Compliance is a growing challenge. 48 percent of companies saw their regulatory teams grow in 2017 and 75 percent foresee the need to focus more on managing regulatory risk, according to a Thomson Reuters poll.
Financial institutions are spending upwards of US$270 billion a year on compliance-related costs. Most senior staff expect compliance costs to double over the next five years.
“GRC [governance, risk and compliance] has become a bigger burden for companies,” said Riaan Bekker from thryve, a provider of risk management platform solutions. “Some regulations change as our world creates new demands. The upcoming sugar tax is an example of that. Others are responses to disasters… the regulations following the 2008 financial meltdown. There is also a lot more focus on value chain standards and compliance, which helps improve overall business performance. Then there is the world of data. That’s driving a whole new level of future regulations.”
Yet many companies still don’t see the link between compliance and risk management, as well as governance and assurance. All four tie to control: governance helps direct an organisation and control the environment through managing processes.
Risk tackles any uncertainties around an organisation’s objectives. Compliance asserts control over internal and external requirements, driven by standards and legislation. Assurance is where the organisation learns through independent assessment if it has effective control.
But these relationships are often overlooked, said Johan Botha, MD of Analytix, a GRC consultancy and training firm: “Risk and compliance are often seen as two separate silos. Controls are often implemented by managers without linking the control with a specific risk.”
Reducing the compliance burden
Compliance activities can and should leverage risk information. It starts with creating a GRC-related programme with a framework that allocates roles and responsibilities, coupled with training and awareness elements.
Step two is deploying the right technology, creating value on several layers: it can gather and display risk-related data, feeding into strategic conversations. GRC application platforms simplify GRC support and management by keeping key records of processes, policies, control objectives and risks. It also benefits operations through monitoring, transaction analysis and segregation of duties, to name a few. The right risk management platform helps companies build single versions of the truth, using risk to create a solid view of operations and obligations.
Step three is proactive leadership, which reinforces the will and culture required to make all of the above stick. It also helps the leadership engage both short-term and long-term views, said Botha:
“By adopting a holistic and integrated approach to risk management, organisations can stay on top of short- and long-term strategy. Short-term strategy benefits from managing risk in day-to-day decision-making, while the long-term view is addressed by integrating execution risk to strategy and business objectives.”
Compliance sits close to risk, so it stands to reason that by improving a company’s risk view, it becomes better equipped to deal with compliance demands. Since the risk feeds into strategic conversations, compliance also becomes a useful method of improving strategy. A lot of compliance is built on standards and best practice, so it has strategic intent in its DNA. What it needs is the right representation at the business table. Modern integrated risk practices helps bring compliance into that strategic sphere.
“Everything in a business is interconnected,” said Bekker. “Those who understand the relationship between GRC, compliance and strategy are the businesses that do well in this environment. The rules haven’t changed. These relationships have always been important. But today it’s possible to bring them together in ways that benefit a business. By using risk, compliance can develop strategic values, which is a language the business understands and appreciates.”