of helping organizations accelerate sustainable growth with risk-aware decisions. The new features and functionalities extend the capabilities of MetricStream Platform and products and will enable you to meet the evolving business needs in this digitized world.
To know more about Brazos Release features, click here.
Jump to Topic
Related Resources
Blogs
Mitigating Regulatory Risk with Integrated Compliance Management Approach
- Compliance Management
- 02 June 21
3 min read
Introduction
The growing focus on data privacy and protecting the rights and interests of customers and key stakeholders has resulted in a flurry of regulations at the global, national, and state level. The already complex regulatory landscape that organizations are required to wade through saw a fresh wave of regulations and numerous regulatory updates in the past year due to the COVID-19 pandemic.
To put things in perspective, banking sector companies today have to handle an average of 220 regulatory alerts per day compared to just 10 regulatory alerts per day back in 2004. The numbers are expected to only surge going forward as regulators will spare no effort to protect against the risks posed by rapid digitalization, volatile geopolitical environment, and other uncertainties.
Government regulations get translated into corporate policies which form the very foundation of a strong compliance program. With the mounting number of regulations and regulatory updates, ensuring an effective compliance management program has become a daunting proposition for organizations. A considerable number of firms still use the traditional approach and often end up in different policies, templates, and layouts that are scattered, inconsistent, and redundant, leaving most of the employees unsure about the latest policy applicable to them.
Regulatory Risk Mmanagement
Regulatory risk management is the proactive process of identifying, assessing, and mitigating the financial, operational, and reputational risks that changes in laws, regulations, or standards may pose to a business, industry, or market.
Integrated Compliance Management
To mitigate regulatory risk in an efficient manner, organizations need to adopt an integrated approach to compliance management. But how?
There is no one-size-fits-all approach to compliance. It depends on each organization’s unique set of requirements which depend upon multiple factors such as the industry it operates in, the number of regulations that it must comply with, the maturity of the compliance program, the jurisdiction it is based out of, and many more.
However, there are certain core elements of a compliance program that every organization follows:
- Obligatory Rule Mapping: Creating and maintaining a repository of regulatory obligations and mapping them to policies, risks, controls, and processes.
- Regulatory Change Management: Identifying, tracking, and analyzing regulatory changes and assessing their impact on business.
- Compliance Risk Assessment: Identifying compliance areas within the organization that are high risk and then managing and monitoring those high-risk areas on priority.
- Compliance Control Assessments: Testing and continuous monitoring of compliance controls to ensure their effectiveness and alignment with evolving regulations, policies, and standards.
- Policy and Document Management: Creating, updating, and aligning policies with evolving regulatory requirements and ensuring that employees, third-parties, and partners are aware of the latest applicable policies.
- Case and Incident Management: Establishing consistent procedures for case and incident planning and administration, recording, triaging, routing, investigating, tracking, and closure.
- Compliance Advisory: Evaluating compliance functions to identify any loopholes or gaps, preventing compliance breaches, and devising mitigation and remediation measures in a quick and efficient manner.
- Regulatory Engagement Management: Managing various regulatory engagement activities, including examinations, meetings, and requests for information, and engagement-related documentations.
These processes, along with the technology that supports them, a common data architecture, and a risk-based approach, enable organizations to respond in an agile manner to the fast-changing regulatory landscape.
Having said that, a strong compliance program is one that is enforced with a culture of compliance across an enterprise. Particularly in the current remote working setup, compliance teams need to be thoughtful and purposeful in building a culture of compliance. A top-down approach is critical to that end—the impetus should come from the executive management and board. Clear policies and procedures, effective communication, along with recognition and disciplinary measures, will help set the expectations for individual employee behavior in the workplace and encourage a compliant mindset.
MetricStream offers a comprehensive suite of products and solutions to help organizations streamline and simplify both regulatory and corporate compliance. The products address multiple aspects of the compliance function, including a centralized library of compliance obligations, compliance assessments, as well as policy management, regulatory change management, regulatory engagement management, and case management. With automated workflows, analytics, and dynamic dashboards, MetricStream products and solutions deliver real-time visibility into the compliance posture of the organization.
Jump to Topic
Related Resources
Blogs
UK SOX is here. What do you need to do about it?
