Discover how recent advancements in Computer Aided Auditing Technology (CAAT) are transforming the way organisations manage their compliance risks.
For too long compliance has been treated as the poor kid on the block, especially at budget time, when its more fashionable cousins finance, quality, security and safety often end up with the lion’s share of funding.
But times change. Driven by increasing public and government scrutiny, expanding regulations and larger non-compliance penalties, compliance is finally receiving the respect it deserves from boards and senior management, albeit often the hard way.
Even small organisations that traditionally haven’t considered themselves highly regulated are starting to appreciate the benefits of good compliance management practice.
Yet, despite this new level of respect, many organisations still find themselves at a crossroads when deciding how best to improve their compliance management capabilities.
One solution is to do what they have done in the past: throw as many resources at the problem as they can afford and hope it’s enough. Unsurprisingly, this scatter-gun approach rarely delivers the best result. Nor is it sustainable, even for larger organisations.
A more effective and efficient solution is to move away from the traditional one-size-fits-all approach to compliance management and adopt a new risk-based paradigm, one which focuses an organisation’s limited compliance resources where they are most needed, i.e. its areas of highest risk.
Unfortunately, despite its proven benefits, the take-up of risk-based compliance management has been slower than expected, a situation often attributed to the difficulty of reliably assessing compliance risks organisation-wide. But recent advancements in Computer Aided Auditing Technology (CAAT) are starting to change people’s perceptions about what is possible.
There are now CAAT solutions that can accurately assess, benchmark and help control an organisation’s compliance risks within acceptable limits (its risk appetite), paving the way for a major paradigm shift in how organisations perceive and manage their compliance performance.
The following template outlines 6 key steps organisations should consider when planning a transition to risk-based compliance management, with and without the assistance of a smart CAAT solution.
Step 1: Risk-based compliance thinking
At the centre of risk-based compliance thinking sits the understanding that some non-compliances pose a greater threat to an organisation’s goals and objectives than others, and that some areas of an organisation are likely to produce more non-compliances than others.
Introducing a risk-based compliance management system to your organisation starts by carrying out a risk assessment on each of the systems, processes, groups and third-parties that play a role in its compliance performance.
Use a risk matrix similar to that below to assign each area a risk rating (High, Medium, Low) based on the worst-case consequence of any non-compliances it generates and their frequency. Where possible, base your risk assessment on historic compliance data to improve accuracy.
Example: Compliance Risk Assessment Matrix
Next, use each area’s risk rating to determine its future auditing rigor (sample size and frequency), i.e. the higher the risk, the higher its auditing rigor. Make sure to update and refine each risk assessment after each audit.
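The Step 1 procedure (consequence × frequency → rating → auditing rigor, refined after each audit from historic data) as an added example, not code from the article or from any CAAT product. The scales, score cut-offs, sample sizes and audit intervals are assumed for illustration; the article's own matrix is not reproduced here.

```python
from typing import Tuple
from dataclasses import dataclass

# Assumed 4x4 matrix scales (hypothetical; substitute your organisation's own matrix).
CONSEQUENCE = {"minor": 1, "moderate": 2, "major": 3, "severe": 4}
FREQUENCY = {"rare": 1, "occasional": 2, "frequent": 3, "constant": 4}

# Assumed auditing rigor per rating: (sample size per audit, days between audits).
AUDIT_RIGOR = {"High": (40, 30), "Medium": (15, 90), "Low": (5, 365)}


def risk_rating(consequence: str, frequency: str) -> str:
    """Worst-case consequence x frequency -> High/Medium/Low (assumed score cut-offs)."""
    score = CONSEQUENCE[consequence] * FREQUENCY[frequency]
    if score >= 9:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def frequency_band(non_compliances: int, items_checked: int) -> str:
    """Map the historic non-compliance rate from past audits to a frequency band (assumed thresholds)."""
    if items_checked == 0:
        return "occasional"  # no history yet: start mid-scale rather than assuming "rare"
    rate = non_compliances / items_checked
    if rate >= 0.20:
        return "constant"
    if rate >= 0.10:
        return "frequent"
    if rate >= 0.02:
        return "occasional"
    return "rare"


@dataclass
class Area:
    name: str
    worst_case: str            # worst-case consequence of a non-compliance in this area
    non_compliances: int = 0   # cumulative findings from audits to date
    items_checked: int = 0     # cumulative sample items audited to date

    def rating(self) -> str:
        return risk_rating(self.worst_case, frequency_band(self.non_compliances, self.items_checked))

    def audit_plan(self) -> Tuple[int, int]:
        return AUDIT_RIGOR[self.rating()]

    def record_audit(self, findings: int, sample_size: int) -> str:
        """Fold an audit's outcome back into the area's history and return the refined rating."""
        self.non_compliances += findings
        self.items_checked += sample_size
        return self.rating()
```

An area with no audit history is scored mid-scale and its first audit then drives the rating up or down, so the sample size and interval follow the evidence rather than a fixed schedule.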
Step 2: Get leadership onboard
Having got your head around how risk-based compliance management works, you now need to get leadership onboard. Start by making at least one senior manager responsible for your organisation’s compliance management system and for reporting compliance risks to the governing body.
Part of this person’s role will also be to champion risk-based thinking organisation-wide. They must also have the authority to enforce compliance rules and to hold managers, employees and third parties at all levels accountable for their compliance performance.
Step 3: Document your compliance strategy
Next, produce a documented compliance strategy which describes i) how the organisation will address relevant regulations and standards from an operational perspective, ii) how it will identify and correct existing compliance gaps, iii) how overall compliance performance will be measured, and iv) how compliance risks will be mitigated.
When drafting your compliance strategy, make sure that business managers and third parties are made responsible for their compliance performance by linking their assessed compliance performance to their remuneration, i.e. incentives and penalties.
Step 4: Provide sufficient funding
Your compliance management strategy won’t implement itself. Accordingly, you need to make sure sufficient ongoing funding is provided for your strategy’s implementation, operation and regular revision.
There should be at least one person responsible for managing your organisation’s day-to-day compliance management operations. This could be the person who reports to the governing body, or someone else.
Also make sure your compliance management system receives adequate funding to invest in suitable compliance management technology, including training managers and employees in its use.
Step 5: Invest in technology
As outlined above, there are now smart CAAT solutions available that can remove most of the hard work and subjectivity normally associated with assessing, reporting and controlling your organisation’s compliance performance within acceptable limits (its risk appetite).
Some of these CAAT solutions are also capable of automatically determining the optimal level of compliance auditing applied to each area of your organisation based on its assessed risk, and of ensuring that your organisation’s response to audit outcomes is always proportionate to that risk. This effectively transforms your organisation’s compliance auditing processes into a highly reliable risk-based compliance management system.
Investing in a suitable CAAT solution can help minimise the compliance costs for low-risk systems and processes, while high-risk systems and processes may be subject to more scrutiny, with the additional cost offset by improved compliance outcomes.
Step 6: Continuous improvement
When selecting a suitable CAAT solution, make sure it’s capable of producing timely, easy-to-understand compliance reports that support compliance mitigation and improvement decision-making. Also, make sure it’s capable of recording and tracking decision-making details for future reference.
It is also important to ensure that the person or persons operating your compliance management program have direct access to the company’s governing body at all times, including senior management and, if necessary, the board of directors.
Benefits of risk-based compliance management
In summary, transitioning to a risk-based compliance management system can deliver your organisation a range of benefits, including:
Lower compliance risks
A risk-based compliance management system will help lower your organisation’s compliance risks by ensuring its limited monitoring and improvement resources are always focused on its areas of highest risk exposure, thereby increasing its chances of identifying and mitigating unacceptable compliance risks before they can adversely impact its goals and objectives.
Lower compliance costs
A shift to risk-based compliance management, supported by a suitable smart CAAT solution, can help reduce your organisation’s costs by removing the significant amount of time and effort normally spent analysing and reporting compliance levels and supporting evidence to internal and external stakeholders, including regulators and accreditation assessors.
Improved customer reputation
The success of many organisations depends on their public image, and possibly yours too. When an organisation receives regulatory penalties or faces court action, customers can quickly lose trust, followed by a dramatic drop in sales. A risk-based approach to managing your organisation’s compliance performance will help it uphold a positive image and build consumer trust.
History has shown that organisations that can demonstrate consistently high levels of compliance with government regulations, industry standards and customer requirements generally sell more products and services than those that don’t.
Where from here?
Transitioning to a new risk-based compliance management paradigm can deliver significant financial and reputational benefits for your organisation, provided you take some simple steps. Don’t wait until a serious incident occurs before your organisation starts improving its current compliance management capability. Make your brand the trusted brand.