By Jacques van Wyk, JGL Forensic Services, Member IAFEI Technical Committee
Transparency and compliance are critical to how your business does business.
There’s no doubt that good compliance policies help you meet demanding global compliance and privacy requirements – and avoid fines!
But regulations are constantly changing, the amount of data to track is increasing at exponential levels, and many of the policies companies follow are actually way out of date.
A lot of them, in fact, were written over 10 years ago. Some, significantly longer than that. At that time, we were living in an era of mostly paper content. Storage was simple – it was either held in-house or sent to a vendor. Periodically, it was reviewed and then destroyed. In the decades since then, however, almost everything has changed – except those antediluvian compliance policies.
Most of our work is now done electronically. Content storage has moved on from on-premises only to either hybrid or fully cloud models. The sheer volume of data that companies produce every single day makes any decisions based on manual reviews or a document-by-document assessment impossible.
Combine this with the rapid evolution of privacy legislation and a host of other, ever-changing data governance regulations, and even policies created only a few years ago are probably already well overdue for an update and review.
This continually shifting landscape is a headache for even the most experienced and level-headed CFOs.
Not surprising then, that they frequently feel frustrated by the pressure of having to meet compliance requirements that are different today than they were yesterday – but likely not the same as they will be tomorrow.
It’s also not surprising that CFOs tend to look at compliance as a drain on both company finances and human resources.
Surely there’s a way for CFOs to update their company’s compliance strategies, bring their policies into the digital age and still ensure policies are both consistent and simple?
The best way to do so is to adopt a proactive, instead of reactive, approach to governance. Being proactive makes everyone less reliant on the end user when it comes to making governance decisions. It also avoids inconsistency, missed steps and wrong decisions.
Whenever you have built-in compliance, there’s no longer a burden on users to understand the policies relating to it. They can simply continue to do their jobs, secure in the knowledge that those policies are working away tirelessly in the background. Baking compliance policies into every strategy gives you consistent application across the organization.
The weaponization of compliance
There’s no getting away from the fact that right now compliance seems like a necessary evil. Something we do to make sure all the right boxes are checked so we avoid any punishments. But what if we were to shift our perspective a little, and view compliance as a lever? One that makes operating your business a whole lot easier because it gives you greater visibility into your operational and enterprise risk.
Having a comprehensive risk and compliance framework in place gives your organization a strategic advantage. A well-designed compliance strategy can, when properly planned and precisely executed, become a secret weapon giving you a distinct edge over your less compliant competitors.
Effective compliance risk management in these modern times requires increasingly responsive and predictive processes and monitoring. In order to manage costs while still expanding risk coverage, this needs to be supported by regular policy updates, ongoing training and communication, and high levels of efficiency.
There’s no doubt that a strong, technological underpinning will help compliance functions operate effectively in real time. This helps companies become more agile and effective in their compliance and ethics risk management efforts, and ultimately more productive and competitive as a business.
The threat of fraud
Automating compliance efforts increases enterprise visibility. The more holistic your view of your business, the easier it is for your executives to make decisions that have a decreased likelihood of putting your enterprise at any kind of risk – including fraud.
So many incidents of fraud are either never discovered at all, or only after the fact. And even then, it’s not always possible to recoup any fraudulently disbursed funds from the bank.
Experts estimate companies lose, on average, around 5% of their annual revenue through fraud alone.
Imagine the difference a comprehensive compliance program would make!
But while fraud is a very real – and potentially very expensive – problem, mitigating what we in the industry call catastrophic risk is the function of the most advanced levels of organizational compliance.
Savvy CFOs are often the first to recognize the very real dangers of catastrophic threats, and this is usually more than enough motivation to take responsibility for the implementation of enhanced compliance procedures.
Typically, this includes a companywide compliance framework, including all the technology, processes and people needed to ensure the efficacy of the programme.
Security and compliance
It’s critically important for CFOs to include security in any compliance procedures to safeguard content so only the right people have access to it. However, while this helps to prevent potential leaks of sensitive information, if the controls are too tight, they can actually serve to reduce governance and compliance.
If the system is so slowed by security protocols that it interferes with productivity, for example, users will simply find other ways to work – including using unauthorized systems.
Their intentions are undoubtedly good – if a customer needs something, employees may bypass security measures to make sure the customer gets what they need quickly. And yet this simple, well-meaning act can be devastating.
Nearly 90% of all cyber attacks are the result of human error or behavior. Your compliance policies should address these needs in a secure, easy manner while including the appropriate guardrails.
Is all this expensive? Undoubtedly.
But not nearly as costly as the failure to detect and prevent a breach of your financial system, violation of anticorruption mandates or hacking of your sensitive financial information.
Most CFOs who have implemented these kinds of systems are quick to extol their virtues. They will invariably tell you that not only do they soon pay for themselves in terms of losses prevented, but they also help improve operations, reduce waste and increase controls.