- Compliance Management
- 24 May 21
10 min read
Introduction
The UK SOX is here and as an organization, you may already have done all you need to ensure compliance, or you may be in the midst of it, or contemplating it. No matter which stage your organization may be at, it’s important to understand the legislation, its necessity, and how you can ensure you are on the right side of it.
What You Should Know About SOX
To understand the UK SOX, you must know more about its origin. The Sarbanes–Oxley Act of 2002, commonly called Sarbanes–Oxley or SOX is a United States federal law that put in place new, and in some cases, more elaborate requirements that company boards (public), their management, and their accounting firms needed to adhere to. Some parts of the Act are also applicable to private companies like deliberate destruction of evidence to prevent an investigation. The bill with its extensive 11 sections came into force on the back of several corporate and auditing scandals that rocked the business world. With this bill, any public corporation board of directors are held more accountable, are liable to criminal penalties and their companies subject to regulations created by the Securities and Exchange Commission to ensure compliance. These top officials also must attest that their organization’s internal controls are strong enough to enable genuine and definitive financial statements.
For many years now, Financial Reporting Council (FRC) has been working on similar legislation for implementation in the UK. This came at a time when there were loud calls for audit reforms in the country. A mention of the UK SOX was first made by Sir John Kingman in 2018 as a suggested initiative in the recommendations for audit and regulation reform. Sir Donald Brydon recommendations include having the CEO and CRO provide the board of directors with a yearly attestation on the efficacy of the company’s internal financial reporting controls.
Since the US SOX was introduced in the United States, the quality of financial reporting from the corporate world has seen tremendous improvement. There have been some interesting, unexpected plus points too. Key among these is a reinforcement of the control environment, better documentation, hands-on participation by the audit committee, more standardized processes, and a reduction in human error. Introducing the UK SOX will help bring about similar benefits to the country’s booming corporate world.
What UK SOX Mean for UK Companies
To understand this, let’s make a start with which companies will come under the purview of UK SOX. This legislation primarily aims at providing protection to investors and insulating them from corporate fraud. The requirements laid down are strict and ensure better financial disclosure, stronger assessment of internal controls, corporate governance, and complete auditor independence. UK SOX requires that any organization trading on the Financial Times Stock
Exchange (FTSE) be SOX-compliant. Besides such organizations, if your company comes under the following, it is time to initiate SOX programs:
- Planning to go public
- Have been asked by internal stakeholders or by your external auditors to focus on the improvement of controls
- Have uncovered deficiencies in your system and are in the process of creating newer controls to fix them.
- Want to create a sustainable, long-term control monitoring system that can be continuously applied.
- Are looking to explore automation to drive down costs of handling a complex business system.
Once you understand how your company is positioned vis-à-vis UK SOX, here is a look at the kind of changes you can anticipate when getting compliant with the regulation. Several existing internal control measures will see some changes. For example:
Annual Effectiveness Reviews Will Become More Prescriptive: Currently, reporting the efficacy of risk management and related internal control systems are governed by the UK Corporate Governance Code for public companies and the Wates Corporate Governance Principles for large, private ones. Both necessitate that committees and boards conduct an annual review of how effective their controls are and include this in the annual reports that are made. Wates Principles make it compulsory to establish a monitoring and review process along with an internal controls set-up. There is no uniformity in the kind and the expanse of the procedures to support annual reviews and very rarely is operative effectiveness documented. The UK SOX will necessitate a change in this.
Internal Audit Committees will Look to Businesses for Enhanced Support: Boards and audit-related committees are going to need a great deal of information to ensure that their yearly internal control efficacy review is documented and established. Internal audit teams will be deeply involved in the compliance and implementation of UK SOX. They will, however, have to maintain their independence while doing so. You will find that they will increasingly initiate conversations around how the business can improve its controls. These are some of the key questions you can expect:
- Is there a company-wide internal control framework in place and is it a part of the working culture?
- What are the current support systems in place to ensure accuracy in the annual review?
- What are the gaps, if any in the current processes – possibly related to treasury, tax, or any consolidation activities related to non-payroll and contractual services?
- What are the IT controls in place for crucial financial systems?
- Where should efforts around possible risks be prioritized?
Such internal audits apply risk and control skills to help any business create a definitive framework to assess current statuses and possible areas of improvement. Some other changes that you can anticipate include:
- Creating a separate Internal Controls Statement that will need to be attested formally by both the CEO and CFO.
