Compliance professionals have long recognized the value-add that the compliance function can bring to a company, but they never quite had a strategic roadmap for advancing across the maturity curve until now.
At its foundational level, compliance prevents, detects, responds to, and remediates risk. Traditionally, that has entailed meeting basic compliance requirements; having a compliance role in place; conducting risk assessments and training; and utilizing basic data technology capabilities to support compliance reporting.
The question many compliance officers are wrestling with today, however, is how to reach that next stage of maturity—a modernized state that builds upon traditional compliance tasks and begins to add value to the business. “It’s really about taking the compliance function, in general, and making it more proactive and predictive,” says Tom Nicolosi, a principal in Deloitte’s advisory practice.
Deloitte uses the term “compliance modernization” to broadly define the functional transformation that takes place when the compliance program is elevated and becomes aligned with business goals; efficiencies are driven by advanced technologies; compliance-related data is leveraged; and human error is reduced.
Compared to foundational compliance, modernized compliance shares the following characteristics:
Enhanced synergies between the first and second lines of defense to improve efficiencies and rationalize oversight and execution processes;
Defined end-to-end technology architecture for sourcing, aggregation, and analytics of data to enable less reactive and more proactive compliance management;
Compliance role is elevated and pronounced in strategic and business line planning;
A framework is in place to monitor compliance resource allocation; and
A clear compliance vision and strategy is embedded across the company.
Rather than looking in the rearview mirror, Nicolosi explains, focusing on transactional data in search of what went wrong after an incident, a modernized compliance function keeps its sights on the road ahead, driving insight and teaming with the business to enable growth, while mitigating risks.
A modernized compliance program, as defined by Deloitte, takes foundational compliance activities and enhances them in the following ways:
It builds culture, ethics, and appropriate incentives into compliance, and vice versa;
It seeks a more insights-focused, process-oriented talent base and cultivates people across the organization who fit the new normal, rather than merely identifying roles;
Oversight and execution processes are rationalized to drive better coverage and reliance across the three lines of defense and other risk disciplines; and
It adds data analytics into the mix, in addition to people, process, and technology.
In its most advanced stage, the compliance function reaches a state in which it’s contributing value to the company. In this state, the compliance team becomes a strategic advisor that offers predictive insights and greater efficiency by using predictive analytics and process automation.
Many compliance programs still have a long way to go on the maturity curve, however. In a poll conducted by Deloitte of more than 580 business professionals, more than half (55.5 percent) described their current compliance and regulatory efforts as foundational, whereas 18 percent described their current compliance and regulatory efforts as modernized, where compliance uses advanced analytics and has a role in strategic decision-making. Only 11 percent of respondents said they are at the value-creating stage.
Toward compliance modernization. Each company must ultimately decide where on the compliance maturity spectrum it wants to be. At its core, a significant part of evolving from a foundational compliance program toward a modernized compliance program requires the use of advanced analytics to improve risk-detection techniques and build capacity.
Savvy companies are looking at how they can make smarter use of their existing data and reduce administrative practices in favor of a more strategic, rationalized approach. It means doing more with less. “It’s about getting people focused on the things that really matter and less focused on the blocking and tackling stuff,” says Nicole Sandford, a partner in Deloitte’s advisory practice.
Modernized compliance provides an opportunity “to truly get that enterprise-wide view of compliance risks,” Nicolosi says. “It presents an opportunity for you to build more sustainable and reengineered processes, things that get away from manual efforts.”
Many companies, for example, increasingly are considering the use of robotics process automation (RPA), which effectively is the automation of routine tasks and business processes, like sifting through data across various systems. The Institute for Robotic Process Automation (IRPA) defines RPA as “the application of technology that allows employees in a company to configure computer software or a ‘robot’ to capture and interpret existing applications for processing a transaction, manipulating data, triggering responses and communicating with other digital systems.”
Using RPA to perform tedious tasks that typically would take countless human hours allows compliance teams to focus on more strategic, value-creating efforts—such as escalating and remediating issues, performing investigations, and conducting root-cause analysis, Nicolosi says.
COMPLIANCE FUNCTION MATURITY CONTINUUM
Below is a look at the compliance function maturity continuum as defined by Deloitte.
Core compliance requirements and expectations are met;
Basic compliance operating model in place with identified roles and responsibilities;
Methodologies in place to evaluate, remediate, and stabilize the basic compliance structure; traditional requirement inventories, risk assessment and training programs;
Basic data technology capabilities in place to support compliance reporting.
Enhanced synergies between first and second lines of defense (LoD) to improve efficiencies and rationalize oversight and execution processes;
Defined end-to-end technology architecture for sourcing, aggregation, and analytics of compliance data to enable less reactive and more proactive compliance management;
Compliance role is elevated and pronounced in strategic and business line planning;
Framework in place to monitor compliance resource allocation;
Clear compliance vision and strategy embedded across the organization.
Optimized oversight and execution processes, and defined LoD reliance models;
Fully populated, linked, and implemented governance, risk, and compliance technology platform;
Broad usage of predictive analytics and process automation (i.e., robotics) for gained efficiencies;
Proactive talent management/capacity planning and scalable resource deployment;
Alignment of compliance and overall business strategy; value articulated through measurable KRI results (ROI).
Done right, a modernized compliance function can deliver numerous benefits to the company, including:
Meaningful, often predictive, insights, in addition to backward-looking analysis and reports;
Improved efficiency of the compliance function and reduced costs related to it;
Cultivation of a consistent, enterprise-wide ethical culture built into the business;
Better integration of regulatory and compliance concepts into both business strategy and existing processes; and
Reduction in fines, penalties, corrective actions or legal costs due to earlier detection of possible compliance violations.
“The important thing is a willingness to start, to engage in this conversation,” Nicolosi says. To move toward a modernized state of compliance, begin with the “low-hanging fruit,” he says.
A white paper on compliance modernization published by Deloitte lays out some key steps companies can take to evolve their compliance function toward a higher level of maturity and ROI:
Determine the desired modernized state for the compliance program. How should the compliance function align and support the business strategy? What level of rigor is required to execute on the organizational mission, regulatory, and board mandates?
Perform an assessment of the existing compliance program. What execution or oversight activities should be stopped, started, or continued? Review compliance capabilities and the talent model that supports them.
Prioritize areas that need to be addressed. What is centralized versus what is not centralized, and is there an opportunity to optimize what is being done?
Develop and update the overall vision for compliance to align with the desired modernized state. Define more strategically the allocation of resources and time spent on higher value activities.
“Then you can identify where you’d like to focus and where you’d want to start,” Nicolosi says. From there, you can begin to think about how to modernize those areas, such as outsourcing certain activities or implementing advanced analytics.
“A really good way to get started is just to dedicate some time and get all the right people around the table to just start talking about ‘the art of possible,’” Sandford says. “Get some quick wins. Build some momentum. But the main point is to just get started.”