Future Fitting Operational Compliance

Author: Kevin M. Alvero, CISA, CDPSE, CFE
Date Published: 1 September 2023

At its most basic level, the role of the operational compliance function is to ensure that laws, regulations, policies and industry best practices are followed, thereby safeguarding an enterprise from the adverse consequences of noncompliance (e.g., legal, financial and reputational injury). However, the true role of operational compliance encompasses much more. Compliance permits an enterprise to carry out its mission by ensuring that it is running smoothly, as intended and on a firm foundation. By embracing technology, fostering a positive, forward-looking compliance culture and building a diverse, multiskilled team, leaders in operational compliance can ensure that they are well positioned to handle emerging regulations, work collaboratively with operations teams, and maintain their standing in the enterprise as critical contributors to its success.

Embrace Technology

Technology will continue to be a key enabler of success in operational compliance. Enterprises are faced with both expanding regulations and a growing dependence on digital technology.1 Compliance functions simply cannot keep pace unless they use technology to their advantage. This means developing advanced capabilities in risk analytics and predictive risk intelligence.2

For instance, "embedded predictive analytics enable[s] organizations to predict system health and trigger alerts or to recommend corrective actions, which can help ensure systems are performing as intended."3 It can also help enterprises identify anomalies further upstream and assess their potential impact before they result in a material issue. Working with an in-house IT team, employing a third-party provider, and utilizing prepackaged no-code software tools are all options for compliance functions, depending on the employee skill sets, budgets and access to organizational IT resources. However, it is not simply the power of the tools themselves that results in enhanced value. "Highly paid compliance experts are working on repetitive, manual tasks, lowering the overall team efficiency and morale," notes a 2022 report.4 Offloading such tasks to automated systems enables skilled compliance personnel to focus on more strategic work.

Compliance’s relationship with predictive analytics will not be isolated to its own assurance-related projects. "As more producers recognize the benefits of predictive analytics, this method of improving production processes will no longer be cutting edge," a 3M executive wrote.5 Instead, it will be a basic requirement to keep up with the competition. This suggests a future in which compliance becomes an increasingly collaborative two-way effort, placing more need on compliance personnel to increase their skills and level of comfort with advanced technologies. Meanwhile, it is also important to understand that machine learning (ML) and artificial intelligence (AI) applications are only as effective as the data supporting them. Therefore, it would be wise for compliance leaders to take a critical look at organizational controls related to data quality, security and integrity. These controls are crucial to compliance leaders’ own efforts as well as those of the larger enterprise.

Do Not Wait to Regulate

In December 2022, Sam Bankman-Fried, founder of the multibillion-dollar cryptocurrency exchange FTX, was arrested as he was preparing to testify before the US House of Representatives Committee on Financial Services about why FTX had collapsed and filed for bankruptcy in November 2022. The charges "pulled back the veil on the cryptocurrency exchange’s complete lack of internal controls and toothless risk management procedures."6

The FTX cryptocurrency scandal is a cautionary tale for enterprises operating in emerging fields that lack well-established regulations, even if there is no evidence of deliberate fraud or misconduct. A nascent regulatory environment may indeed represent opportunity, but the operational compliance function must approach this situation with caution because history shows that the regulatory picture will eventually become clearer. The compliance function should help the enterprise understand how well it can (or cannot) tolerate scrutiny under emerging regulations, rather than taking a wait-and-see approach and having to play catch-up later.

As the cofounder and president of MetricStream wrote in 2022:

Beware of the dangers of taking big risks in markets where regulation is still in the early stages. It will be years before regulators can catch up to the disruption happening in rapidly evolving digital spaces like cryptos, gaming and the metaverse. In the meantime, the task of governance falls on the individual, as well as on provider communities that have to come together to grow responsibly.7

For compliance personnel in loosely regulated areas, this means looking beyond existing regulations. In general, regulation increases over time as industries and governments seek new ways to reduce the risk of harm to consumers and the public. Compliance teams must operate under the assumption that new regulations are on the way, work proactively to learn what they might look like and collaborate with operations teams to plot a path toward compliance.

Champion Compliance Culture

Understandably, many operational compliance functions devote a large portion of their time and resources to assessing the enterprise’s current state of compliance with regulations related to its various business processes and utilizing detective controls to identify instances of noncompliance. However, this often overlooks the value of preventive control in the form of compliance culture. Operational compliance teams should be champions of compliance culture, ensuring that compliance is embedded in everyday workflows and supported with regular communication and education.8 In doing so, they must find strategies to deal with the reality that compliance is not an inherently exciting topic. In short, this means making sure that communications related to compliance are positive, forward-looking and focused on the business.

