3 Steps to a Compliance Risk Management Approach
Steven Minsky | April 2, 2013
Federal and state regulatory compliance requirements have grown exponentially and touch all operational areas. Compliance has become complex and expensive: there are extensive new regulations, multiple overlapping information sources, and operational impacts that are difficult to identify and track. Financial institutions typically manage compliance workflows manually, which is difficult across multiple branches, interstate operations, and multiple lines of business. As a result, compliance and operational costs are high, compliance requirements and timelines are missed, exam and audit exceptions occur, and liability risk increases.
A risk-based approach to compliance involves identifying the areas of high risk within your organization’s compliance universe and building and prioritizing your compliance monitoring program around those risks. Compliance risk management focuses your organization, and your compliance resources, on the areas most likely to cause concern. This risk-based approach also repositions compliance from a function executed in a vacuum to one that provides real value and reaches into each part of the business, supported by relevant analysis, understanding, and documentation. Risk-based compliance management software will assist you in identifying, managing, monitoring, and reducing the compliance risks key to your business, and will make board and regulatory reporting easier to conduct and maintain with less work.
Below are the 3 steps you can take to implement compliance risk management at your organization:
- Prioritize activities: identify the areas of high risk and consolidate compliance-required risk assessments. Compliance-required risk assessments, using common evaluation criteria, provide a score that quantifies the vulnerability to, and business impact of, non-compliance so that business activities can be prioritized. Knowing what is important makes it easier to decide what to monitor and at what frequency, and to keep the board and regulators informed about the risks that can lead to non-compliance across the enterprise. You can streamline the work involved in these risk assessments with a consolidated assessment framework, because different regulations attempt to mitigate overlapping and redundant risks (e.g. fraud, consumer protection). To do this, create a common risk registry and map the risks in that registry to the applicable compliance requirements and policies, or use risk analysis or regulatory compliance software that has already done this mapping exercise. With a consolidated risk assessment framework, all the separate, siloed, and often redundant risk assessments required by compliance mandates can be covered in a single risk assessment, and the same assessment information can be reorganized and reported by any regulation.
- Make regulatory alerts and updates actionable. Rather than circulating large volumes of highly technical and dense regulatory documents, work towards a clear executive summary that interprets the key action items and identifies what needs to be done, the deadlines for action, the impacted business areas, and those accountable in your organization, including whether board approval is needed for changes in policies. This makes it easier to link compliance to your organization’s internal structure and roles and responsibilities, and promotes understanding of obligations among the key stakeholders. Because the risks related to each regulation have already been assessed, when changes occur the organization can easily prioritize the activities that need resources the most. Moreover, instead of leaving this critical information, such as key dates, forms, impacts, accountability, and procedures, buried in Word documents or emails, make it fields in ERM software so that it is searchable and connected to task activities, with automated workflows, alerts, and updates that are tracked and reported on. This makes communication and interaction, along with monitoring and response, a streamlined exercise that reduces the burden of compliance on business areas.
- Business impact: connect regulations with policies, impacted business processes, and related resources. Internal control procedures are tied to internal policies, so by integrating regulatory changes with the internal policies they affect, it is immediately clear which areas of the business are impacted and what action needs to be taken. Workflow tasks can automatically be routed to the right people in the right business areas, and risk assessments, which are also linked to internal policies, will show which changes are most important and which operational controls need to be updated to remain in compliance. Organizations can no longer maintain a separate set of internal policies for each regulation; instead, they need to maintain a consolidated set of internal policies that can be linked to the multiple regulations each policy satisfies. Organizations that cannot quickly determine which business areas are impacted by regulatory compliance changes, and cannot connect those changes to the people responsible for implementing them within a business process, will continue to be burdened with compliance costs and will suffer a higher risk of non-compliance as a result.
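The three steps above describe one data model: a single risk registry in which each risk is scored once, mapped to every regulation it satisfies and to the internal policies and business areas that control it, and then queried per regulation or per regulatory change. The following is an added illustration of that model, not the author's software or any vendor's ERM product. All regulation names, policy identifiers, owners and scores are constructed sample data, the mapping of risks to regulations is illustrative, and the 1-5 likelihood by 1-5 impact scale and the review-frequency thresholds are assumed conventions.

```python
"""Consolidated compliance risk registry (added illustration, constructed data).

One scored assessment per risk, mapped to the regulations it satisfies and the
policies, business areas and owner that control it, so the same assessment can
be reported by any regulation and a regulatory change can be traced to the
policies and owners that must respond.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: int                   # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int                       # 1 (minor) .. 5 (severe); assumed scale
    regulations: FrozenSet[str]       # mandates this single assessment covers
    policies: FrozenSet[str]          # internal policies controlling the risk
    business_areas: FrozenSet[str]    # where the risk is operationally owned
    owner: str                        # accountable role for remediation

    @property
    def score(self) -> int:
        """Common evaluation criterion: likelihood x impact."""
        return self.likelihood * self.impact


# Constructed sample registry; regulation/policy/owner names are illustrative.
REGISTRY: List[Risk] = [
    Risk("R1", "Customer identity not verified at account opening", 3, 5,
         frozenset({"BSA/AML", "KYC"}), frozenset({"POL-ONB-01"}),
         frozenset({"Retail Deposits"}), "Branch Operations"),
    Risk("R2", "Unauthorized disclosure of customer financial data", 2, 5,
         frozenset({"GLBA", "State Privacy"}), frozenset({"POL-SEC-04", "POL-PRIV-02"}),
         frozenset({"IT", "Retail Deposits"}), "Information Security"),
    Risk("R3", "Required disclosures missing from loan documents", 3, 3,
         frozenset({"TILA", "State Lending"}), frozenset({"POL-LEND-07"}),
         frozenset({"Mortgage Lending"}), "Lending Compliance"),
    Risk("R4", "Suspicious transactions not reported on time", 4, 4,
         frozenset({"BSA/AML"}), frozenset({"POL-AML-02"}),
         frozenset({"Retail Deposits", "Wire Transfers"}), "BSA Officer"),
]


def report_by_regulation(registry: List[Risk], regulation: str) -> List[Risk]:
    """Step 1: reorganize the one assessment by regulation, highest score first."""
    hits = [r for r in registry if regulation in r.regulations]
    return sorted(hits, key=lambda r: (-r.score, r.risk_id))


def monitoring_frequency(risk: Risk) -> str:
    """Step 1: let the score drive how often a risk is monitored (assumed thresholds)."""
    if risk.score >= 15:
        return "monthly"
    if risk.score >= 8:
        return "quarterly"
    return "annually"


def assessment_savings(registry: List[Risk]) -> Tuple[int, int]:
    """Step 1: (siloed assessments a per-regulation approach would need,
    assessments the consolidated registry actually performs)."""
    siloed = sum(len(r.regulations) for r in registry)
    return siloed, len(registry)


def impact_of_change(registry: List[Risk], regulation: str) -> Dict[str, List[str]]:
    """Steps 2 and 3: when one regulation changes, return the policies, business
    areas and owners that must act, with the affected risks already prioritized."""
    hits = report_by_regulation(registry, regulation)
    return {
        "risks": [r.risk_id for r in hits],
        "policies": sorted(set().union(*(r.policies for r in hits))),
        "business_areas": sorted(set().union(*(r.business_areas for r in hits))),
        "owners": sorted({r.owner for r in hits}),
    }


if __name__ == "__main__":
    for risk in report_by_regulation(REGISTRY, "BSA/AML"):
        print(risk.risk_id, risk.score, monitoring_frequency(risk), risk.description)
    print("assessments (siloed, consolidated):", assessment_savings(REGISTRY))
    print("impact of a BSA/AML change:", impact_of_change(REGISTRY, "BSA/AML"))
```

Because each risk carries its regulation mapping, the same four assessments answer both "what does the board need to see for BSA/AML this quarter" and "who has to update which policy when BSA/AML changes", which is the point of consolidating the registry rather than keeping one assessment per mandate.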
Success in compliance risk management begins with designing workflows that connect the relationships between compliance policies and the business processes, resources and regulatory standards. These relationships then need to be used to generate and track tasks when regulatory changes take place.