In this, the second in a series of three articles on effectively attaining and maintaining compliance levels, the focus turns to the major considerations when evaluating and selecting commercial compliance management tools from the market.
The process of becoming compliant covers a broad spectrum of activity: understanding processes, designing applicable policies and procedures, positioning and implementing controls, monitoring those controls, gathering evidence, identifying risks and associated issues, initiating and documenting progress of remediation work, understanding dependencies and mitigating circumstances, and determining ‘how done’ you are. Any compliance management solution you choose should be able to address all of these aspects in a single view.
Look for a tool that has the capability to encompass the whole of your business processes, integrate with your environment, facilitate accountability and transparency to your auditors, and scale with your company.
AUTOMATE WORKFLOW & PROCESS
Almost all organizations of size and substance undertaking significant compliance efforts eventually look to automate their efforts. In particular, notifying control owners when it is time to review a control, deliver evidence or take some action in the compliance process is best done automatically, rather than remembered inside someone’s head. That way the compliance manager/officer can monitor the progress of compliance activity in real time rather than having to continually chase with emails and reminders (and listen to a stream of ‘why it can’t be done’).
In the event that non-execution also escalates to the control owner’s manager, then so much the better. This removes personalities from the equation and gives the compliance manager/officer more kudos and authority. The same principle holds true of the depositing of evidence, reports and status information – the more automated the necessary processes are, the easier, quicker and, ultimately, cheaper compliance becomes.
Keeping everyone informed and in-the-loop is critical to running a successful compliance programme. In compliance, as in all other walks of life, if people do not know what you’re doing and the compliance status of your organisation, then they will make up their own answers. If you have gone the distance to select and invest in a great system which will automate much of your work, then take care to ensure that it is a ‘role-based’ system so that you can create users whose sole interest is to see what is going on. This single attribute will save many meetings, status reports, misunderstandings and sleepless nights.
UNDERSTAND WHERE THE FINISH LINE IS
When analysing compliance information, nothing is as important as knowing how close to that elusive finishing line you are. A truly useful system will push this information to you the moment you enter the compliance part of the system. Graphical displays are best because they are easier to absorb quickly and convey rich information at a glance. Context is important too, so make sure that you can drill down and see ‘how done’ all the parts are. If your company is a multi-national you might want to make sure that you can drill down into – and back up from – countries and regions and that your chosen system can cope with the complexity of your global organization. Getting this right is a huge win – you should be able to see the compliance status of your organization as a whole and drill down to the smallest entity – all from the same place (keeping the context at all times).
KEEP THE AUDITORS INFORMED
Not everyone may agree, but it is easier to keep the auditors involved at all times and to be as transparent as possible. The earlier the auditors can see what you are doing, the easier it is for them to plan their activities and to keep engagements short (in turn reducing costs). If you can find a system that gives user access to the auditors on demand, then so much the better. Not only will they get a good feel for the progress and integrity of your own efforts, they will also accumulate a degree of confidence in your level of control that will result in lower audit fees for you.