- The inclusion of broader entity controls that may so far not been included in the ambit of the assessment.
- An assessment of control exceptions and the addition of their evaluation being required by external auditors.
For a better understanding of what to expect, looking into the learnings from the US-SOX implementation can help. Here are some to consider.
A Dry Run Time of One Year: It can take up to a year to narrow down the scope, the design and be able to implement and train all your teams. Embedding these controls in your organization and ensuring their seamless functioning can take another year. If you are looking to be compliant with the UK SOX, then ensure you have at least a year to be able to implement a dry run to spot errors and fix them.
Lead from the Top: For compliance to become a part of the working culture of your organization, it is essential the management lead from the top down. This will ensure that you have an effective controls framework in place. Every employee should be trained and held accountable in the operation of controls to make them effective. Such training will also help spot defects that can be rectified. Engagement with compliance is best implemented as part of your employees’ job descriptions.
IT Remains an Integral Part of Framework: In the bid to ensure compliance with financial controls, it is often easy to forget how dependent you are on IT controls and a range of outsourced services. Work to identify central IT controls and/or those managed by third-party service providers to critical to a smooth functioning financial control system. The accountability for this must be set up by your organization.
Best Practices to Consider:
- Starting early will give you the advantage of having the time to iron out any deficiencies and ensure your process is seamless.
- Do not underestimate how much effort and investment is going to be needed to comply with UK SOX. It is multiple years, multi-million-pound effort.
- Work on getting the C-suite and the key business partners involved in spreading the word and implementing processes to get their teams on board.
- Work with what you have and build upon it. Using your existing content and compliance solutions to develop, upgrade, automate and re-populate the program is a great way to work.
Program Structure to Get UK SOX Compliant
Now that you understand what UK SOX means for your company, here is a look at the basic foundations that make up a SOX program. Here is what you will need to do:
You Need Not One, But Two Steering Committees: You will need to bring into place two SOX committees – one related to business processes and the other one for IT. Together these two committees can provide technical supervisory insights, be able to work on executive buy-in, and ensure the rest of the company is on board too. The steering committees will be able to create protocols and ensure frequent testing in year one. This is inclusive of double rounds of testing, time for management assessment of the program, and making way for corrections.
Educate the Team, Division-Wise: You must connect with and educate all the business teams that comprise your organization, and those over which UK SOX will have a direct impact. This is inclusive of the C-suite level executives. Help them understand its relevance, the parts they play in the process, and the impact on the department. Provide them with sample documentation and an explanation of the responsibilities they have and how to set benchmarks for successful implementation.
Flesh out the Process: Work on a detailed plan. No element is too small. Start with risk assessment and list out every process and system associated with it. Go through every process put down on paper to ensure that it still does what it is supposed to do. This will help validate continuing its use. At every stage, clearly define the process and who holds the responsibility for a particular control. Ensure that they know it and also are clear on what is expected of them.
In the process of building your own SOX program, you will pass through multiple stages of maturity. It will finally culminate in a situation where you will move from manual to automated processes to be able to ascertain control efficacy. Implementing any financial controls framework is spread over 18-24 months at least. Identifying key workstreams and the associated activities is the path to improving controls improvement and getting ahead on the compliance track. All the preparations you do in advance will establish crucial governance-based improvements and efficiency, irrespective of compliance with the UK SOX mandate.
Here are some key workstreams you can concentrate on:
A Clear Vision for Your Compliance Program: The idea behind any good quality compliance program is to ensure that it is quality-driven and cost-effective. Having a clear vision of what it should entail is key. It should have a clear purpose and vision, based on which an operating model is created, and the benefits accrued are what help in achieving the success you are aiming at. This is what your UK SOX compliance model will need.
A Formal Structure: Companies that have a formal structure in place, with qualified and aware stakeholders, well-defined roles and responsibilities across all teams, and strong management taking overall ownership will help a business get compliant and grow.
Putting Together Trained Resources: Companies need to assess their human resources and understand who fits into the necessary roles for compliance models. In some cases, existing resources may not be trained enough, and this will need to happen. In other cases, you may need to recruit new forces or bring in specialized expertise when required. Understanding where you lack resources is essential.
