Partnering IT and Compliance Teams for Success
We have all heard the often-used quote, “The only thing that is constant is change,” and it holds true as we continue to see changes and new developments in the business sector centered on regulatory compliance. These compliance requirements can be quite daunting for most companies in both cost and resource allocation. With these challenges, companies need to find ways of partnering their Compliance and IT groups, aligning tasks, responsibilities and commitments to find success. The process of getting alignment between these groups can be difficult, as these groups often have competing budgets, goals and strategies. We found this to be true in our environment; however, the alignment process can be successful by embracing proactive leadership, a clear mandate, valid monitoring and aligned incentives.
Looking at the alignment process in stages, a leader first must be identified and they must clearly communicate goals and strategies that will be necessary to obtain the desired outcomes. This position should also be vested with a clear level of seniority and authority. A clear message of building a culture of compliance should be stated and getting buy-in and commitments from both groups will be essential for success. We found that we had barriers that had to be broken down and turf battles that needed to be settled before we could move on. We worked to make this new alignment about being a “win-win” proposition and encouraged everyone’s input into the process with a better definition of responsibilities and ownership. We wanted to be sure there were incentives as well for all those working together, so we were sure to have that factored into each individual’s potential yearly bonus calculation.
Before starting any work, you must identify and record the business owners of each compliance requirement and task. Some of these tasks can have split ownership between personnel or between groups. After ownership identification, focus on leveraging IT resources to successfully implement compliance work while the compliance group focuses on preventing, controlling, and tracking compliance issues. Be sure that all of the compliance requirements have been communicated and that the owner has signed off on identified deliverables. Adopt and implement written policies and procedures that are reasonably designed to prevent the risk of violations and/or fines.
When doing compliance work, IT must be defined as the implementer and business owner whose job it is to carefully follow documented internal policies and procedures when implementing compliance work. The compliance group must be careful to only interpret, communicate and verify what’s needed rather than doing any of the actual work. Be careful to be exact and clear on the distinctions. This can be tricky from time to time, especially if workers have performed tasks of the other group in the past. We found that communication was going to be critical and we needed to communicate in very clear language. This meant that we had to resist using IT or compliance acronyms and language that the other group didn’t understand. During this stage of our process we found that some of our compliance people couldn’t resist doing some of the technical work, since they had previously worked in the IT group. This made boundaries unclear, so we were more specific about job functions. Setting up workgroups that are made up of both compliance and IT personnel is wise and can be used to better coordinate the work.
Tools that automate work and processes are of great value here and should be considered when budgeting. Next, with the great amount of information that is being generated and processed, compliance personnel need to have proper controls in place around areas of risk to help identify and mitigate any compliance gaps. A good amount of time should be focused on properly defining workgroups and making sure there is teamwork and, most importantly, accountability. IT staff should be regularly communicating as to how and why certain work needs to be performed, which will be useful in tracking resource allocation and budgets. Due diligence will be required of all participating parties; as we like to say, “Compliance is everyone’s business”.
Here are the major lessons learned while aligning IT and Compliance groups:
• A clear leader must be identified with a clear vision and the authority to execute a program.
• Identify business owners and accountability for all compliance requirements.
• Focus on communicating a culture of compliance with clearly stated objectives.
• Align work by forming workgroups made up of both IT and Compliance personnel.
• Separate and distinguish tasks as the “implementer” role of IT or the “tracker” role of Compliance.
• Identify points of risk and use controls to mitigate; automate if possible.
There may be many obstacles in partnering your IT and Compliance groups, and it’s never easy. However, taking our lessons learned to heart should save you a great deal of heartache and conflict. This process is not easy, nor is it quick, but in the end, the result should be both a great working relationship between IT and Compliance and a compliance program that you can be proud of.