Enterprises often underestimate the need to explain the "whys" behind regulatory compliance, other than warning of the negative outcomes associated with breaking a rule or violating a policy. This can contribute to the perception of compliance personnel as watchdogs who get in the way of production and innovation. Compliance personnel must counteract this attitude by communicating regularly and effectively about the positive benefits of being a compliance-minded enterprise. These benefits include:

  • Enhanced reputation in the marketplace and community (pride)
  • Greater likelihood of fulfilling the organizational mission and achieving goals
  • Ethical, transparent conduct that enhances the workplace for everyone
  • Competitive advantage (Some forms of compliance, such as certification or accreditation, can be differentiators in the marketplace.)

Evaluating historical data and past outcomes will always be part of operational risk management, but compliance functions can greatly improve stakeholders’ engagement by focusing communications on future risk rather than on what went right or wrong in the past. "Globally, a greater number of organizations are trying to make their oprisk management programs more forward-looking."9

Finally, in their reports to and conversations with coworkers on the operations side, compliance personnel should never assume that their colleagues will draw the connection between an identified issue or variance and the potential business impact. Compliance personnel should always relate compliance risk to business risk and should never imply that achieving compliance is an end unto itself. By the same token, the frequency of communication and interaction between operations and compliance personnel is a key indicator of the health of that relationship. When operations personnel perceive that compliance personnel are always trying to understand the business, anticipate problems and collaborate on solutions, they are much more likely to regard the compliance function as an ally as opposed to a necessary evil.

Diversify the Team

The right mix of personnel is essential to an effective operational compliance team. Ideally, this means having people with backgrounds in auditing, accounting, law and compliance frameworks, and those who are experts in the operations side of the enterprise. In addition, employing someone who has worked at a relevant regulatory agency can give the compliance function an insider’s perspective on what regulatory agencies are looking for and how their processes work. One of the key factors regulators take into consideration is whether there is a strong, functional compliance department.10 The compliance function stands a much better chance of interacting effectively with both operations and regulators if it has people who can speak knowledgeably from varying perspectives. Compliance leaders should invest in training and development to continually grow the skill set and raise the profile of compliance personnel, reinforcing their vital position in the enterprise.

Conclusion

One article noted, "Organizations, regulatory bodies, industry watchdogs and consumers have to ensure that they work collaboratively to balance growth and responsibility."11 Indeed, operational compliance teams cannot possibly meet the demands imposed by rapid changes, in their own enterprises and in the regulatory environment, without diverse teams that can work in an integrated and cooperative way. Utilizing technology to increase efficiency can help ensure that critical conversations take place and that compliance teams look beyond the issues of the moment and consider future risk. In doing so, they will solidify their standing as partners in and invaluable contributors to the enterprise’s success.

Endnotes

1 Bryter, How Compliance Can Prevent Risk and Rapidly Respond to Change, USA, 2022, http://d6jxgaftxvagq.cloudfront.net/Uploads/g/p/y/howcompliancecanpreventriskrapidlyrespondtochangebryter_499035.pdf
2 Idnani, N.; "The Future of Operational Risk Management," Deloitte, May 2019, http://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/future-of-operational-risk-management.pdf
3 Ibid.
4 Op cit Bryter
5 Harper, T.; "Predictive Analytics in Manufacturing," MachineDesign, 9 January 2022, http://www.machinedesign.com/sponsored/article/21212399/3m-company-predictive-analytics-in-manufacturing
6 Nicodemus, A.; "Bankman-Fried Fraud Charges Detail FTX’s Lack of Internal Controls, Risk Management Protocols," Compliance Week, 13 December 2022, http://www.complianceweek.com/regulatory-enforcement/bankman-fried-fraud-charges-detail-ftxs-lack-of-internal-controls-risk-management-protocols/32462.article
7 Kapoor, G.; "Three Predictions for the Future of Compliance in a Super-Digital World," Forbes, 21 April 2022, http://www.forbes.com/sites/forbestechcouncil/2022/04/21/three-predictions-for-the-future-of-compliance-in-a-super-digital-world/
8 Thomson Reuters, "A Culture of Compliance," 2016, http://legal.thomsonreuters.com/en/insights/infographics/a-culture-of-compliance
9 Op cit Idnani
10 Thomson Reuters, "Building a Compliance Department," 26 July 2021, http://legal.thomsonreuters.com/en/insights/articles/building-a-compliance-department
11 Op cit Kapoor

KEVIN M. ALVERO | CISA, CDPSE, CFE

Is chief compliance officer at Integral Ad Science. He leads the enterprise’s global compliance program, including regulatory and industry standards compliance.