Defining And Operating Within The Boundaries Of Compliance Through Technology
In most organizations, the compliance team has the responsibility of ensuring conformity to industrial standards, specifications, published policies and rules of law. Organizations undertake these responsibilities to protect their brands, defend their employees, comply with expectations from their customers, and fulfill their legal obligations. Stated differently, Compliance is, in fact, an effort on the part of an organization to operate within stated boundaries set voluntarily, by law, or by contract. Recent developments in technology are helping to transform the compliance space by helping us to solve challenging questions in compliance.
We embrace technology and its ability to provide us with informative data for decision making.
As many people would agree, boundaries are rarely static, and compliance boundaries are, without a scintilla of doubt, unfixed—they shrink, and they expand. Whether an organization’s compliance boundary shrinks in some areas or expands in others, two questions consistently arise, and technology is helping to address both: 1) what are my compliance boundaries (voluntary and mandatory)? And, 2) am I operating as expected within the compliance boundaries?
The answers to these two questions are never set in stone and quite frankly, can never be set in stone because of the inherent problem of conforming to boundary expectations. Compliance boundaries are never static. The boundary questions are even more difficult to answer for larger and multinational organizations. Multinational organizations have to manage their compliance boundaries from local, country, regional and global perspectives, and be able to capture changes and keep the organization and its employees from operating outside of the applicable boundaries.
With the advent of new technologies such as the ability of computer systems to learn from data, identify patterns and make decisions, we are able to put extensible wall around our compliance boundaries, mark the limits of our boundaries at any given point, and measure how we are conforming to the expectations within the defined boundaries.
IDENTIFYING COMPLIANCE BOUNDARIES
From experience, we know it is very difficult to rely on human resources alone to determine what an organization’s compliance boundaries are. The applicable compliance boundaries, whether by operation of law, voluntarily or by contract, must be properly marked and communicated to the organization and its employees so they can conform their actions to the stated boundaries.
Architecture Framework: In fact, advancements in technology has offered us the ability to develop an architecture framework that takes interpretations from legal, compliance and business leaders to build a clear boundary wall. These boundary walls are built through the development and communication of policies, controls, and educational awareness. Without the advancement in recent technologies, it would have been laborious to define and produce a sustainable model that effectively communicates the changing boundaries of compliance. Many of the newer technologies are extensible and help us to build a wall around our known boundary lines, and make adjustments to the wall when the boundaries shrink or expand.
Scaling Up or Down: These extensible technologies can scale up or down, and they serve as walls that help us to mark and communicate our boundaries. The extensible nature of these technologies helps us to manage cost as well as expectations. We can now scan multiple platforms, add new systems to the scope or remove out of scope systems using intelligent technologies, determine gaps, and promptly flag changes.
Automation: We are constantly relying on smart technologies to automate our compliance activities such as control validations, logging, and monitoring of actions to ascertain whether they conformed to the existing boundary walls at the time the actions were performed. With automation, we are now able to monitor compliance and produce informative metrics for decision making.
Integration and Mapping: Technology helps us to integrate policies and standards into business functions, and map compliance requirements to controls for assessments and improvements. We can reduce complex legal and policy requirements into functional workflows, which in turn help us to minimize uncertainties in the compliance space and increase awareness. Employees know the boundary limits in the markets we operate in and can operate within and not outside the boundary walls.
Perhaps, more impactful in the compliance space is our reliance on technology to help address the question of whether the organization is operating as expected within a stated boundary.
OPERATIONAL ACTIVITIES WITHIN THE COMPLIANCE BOUNDARY
Technological advancement is helping leaders to address the second compliance question—am I operating as expected within the boundaries? We are able to effectively manage compliance activities within our identified but changing boundaries through advanced technologies.
Discovery, Monitoring, and Reporting: Advancements in risk management tools are helping business leaders and decision makers to discover, monitor and report risk from within and outside the organization. Some of the technologies rely on signatures and correlation rules to help the compliance team to make decisions. Other more sophisticated technologies utilize natural language processing to learn and take action on some identified threats before they become a risk to the organization. We can do data mapping, control mapping and gap analysis across a wide spectrum of business functional areas and applications through the use of these advanced technologies.
Measure the Effectiveness of Controls: With the help of technology, we can see what our compliance boundaries are and measure the efficacies of the controls. We see areas where our controls are effective and areas where improvements are needed. For instance, we are able to timely and effectively expand our anti-bribery and fraud controls when we enter into new markets, partner with new vendors or acquire a company. Similarly, we can timely push for a control change when our legal basis for processing personal data changes, such as from legitimate business interest to the use of consent.
Empower: L astly, o ne o f t he a reas w e h ave s een s ignificant transformation through technology is our ability to empower employees to speak up when something is out of our compliance boundary. Employees now have user-friendly avenues to report issues for management to address anonymously. We utilize advanced training platforms to help employees to identify red flags, and we incorporate data-centric risk identification tools to measure the effectiveness of our compliance awareness program. In fact, without the advancements in technologies, we would not be seeing the transformations that are happening in the compliance space.
Technology is having a transformational impact in the compliance space. We are now able to define what our compliance boundaries are, build an extensible wall that helps us to see whether our compliance boundaries are shrinking or expanding. We are able to have deep visibility into our compliance activities, document changes, provide measurable visibility, and help decision makers to timely and effectively address the risk to the business and the employees.