Clifford May, Integralis: Compliance - Overhead or Business Benefit?
February 2008 by Clifford May, Integralis
The very word "Compliance" strikes dread in many senior management forums. Viewed most often as a pain, necessary evil, or at best a burden on the business, Compliance has become a word most often associated with a sigh of despair. But should this really be the case?
The very reason many senior managers have to be dragged kicking and screaming into the Compliance arena is often the complexity of the subject and fear of the unknown. At the end of the day most senior managers are focused on making money for the business, controlling costs and generating value for the shareholders so they view compliance issues as a distraction. Now that is interesting in itself, particularly the latter two points. Surely controlling costs and generating value for the shareholders should be really good drivers to understand what Compliance can mean to the business?
Part of the problem, and the perception, is the plethora of different compliance issues that appear when the surface of the topic is scratched, e.g. Human Rights, Privacy, Data Protection, Freedom of Information, Taxation, Corporate Governance, Intellectual Property/Copyright, Health & Safety, Fraud & Corruption, Competitive Practice, Anti-trust, Money Laundering, Standards (e.g. ISO/IEC 27001, COBIT, SAS70) and much more. Is it any wonder that senior management would rather avoid getting embroiled in this as much as possible? The problem is that it is their responsibility, and they are accountable for Compliance, so in time many will come to realise that they have no choice, and even that Compliance can provide real benefits to the business.
How can this ever happen? Surely the whole Compliance effort costs a fortune and bogs the business down in unnecessary procedure? All many managers see is increasing red-tape, extra costs for controls, new or increasing compliance teams, personal liability and spiraling overheads. But, is this a fair view? Sure there are additional costs to be carried for the compliance efforts, but it could be argued that these are more than balanced by factors such as:
Increased Customer/Shareholder/Partner confidence and trust (avoidance of embarrassing incidents!)
Improved analysis, documentation and efficiency of business processes
Better business resilience
Greater buy-in from management and staff
The de-duplication of control efforts
Faster audits with fewer hold points
Reduced audit costs
Reduced crisis/incident management and remedial action costs
Avoidance of legal or regulatory sanctions or fines
and more ...
It is surprising how the very attempt to ensure Compliance can often become a catalyst for change. As a business grows, the development and documentation of sound business processes often falls by the wayside and greater reliance is placed upon staff knowledge and expertise. This can work for a while, but we live in an ever-changing world where the pace of life is increasing daily, and a lack of sound business practice will mean trouble in the future. It only takes a key member of staff to leave, or, say, a disgruntled member of staff to ‘throw a spanner in the works’, and serious repercussions can ripple throughout the business. Yes, we all know we should write procedures so that someone can take over if the worst should happen; but the ‘instant’ nature of the working environment today (e.g. the Internet, email, instant messaging, mobile connectivity) makes that very unlikely. We just do what we do!
This is where Compliance brings back some sanity to the workplace. An auditor is not satisfied by ‘hearsay’ evidence that a key business process is operating in line with legal or regulatory requirements - they want cold, hard documentary evidence! The Compliance drive has a tendency therefore to underline the need for key controls, procedures and evidence, and to ensure that adequate funding is committed to their maintenance.
What is often missed is the opportunity to develop one management system to control all aspects of compliance, regardless of law, regulation or standard. Many organisations still approach Compliance from a piecemeal angle - HR do their bit, IT do their bit, Legal do their bit, etc. It is also common to see organisations creating separate teams, tasked with compliance to a particular piece of legislation. This is, at best, unwieldy, inefficient and expensive; a practice to be avoided. This can be due to the ‘siloed’ nature of many organisations, internal politics, expertise issues, or just plain stubbornness to get involved. The problem is that Compliance issues usually cut right across the business, and a very strong lead is needed for any team that is going to co-ordinate all issues company wide. A competent Compliance team can build one management system that will provide co-ordination of the compliance effort, one repository and source of information for audit trails and associated evidence. This avoids the ‘empire building’ that often happens when, say, a new piece of legislation comes along, containing and potentially reducing costs.
So ‘Overhead or Business Benefit’? Much depends on your viewpoint and the type of organisation you work for. Finance, Banking and Insurance are heavily regulated, and accept Compliance as just part of daily business, whereas for, say, a manufacturing business, this is all just a cost they would prefer not to have. Hopefully this will change in time, legislation may become simpler and easier to understand (eh .. possibly..), business practices and management systems will improve, and many will see how the Compliance effort can bring real dividends.