The 4 Biggest Mistakes in Compliance Management

  • by gcarroll@fasttrackaust.com (Greg Carroll)
  • 03 Jul, 2015
The 4 biggest mistakes are:
  1. Not being Outcome focused
  2. Not using risk-based targeting
  3. Not Value Adding
  4. Not being timely

In a recent article on Auditing Risk Appetite, Norman Marks commented: “What I especially like about the FSB list of questions (and reflected in mine) is that it recognizes that mere compliance with a Framework is an insufficient audit approach; it is critical to assess whether it is current, timely, communicated broadly, and meets the needs of the business.”

Although he was speaking about auditing Risk Appetite, I believe these issues apply equally to Audit and Inspection in general.  A comprehensive checklist of several hundred items, each assessed as complying or not, is neither effective nor beneficial, and only serves to chew up limited Compliance funds from the corporate budget.  If done well, corporate health reports become an eagerly awaited strategy document for boards.


1. Not Outcome focused

Merely auditing the existence of corporate goals and objectives doesn’t make auditing Outcome focused.  The Audit Plan has to be based on the corporate objectives and on an understanding of the opportunities and threats inherent in those objectives.  Any compliance management framework is a comprehensive inventory of compliance items, not a roadmap.  This is where good compliance management software comes in, letting you map your Audit Plan back to the framework to ensure comprehensive coverage, while allowing you to concentrate on Compliance Assurance of the corporate objectives.  When looked at from this perspective, improvement and performance become the aim of compliance, not the systematic enforcement of controls.


2. Not risk-based targeting

Once focused on opportunities and threats, a risk-based approach (see "Does anyone really understand Emerging Risks?") coupled with targeted activities is inevitable.  Risk-based is more than checking for known issues first.  Setting surveillance levels and frequencies based on risk not only produces more results by concentrating on the areas that can produce the greatest returns, it allows for more efficient use of the limited compliance budget resources.

Audit and Inspection are expensive services; in low risk areas they have little benefit, and they are not the only methods of assuring compliance.  Online self-audits with appropriate evidence, or periodic reporting of key indicators, are just as effective, and sometimes more timely, in low risk areas.  Obviously, this needs to be backed by occasional unscheduled audits/inspections.


3. Not Value Adding

Identifying & issuing corrective actions, although necessary, is not value adding in the eyes of the operation staff responsible.  If they saw it as a problem they would have fixed it before being assessed (yes a bad word, but if you’re not value adding that is all it is!).  What can be done to value add?  Well you have the unique opportunity to educate operation management in circumstances where they are likely to listen and act – PRIOR TO THE AUDIT.  Use it. 


Compliance is more than just Audit & Inspection

With a properly developed compliance management system, and not just a pool of Word/Excel documents, you can compile targeted reviews based on areas of importance.  By developing checklists based on objectives and risks, weightings can be allocated to individual questions according to their effect on objectives (see 2 above), which allows assessment of effectiveness, not just compliance.

Previous history, lessons learnt in related fields, and current industry trends should be the purview of the Compliance department, and it is their duty to disseminate these as part of the pre-audit activity.  Finally, in the final report, include business cases for improvements in target areas.  Relating those back to corporate objectives is a good way to garner support for the audit/inspection process from operational management.  In time they will look forward to, and prepare for, the opportunity to press their own objectives.


4. Not being timely

Board/Management review of summary audit findings is both an opportunity for, and an entrenchment of, the value of Compliance Management to the organisation.  Regurgitating conformance information about problems fixed and administrative observations reinforces the negative regulatory role of the compliance department as a necessary overhead.  Releasing regular health reports on the organisation’s progress towards achieving its objectives not only makes compliance reports interesting but also gives the opportunity to push for expanding the department’s capability.


Making Compliance Relevant

The key to this is not just relevance but timeliness.  Knowing the emerging issues at a time when they can be acted on is of benefit to the board.  Knowing, after the fact, what happened last year is not.  This requires moving away from an annual (or periodic) audit/inspection regime to a continuous monitoring approach, backed up by periodic audit/inspection.  Sending out regular, specifically targeted questionnaires for self-assessment, with automated submission and analysis, reduces the overhead and workload of the compliance department while allowing them to adjust the risk targeting and produce timely health reports for management.


Effective Compliance Management

An effective compliance management methodology must not only deliver the right information and training, it must deliver them at the right time, in a consistent and controlled manner.  The information delivered must be accurate and up to date.  And there must be validation that the information has been received and understood, with a complete audit trail.  Automating these processes with best practice Compliance Management software frees up Compliance expertise to perform its true role: monitoring and assisting the organisation in achieving its corporate objectives.

Next Week:  How to Implement Risk Based Audits & Inspections