Top-down View of Risk Factors: To be able to arrive at a starting point for your compliance program, you need to have a top view of all the risks possible at multiple stages. This could be with your financial statement line items (FSLIs) or could be in one of the end-to-end business processes you have in place. This comprehensive view will give you the clarity needed on every process and related control.
Investment in Technology: Early in the game, you will need to invest in the right technology to help monitor all controls and related environments. This will help in the testing of controls as well, which in the long term can assure you of having transparent processes in place, bringing down the cost of compliance.
The UK SOX may seem like a massive undertaking, which in many ways it is. But its positive impact needs to be reiterated.
- Everyday operations will be guided by a strong set of well-defined controls.
- Manual tasks can be automated reducing time spent on an activity.
- Teams can be directed to focus on high-risk aspects of the business.
- Financial statements will always have high levels of consistency and accuracy.
- Auditing documentation can be made available in a minimum time.
- Financial operations and their smooth flow can be assessed at any moment.
- A close to real-time understanding of the financial health of a company. Its operational efficacy too.
There are some negatives such as an increased need for technology and people, which could lead to a rise in costs. Some tasks will take a longer time to complete to meet all compliance requirements. Additional paperwork is now going to be a part of the process. However, these outweigh the benefits that your company stands to gain.
Jump to Topic
Related Resources
Blogs
MetricStream and Thomson Reuters Partner to Simplify Regulatory Compliance Challenges
- Compliance Management
- 06 May 21
1 min read
Introduction
Did you know that there are more than 56,000 regulatory alerts produced every year from more than 1,000 regulatory bodies across the globe? This averages to 200+ updates every day.
The MetricStream Compliance Management offerings brings together regulations, processes, controls, risks, policies and cases in a central point of reference, so that customers have the visibility to effectively manage and monitor compliance.
Organizations need to be constantly updated about ever-changing regulations in order to be compliant. To facilitate this, MetricStream recently partnered with Thomson Reuters to help financial institutions and other heavily regulated businesses gain agility while simplifying their compliance challenges. The Thomson Reuters Regulatory Intelligence content will now be integrated with MetricStream Regulatory Change Management product.
For many organizations, the chaos of compliance acts like an anchor because of an unyielding array of new and constantly changing regulatory requirements, stemming from hundreds of disparate regulatory bodies, many organizations must manage hundreds of compliance changes per day. With MetricStream and Thomson Reuters working together, our customers will be able to consistently, quickly and effectively stay on top of regulatory change and manage its impact on the business.
Advantages for customers –
- With enhanced, agile and intelligent content libraries, customers will gain an easy to use solution to manage the complexities of compliance.
- Compliance professionals will get access to regulatory developments from over 1,000 supervisory bodies and more than 2,500 collections of regulatory and legislative materials.
- Compliance teams can subscribe to and leverage regulatory and risk intelligence content directly within MetricStream Regulatory Change Management to assess the impact of the regulatory changes on related policies, processes and controls.
Access to these alerts will enhance visibility and enable organizations to take better risk-aware business decisions.
Jump to Topic
Related Resources
Blogs
VerSanG – New German Law to Strengthen Business Integrity
- Compliance Management
- 22 April 21
5 min read
Introduction
COVID-19 pandemic notwithstanding, German legislative authorities are introducing a new law, touted to be more efficient than earlier versions, in handling white-collar crime. Detailed discussions spanning five years led to the draft bill titled Gesetz zur Stärkung der Integrität in der Wirtschaft (Law to Strengthen Integrity in Business). With a bid for approval that began in 2020, the government is looking at its implementation in two years.
What is the new regulation and how does it differ from the current law?
Currently all German white collar crimes are examined under the Gesetz über Ordundgswidrigkeiten (OWiG). However, this law has always examined white collar crime from an administrative viewpoint. Investigations are based on discretionary principles rather than on legality. This means that the concerned administrative authority is not obligated to initiate any legal proceedings if there is a law violation. Sanctions are limited to paltry fines, not commensurate with the fallout of large fraud cases. Additionally, the current law is also not applicable to frauds committed by German companies abroad.
With the introduction of VerSanG:
- Violations will now be titled as corporate offences as against the earlier corporate criminal offence. Exclusions will be offences against the corporation from within – such as embezzlement.
