It happens all too often to organizations. Because of ineffective compliance management and processes, ranging from a lack of understanding of new regulations to improper oversight by executive management and the board of directors--failings that become clear only in hindsight--a company finds itself the focus of heavy public and media scrutiny resulting from a compliance failure. This could be a data security breach, corruption in a foreign subsidiary, an environmental disaster, financial reporting errors or worse.
Compliance management consists of the organization's policies and processes for adhering to applicable laws and regulations. It requires metrics, measures and monitoring that provide assurance to management and the board that established policies and procedures for fostering compliance and responsible business behavior are performing as intended.
Without effective management of the compliance risks that really matter, the organization is reactive at best and noncompliant at worst.
The Present State of Compliance
For many companies, complex accountabilities for compliance have evolved over time in an ad hoc manner. Often, internal and external pressures result in changes being implemented at such a pace that new policies, procedures and controls are added onto the existing management structure with little or no rationalization of how they interact within the existing compliance framework and business processes.
As these new policies, laws and regulations have evolved, several elements of compliance management common to many companies have emerged. These elements include fragmented control environments, unnecessary and often redundant infrastructures, lack of automation, duplicative requests of process and risk owners, reduced organizational transparency, inefficient communications and high audit costs.
There has, in fact, been an ongoing spiral of change resulting in a number of critical challenges for many companies:
* Absence of a seat at the decision-making table, resulting in a failure to give adequate recognition to compliance considerations when making business decisions, reduced emphasis on compliance in favor of achieving short-term business objectives, and an unclear focus with respect to articulating important control matters;
* Proliferation of operating silos, which drive myriad risk and control activities feeding a high-cost internal control structure and overlapping resource demands in large organizations;
* Gaps and overlaps in ownership of control responsibilities, which drive missing and duplicative internal controls and assurance activities;
* Fragmented, diffused reporting of risk and control data, which leads to a lack of transparency and uninformed decision-making about the control structure; and
* Mismatches with stakeholder...