Compliance: A Common Management Framework

Alexis Savkín
4 min read · Jan 23, 2024

As the business environment and regulatory landscape continue to grow in complexity, GRC (Governance, Risk, and Compliance) is anticipated to be a significant trend for the next decade.

With an estimated 400% growth expected by 2031, the demand for automation in compliance is on the rise, as highlighted in our 2024 trends analysis.

Holistic Compliance Management: Implementation Guide and KPI Template. Source: https://bscdesigner.com/compliance-template.htm

In response to the escalating number of standards, regulations, and directives, the need for a common compliance framework that is agnostic to specific regulations but concentrates on general principles and common metrics is evident.

When explaining this idea to our clients, we use the diagram from the ‘Holistic Compliance Management’ article. With the seven steps of the diagram, we align the key stakeholders of compliance into the KPI scorecard, which can later be adapted to the requirements of specific regulations. Below, you’ll find a brief explanation of the steps.

1. Adapt strategies proactively

This is something we can do even before a new regulation is released.

We can project existing trends and driving forces (see PESTEL analysis) onto our business and strategic choices we make today.

Essentially, when faced with all driving forces, we have two options:

— We can respond to regulations reactively, as many automobile manufacturers prioritized Electric Vehicles (EVs) only when the regulator established an expiration date for the sale of internal combustion cars, or

— We can do it proactively, considering the driving force, not waiting for regulatory changes, and focusing on the right strategy, as Tesla did with their EVs.

The choice of strategies is, of course, more complex and constrained by budgets and internal inertia.

In the context of the compliance framework, we are interested in scanning the external environment to provide the board of directors with additional insights into which strategies are expected to be better aligned with foreseeable driving forces and, consequently, future regulations.

2. Identify new regulations

The early detection of new regulations is another responsibility of the compliance office.

With more time for preparation, adaptation to the new regulation will be easier to plan and execute.

Track basic time metrics, such as “time to review the regulation” and “time to develop internal policy.”

While these metrics may seem simplistic, they can add value:

— With these time metrics, we can estimate the complexity of the new regulation and, respectively, decide if we need to hire external consultants or handle it in-house.

— They serve as indicators of internal complexities. Consider the need to implement a new regulation as a stress test for the organization. A long time to implement a simple policy is a sign that some internal mechanics need to be tweaked.

3. Training employees

It’s a good time to review the four levels of Kirkpatrick’s model.

The obvious ‘participation rate, %’ and ‘training completion, %’ are good starting points, but eventually, we need to find out if there is an actual shift in the behavior of the employees, and more importantly, if this shift leads the organization towards its goals — specifically, avoiding non-compliance incidents. Refer to section (5) for the response to this question.

4. Compliance of partners

Most new regulations emphasize two ideas:

— The definition of the stakeholders involved, and

— The need to look outside your organization along the value chain

A chain is only as strong as its weakest link…

Essentially, we need to ensure that our partners (tier 1, tier 2, etc.) are compliant with the new regulation.

Metrics to track: ‘% of partners assessed for compliance’ and ‘Overall partner compliance score’.

5. Simulation of non-compliance

It’s time to stress-test the compliance system. The best approach would be to practice a form of wargaming by simulating some non-compliance scenarios. This is where we are supposed to identify the weak points of the compliance training (3).

This can be as simple as attempting to recover from a backup to simulate cybersecurity threats or randomly selecting regulatory requirements and tasking a red team to find the weak points.

6. External audit

Engaging an external auditor is a proven way to test and certify the compliance system. The organization’s interest lies in providing the auditor access to all involved systems (tracked by ‘percentage of audit coverage’), closing audit findings promptly (quantified by ‘audit findings response time’), and conducting a root-cause analysis for findings that prove challenging to resolve.

7. Align compliance scorecards

By combining the discussed metrics, we can calculate a total compliance score for a specific regulation. Using weighted indicators is one way to avoid gaming the compliance score (ensuring it stays in the green zone by focusing on the low-value metrics).

Once the metrics are integrated into a KPI scorecard, we can combine it with other functional and strategy scorecards, providing decision-makers with the necessary contextual information.
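The point about weighting deserves a concrete illustration. The following Python snippet is an added example, not code from the article or from BSC Designer: it builds a scorecard from the metrics named in the steps above, compares a plain average with a weighted score, and measures how far the two easiest-to-inflate training metrics can move each score. The weights, the traffic-light thresholds and the sample values are all constructed for the illustration and are not the article’s.

```python
"""Weighted compliance score versus plain average (added illustration).

Assumed scale: every indicator is a percentage where higher is better.
Weights, thresholds and sample values below are constructed, not taken
from the article or from any product.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Indicator:
    name: str
    value: float   # 0..100, higher is better
    weight: float  # relative importance (assumed by this example)


def weighted_score(indicators: Iterable[Indicator]) -> float:
    """Weighted mean of indicator values on a 0..100 scale."""
    inds = list(indicators)
    total_weight = sum(i.weight for i in inds)
    if total_weight <= 0:
        raise ValueError("weights must sum to a positive number")
    for i in inds:
        if not 0 <= i.value <= 100:
            raise ValueError(f"{i.name}: value {i.value} is outside 0..100")
    return sum(i.value * i.weight for i in inds) / total_weight


def plain_average(indicators: Iterable[Indicator]) -> float:
    """Unweighted mean: every indicator moves the score by the same amount."""
    inds = list(indicators)
    return sum(i.value for i in inds) / len(inds)


def unweighted(indicators: Iterable[Indicator]) -> List[Indicator]:
    """Same scorecard with every weight set to 1 (for comparison runs)."""
    return [Indicator(i.name, i.value, 1) for i in indicators]


def zone(score: float, green: float = 80.0, yellow: float = 60.0) -> str:
    """Traffic-light zone for a score (thresholds are assumed)."""
    if score >= green:
        return "green"
    if score >= yellow:
        return "yellow"
    return "red"


def max_lift(indicators: Iterable[Indicator], names) -> float:
    """Most points the named indicators can add to the weighted score when
    driven from 0 to 100 while every other indicator stays fixed."""
    inds = list(indicators)
    total_weight = sum(i.weight for i in inds)
    return 100.0 * sum(i.weight for i in inds if i.name in names) / total_weight


# Constructed sample: the two easy training metrics are maxed out while the
# substantive metrics (partners, simulations, audit) are weak.
SCORECARD = [
    Indicator("training_participation_pct", 100, 1),
    Indicator("training_completion_pct", 100, 1),
    Indicator("partners_assessed_pct", 40, 2),
    Indicator("partner_compliance_score", 50, 3),
    Indicator("audit_coverage_pct", 60, 2),
    Indicator("audit_findings_closed_on_time_pct", 50, 3),
    Indicator("noncompliance_simulations_passed_pct", 40, 4),
]
EASY_METRICS = {"training_participation_pct", "training_completion_pct"}

if __name__ == "__main__":
    plain = plain_average(SCORECARD)
    weighted = weighted_score(SCORECARD)
    print(f"plain average : {plain:6.2f} -> {zone(plain)}")
    print(f"weighted score: {weighted:6.2f} -> {zone(weighted)}")
    print(f"max lift from easy metrics, plain   : {max_lift(unweighted(SCORECARD), EASY_METRICS):.2f}")
    print(f"max lift from easy metrics, weighted: {max_lift(SCORECARD, EASY_METRICS):.2f}")
```

With these assumed weights the same scorecard lands in yellow under a plain average but in red under the weighted score, and the two training metrics can shift the plain average by up to about 29 points versus 12.5 points for the weighted score. That gap is the whole argument for weighting: the share of the score that a stakeholder can move by polishing easy indicators is bounded by those indicators’ share of the total weight.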

Impact of Non-Compliance

With some historical data, the compliance office can estimate the impact of potential non-compliance incidents (reputation damage, direct profit loss, regulatory fines). Besides their direct application, these metrics are useful to justify budgets for compliance initiatives.

Non-Compliance Incident

Bad things happen… Our goal is to ensure we learn from mistakes (quantified by ‘incident reoccurrence’ metric) and minimize the impact through fast reaction (incident response time metric).

Compliance Template

The steps of the implementation guide on the compliance template. Source: https://bscdesigner.com/compliance-template.htm

The diagram discussed in the article is automated with the compliance template/canvas available in BSC Designer. You can sign up for a free plan to give it a try and adapt it to your needs.

The Strategy Implementation System is an article on Medium where I connect the dots about strategic planning. For example, how to align the governance and compliance scorecards with the overall strategy.


Alexis Savkín

Helping organizations create and execute better strategies. CEO at BSC Designer, author of the 10 Step KPI System. Visit bscdesigner.com for more articles.