- The new law will be applicable only to those corporations with economic business operations. Among sanctions, dissolution of corporations is no longer an option.
- As opposed to the earlier provisions, an internal investigation will now result in monetary sanctions being reduced by half.
- Any corporation conviction will be made public.
VerSanG will be implemented to achieve the following objectives:
- To eliminate the principle of discretion and bring in the principle of legality. Prosecutors will now be obligated to initiate investigations based on the principle of legality. This will have to be done when it is established that legal limits have been crossed.
- Varied approaches to sanctions will come into force. A range of sanctions can be imposed and fines payable will go up. The court may also choose to warn and place a company under monitoring to ensure it can manage ideal compliance management systems (CMS). Monetary sanctions can be as high as 10 million euros for intentional offences; 5 million euros for negligent offences. Companies with average turnovers of more than 100 million euros will have to pay up to 10 percent of their average turnovers for intentional offences or 5 percent for negligent offences.
- Providing several incentives to companies to encourage efficient and precise CMS. This will bring down the number of corporate crimes that are committed or eliminate them completely. The objective is to get CMS to be preventive and where needed, repressive. An example – a company being investigated may be able to gain some benefit by showing their utmost cooperation with prosecutors.
- Crimes committed internationally will now be brought under the purview of the act’s sanctions, based on specific conditions.
There are Some Red Flags Though…
As with every bill, there are some red flags that have been raised by the committee looking into the bill in the Federal Assembly. The concerns raised can be summarised as below:
- In its current form, the VerSanG says that associations are required to meet specific compliance measures to stave off specific deeds. But, these measures have not been defined, leading to a non-transparent policy that can be problematic.
- The VerSanG excludes external advisors from defence proceedings if they are part of the internal investigation. This, the committee believes, will affect the association’s standing negatively and will increase the legal costs of the company.
- The move to calculate financial sanctions based on international company revenues prior to conviction has come under heavy criticism. The committee feels that the sanctions may be disproportionate to its current financial capabilities.
- There is opposition to the fact that the VerSanG looks at time of conviction rather than that of offense. This, combined with the financial sanctions imposed can have dire consequences on mergers and acquisitions transactions. It would also require complex examination of historical criminal liability risks.
What Should Companies Do Now?
Once the draft bill is published, it will take two more years before it is implemented. That is, after the two year period, it will come into force from the first day of the next quarter. This gives companies enough of time to ensure they are compliant with the new regulations.
Here is what companies will need to do:
- Legal and compliance departments of businesses will have to familiarise themselves with the new provisions of the law. While most of the provisions are applicable only in the case of a misconduct, the legal department will need to know what compliance regulations have to be in place, if the company is investigated internally. This will help provide full cooperation to any investigating authority.
- Besides ensuring the appropriate conduct when necessary, companies will have to test the efficacy of their current compliance programs. Considering how sanctions are much higher than they were, having a robust compliance program can prove invaluable in protecting the company from such sanctions. Ensuring that the documentation of these compliance programs is in place, is critical.
- To ensure compliance with the new provisions, companies will need to put a range of internal provisions in place to deal with situations of suspected misconduct. The draft bill indicates that larger companies specifically have to create, implement and maintain an internal risk compliance program. Any suspicious activity has to be immediately investigated and the loopholes removed in a systematic manner. The benefit is that all compliance investments currently made and those of the future will ensure better returns.
There is intense work on to ensure that the process to the publication of the VerSanG is done quickly. The two year period before it is brought into force pegs its implementation at the end of 2022 and the beginning of 2023. It is uncertain currently whether the ongoing pandemic may have any effect on these timelines. An explanatory memorandum to this draft act says that the two-year period is to ensure that organizations have the necessary time to implement measures mandated by the courts, agencies of law enforcement as well as the registry authority. Companies can also utilize the time to understand where they are most at risk in terms of compliance. One thing is certain, VerSanG will come into effect with minimal changes expected to the current draft. Being prepared is key.
How MetricStream Can Help
The MetricStream Regulatory Compliance Solution provides a common framework and an integrated approach to meet cross-industry regulations, such as the VerSanG. The solution enables a sustainable and repeatable compliance program with the help of a centralized library of compliance obligations, as well as capabilities for compliance risk management, control testing and certifications, regulatory change management, policy management, regulatory engagement management, and case management.
Jump to Topic
