Introduction
After years of dealing with constant regulatory changes and new risks, compliance is entering a new era marked by opportunity and growth. Organizations today leverage their compliance programs to not only build trust and confidence with regulators and avoid compliance fines, but also understand the organizational risks and potential exposures, protect the company’s reputation, and foster a culture of ethics and compliance.
Compliance experts and leaders are increasingly calling for greater collaboration with risk, assurance, and other business functions as stakeholders increasingly lean on compliance to guide them through the regulatory complexities and risks ahead. Strong compliance programs, clearly defined processes, and targeted technological investments will be key to meeting these demands.
As organizations strive to keep up with the demands of a fast-changing regulatory landscape, compliance priorities are also rapidly evolving. New generations of compliance functions will be expected to efficiently manage a wide range of new risks, while enabling the first line of defense to assume greater responsibility for compliance – all this, with limited resources and budgets.
Establishing an effective compliance program is no longer just an option for organizations; it is a necessity. It is incumbent upon Chief Compliance Officers (CCOs) to rethink their compliance strategy to improve agility and efficiency and enforce it with robust training and awareness plans. These efforts will help ensure that the company, its employees, processes, and technology are all aligned and focused on the same goals.
This eBook is intended to guide CCOs in their efforts to re-imagine their compliance programs to make them more future-ready and resilient. It discusses five transformative strategies for building a modern compliance program, the key capabilities that organizations should look for in a compliance solution, and much more.
5 Transformative Strategies for a Modern Compliance Function
- A Risk-Based Approach to Compliance
- Pervasive Compliance
- Empowerment of the First Line
- Integrity and Culture
- Innovative Compliance Technology
1. A Risk-Based Approach to Compliance
To ensure that optimal resources and investments are directed toward the risks and regulations that matter most, organizations need to adopt a risk-based approach to compliance. While all three lines of defense must work together to identify and mitigate risks, the onus is on compliance to identify and manage compliance risks proactively, while also helping the organization avoid potential regulatory or policy violations.
In Thomson Reuters’ Cost of Compliance 2023 Report, respondents identified implementing a demonstrably compliant culture, setting risk appetite, and evaluating the effectiveness of corporate governance arrangements as the top three areas where they expect more compliance involvement over the next 12 months.
2. Pervasive Compliance
Some organizations still have distributed and fragmented programs where each department—be it HR, IT, or quality—develops a different set of compliance processes, taxonomies, and systems. Not only is this approach inefficient, but it also limits visibility into compliance risks due to the lack of consistency and normalization in the reported data.
More mature organizations, by comparison, tend to follow a pervasive approach to compliance – one that standardizes processes, taxonomies, and frameworks for compliance across the enterprise, while at the same time supporting the unique compliance needs of each department. In a pervasive approach, compliance is centrally coordinated but managed in a more autonomous manner at the business unit or department level. Various departments work together, collaborating and sharing compliance information and technology.
When there is no collaboration or integration between different compliance departments—be it policy governance, compliance risk management, regulatory change management, compliance case management, or regulatory reporting—the result is a lot of duplication of effort and data. For example, if the purchasing department assesses a third party for payroll without knowing that the HR function has already performed the same assessment, they could end up wasting valuable time and effort while contributing to data duplication and erroneous insights.
For different teams to collaborate more effectively, it helps to have a common compliance data architecture. That way, instead of struggling with disparate silos of compliance data, teams can leverage a unified data model and taxonomy to consolidate and map all the elements of their compliance universe. They can also share an integrated library of risks, regulations, controls, and objectives where various data elements are mapped to each other in a many-to-many manner.
3. Empowerment of the First Line
Today, the success of a compliance program depends largely on the first line taking more responsibility for compliance and risks in their lines of business. But for the first line to become more risk-aware and to be able to take action, they need the right information and tools. Some banks have embedded contextualized compliance and risk data within trading systems or loan processes to help the first line make better risk-aware business decisions. Other organizations are setting up compliance advisory teams to guide and support the first line in understanding the risk implications of potential transactions.
There are many compliance management tools that can help meet the needs of the first line. For example, a centralized online policy portal can simplify access to the policies that the first line needs to ensure that a potential trade or business decision meets compliance requirements. Through the portal, employees can quickly view all the latest published policies, including new announcements, as well as attestation tasks. They can also request policy exceptions. Meanwhile, a centralized compliance management system can help consolidate all required compliance and control data in one place, so that the first line can better understand their risks, and also be better prepared for audits.
4. Integrity and Culture
Organizations with a strong culture of compliance, ethics, and integrity built into every aspect of their business are likely to face far fewer compliance risks than those that do not prioritize integrity. A strong culture is a core indicator of success, but it is also one of the most difficult objectives to achieve, as it has multiple dimensions and drivers that need to be managed. A positive compliance culture must therefore be built into the DNA of an organization through effective training, communication, and awareness programs.
Recently, one of the largest banks in the world admitted that the lack of a compliant culture was one of the core reasons for repeated breaches and fraud incidents. Their incentive structures were aligned more to growth than to ethics or integrity. Added to that, their business systems were too complicated and disparate to make risk awareness an integral part of the decision-making process.
By contrast, some organizations make it a point to incentivize ethical behavior on the first line. Examples include creating balanced scorecards that integrate metrics around customer complaints and the risks of customer attrition into the calculation of sales incentives, creating policy governance mechanisms that align policy exceptions to reward and recognition programs, etc. Initiatives like these help organizations embed ethical and cultural expectations deep into their processes, thus encouraging compliant behaviors across the enterprise.
According to the Thomson Reuters Institute’s 2023 Risk and Compliance Survey Report, two factors outweighed all others in driving an organization’s confidence in its ability to address compliance risks – first, having a team of knowledgeable personnel equipped with the resources they need to accomplish their job, and second, having a strong company culture with equally strong support from the management.
5. Innovative Compliance Technology
Embracing technology-based solutions for automated workflows is critical for organizations to keep up with the new regulations and frequent regulatory updates, rapidly evolving compliance priorities, and more. In a recent survey conducted by KPMG, 43% of CCOs said that new regulatory requirements are the top compliance challenge.
Organizations should look for the following key capabilities when selecting a compliance solution:
Connected: The solution should support a connected approach to compliance, which enables organizations to gain contextual information by linking foundational compliance elements such as objectives, processes, risks, controls, policies, and regulations. Establishing and understanding these relationships is crucial for impact analysis, for example, tracing the impact of a regulatory change on organizational policies and controls.
Some solutions can integrate with reliable and authoritative regulatory content sources to capture, store, and monitor regulatory changes while keeping organizations updated through automated notifications and alerts. The result is a holistic view of compliance that enables stakeholders to proactively identify issues and areas for improvement.
The integrated approach ensures that everybody involved can access the information they need, whenever they need it, in a secure manner with appropriate authorization and access protocols.
Continuous: The solution should support continuous monitoring capabilities of both the regulatory landscape and the internal control environment such as AI-enabled horizon scanning and regulatory alerts, automated workflows to monitor compliance, case and incident management programs, etc.
According to Thomson Reuters’ annual Cost of Compliance report, 62% of respondents said that they spend between 1 and 7 hours tracking and analyzing regulatory developments in an average week. Organizations can help their compliance teams in their tasks and improve efficiency through tools that continuously scan the regulatory horizon, automatically capture relevant updates, and notify the right personnel.
The solution should also support continuous monitoring of controls to proactively identify and address any gaps or weaknesses. This is paramount for ensuring a foolproof governance, risk, and compliance strategy.
Cognitive: The solution should be enriched with AI/ML capabilities that help organizations improve efficiency, optimize recurring costs, free up the compliance team’s bandwidth for new and more important activities, and proactively address compliance risks that can lead to losses, fines, and reputational damage. From intent-based policy search and actionable insights on the control environment (number of duplicate, orphan, and redundant controls, optimized control test planning, etc.) to intelligent recommendations for issue classification and remediation, cognitive capabilities hold the promise to level up an organization’s compliance program.
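The "common compliance data architecture" of the Pervasive Compliance section, the Connected capability above, and the orphan and duplicate control counts just mentioned all rest on the same structure: a graph in which regulations, policies, controls, and risks are mapped to each other many-to-many. The following Python is an added illustration, not code from the eBook or from MetricStream's product; the element identifiers, the prefix-based typing (REG-, POL-, CTL-, RISK-), and the sample mappings are all constructed for this example. It shows three queries a practitioner would run over such a model: the downstream impact of a regulatory change, controls that no policy or regulation owns (orphans), and controls whose mappings are identical (candidate duplicates).

```python
"""Connected-compliance graph: many-to-many links between regulations,
policies, controls and risks, with impact, orphan and duplicate queries.
Assumed data model; all identifiers and mappings below are constructed."""
from collections import defaultdict, deque

# Directed "governs / is implemented by / mitigates" relations:
# regulation -> policy -> control -> risk. A control may serve several
# policies and several risks, which is the many-to-many mapping in the text.
EDGES = [
    ("REG-GDPR-Art32", "POL-DataSecurity"),
    ("REG-GDPR-Art32", "POL-IncidentResponse"),
    ("REG-SOX-404", "POL-ChangeManagement"),
    ("POL-DataSecurity", "CTL-Encryption"),
    ("POL-DataSecurity", "CTL-DiskEncryption"),   # same mappings as CTL-Encryption
    ("POL-DataSecurity", "CTL-AccessReview"),
    ("POL-IncidentResponse", "CTL-IRPlaybook"),
    ("POL-ChangeManagement", "CTL-AccessReview"),  # shared control across policies
    ("POL-ChangeManagement", "CTL-DeployApproval"),
    ("CTL-Encryption", "RISK-DataBreach"),
    ("CTL-DiskEncryption", "RISK-DataBreach"),
    ("CTL-AccessReview", "RISK-DataBreach"),
    ("CTL-AccessReview", "RISK-InsiderMisuse"),
]

# Control inventory; the last entry is mapped to nothing on purpose.
CONTROLS = {"CTL-Encryption", "CTL-DiskEncryption", "CTL-AccessReview",
            "CTL-IRPlaybook", "CTL-DeployApproval", "CTL-LegacyBackupTapes"}


def build_graph(edges):
    """Forward and reverse adjacency sets for the directed edge list."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for src, dst in edges:
        fwd[src].add(dst)
        rev[dst].add(src)
    return fwd, rev


def impact_of_change(node, edges=EDGES):
    """Every element reachable downstream of `node`, grouped by kind prefix.

    Breadth-first traversal with a visited set, so cyclic mappings terminate."""
    fwd, _ = build_graph(edges)
    seen, queue = set(), deque([node])
    while queue:
        for nxt in fwd[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    grouped = defaultdict(set)
    for n in seen:
        grouped[n.split("-", 1)[0]].add(n)
    return {kind: sorted(names) for kind, names in grouped.items()}


def orphan_controls(controls=CONTROLS, edges=EDGES):
    """Controls with no policy or regulation mapped to them.

    An orphan control is effort nobody can trace to a requirement."""
    _, rev = build_graph(edges)
    return sorted(c for c in controls
                  if not any(p.startswith(("POL-", "REG-")) for p in rev[c]))


def duplicate_controls(controls=CONTROLS, edges=EDGES):
    """Groups of controls whose upstream and downstream mappings are identical,
    i.e. candidates for consolidation. Unmapped controls are excluded; they are
    reported by orphan_controls instead."""
    fwd, rev = build_graph(edges)
    groups = defaultdict(list)
    for c in controls:
        if rev[c] or fwd[c]:
            groups[(frozenset(rev[c]), frozenset(fwd[c]))].append(c)
    return sorted(tuple(sorted(g)) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    for kind, names in impact_of_change("REG-GDPR-Art32").items():
        print(f"{kind}: {', '.join(names)}")
    print("orphans:", orphan_controls())
    print("duplicates:", duplicate_controls())
```

Running the script shows why the text insists on a unified taxonomy: the impact of a change to REG-GDPR-Art32 is answered by a single traversal only because every department registered its policies and controls in one graph with one naming convention. The orphan and duplicate queries are cheap to compute here, and they are a reasonable first check on the "holistic view" a vendor claims: if those numbers cannot be produced from the tool's data model, the mappings are not really connected.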
Cloud: Support for cloud computing is also one of the most sought-after capabilities in software solutions today. According to PwC’s 2023 Cloud Business Survey, 78% of survey respondents said that their organizations had adopted cloud in most or all parts of the business. As compared to on-premises solutions, cloud-based solutions are preferred for their promise to accelerate time to value with faster deployment, support easier and quicker upgrades, integrate with other systems seamlessly, and improve agility, scalability, and performance.
Case Study: Zurich Insurance
Zurich Insurance, a leading, multi-line insurer serving global and local markets, believes in doing the right thing, acting lawfully, and ensuring compliance. Along these lines, the company had a robust compliance team. However, it faced several challenges, including ineffective visibility into compliance due to heavy reliance on spreadsheets, process inefficiencies due to manual, time-consuming workflows and siloed systems, lack of a single, trusted source of data, and growing regulatory supervision, among others.
To address these challenges, Zurich Insurance wanted to modernize and streamline its compliance management processes. Toward that goal, it chose MetricStream’s out-of-the-box solution to manage compliance, policies, and enterprise risk management requirements.
How MetricStream Can Help
MetricStream Compliance Management is a proven end-to-end solution that enables companies to sustain regulatory compliance at significantly lower costs and reduce the risk of non-compliance. It provides timely insights on compliance readiness at each organizational level, enabling organizations to proactively avoid violations and penalties. Automated control assessments enhance compliance efficiency, while also helping to identify and address potential risks in a timely manner.