Companies are increasingly turning to technology to keep up with the speedy pace of changes to regulatory requirements.
Not only are companies updating systems to track such changes and new rules, they are also using them to coordinate policy and training and track which employees have undergone training programs or have read and agreed to new policies.
According to the 2013 State of Compliance Survey by and PwC, for example, companies in the U.S. are using technology to aid in training (74 percent), handle document management (57 percent), and conduct employee surveys (52 percent).
That doesn't mean, however, that companies are rushing out to purchase shiny new systems and software. What is surprising, say compliance advisers, is the extent to which compliance departments are able to leverage the tools already in place within their organizations. Compliance is adapting the systems already installed within legal, human resources, finance, and other departments to suit their own needs, says Michelle Nichols, program consultant at The Network, a provider of integrated governance, risk, and compliance solutions.
Successfully using existing technology requires evaluating them from two angles. One is assessing how well the tools can be used by employees, Nichols says. “How easy is it to access and how easy to report, and what is the user workflow going to look like?” As Nichols points out, if the user interface is cumbersome, hard to understand—say, if it's not in the local language—or incompatible with most users' browsers, the system is unlikely to gain traction.
At the same time, the technology needs to provide the compliance department with the information it requires to ensure, for example, that policies are reaching their intended audience and employees are accessing the training materials they need. “It's how easily you can get information back from the system,” Nichols says. That's critical both to manage the programs and to build an audit trail.
One organization that has been able to adapt existing technology for compliance purposes is Realogy Holdings, owner of the Century 21 and Coldwell Banker real estate franchises.
Realogy takes a “federated approach” to compliance, says Dan Berrios, counsel, corporate ethics and compliance. The overarching policies are set at the corporate level and disseminated to the business units, where they're enforced through compliance teams located within the local business units.
Beginning in about 2008, Berrios and his team began reviewing all compliance policies, with an eye toward “increasing the visibility and understanding of the policies and procedures.” While Realogy had a robust compliance structure, it was time to “take it apart brick by brick,” Barrios says, and determine if each policy remained appropriate for the current business model.
“Simply starting to move in a direction on purpose is a huge step forward. Policy, risk, and compliance processes are just that: processes.”
—Mason Karrar,
GRC Strategist, Policy & Compliance,
RSA
Also at this time, the compliance organization looked at ways to tap into the technology systems in place across the company and adapt them to the needs of the compliance department. Compliance worked with IT and communications, and leveraged the learning management and legal document management systems to gain the capabilities it needed to manage compliance programs.
In starting on this process, compliance had three primary goals, Berrios says. One was effectively distributing and communicating policies and procedures. As he notes, it's easy to say that a particular policy exists, but if employees don't know where to find it, the organization has started down the path of having a “paper program,” or one that exists in writing, but isn't truly followed.
In addition, the compliance area wanted to use technology to disseminate training and to distribute any policy updates or changes on a timely basis.
A third goal, Berrios says, was using technology as a means of policy version control and certification. “For some policies, it's not enough to communicate and train; we also want to make sure that a certain population gets a more targeted message,” he says. That is the case, for instance, with the vendor code of ethics. The code needs to be delivered to Realogy's suppliers, who then need to certify that they've read and agreed to the code.
To make all this happen, Berrios' team works with a number of systems from across the company. For instance, the company's human resources system integrates within each employee's HR record the compliance records that originate within Realogy's learning management system, such as training completion and certifications to the code of ethics. This streamlines recordkeeping and can be an aid if a disciplinary issue arises.
In addition, all the firm's compliance policies are accessible to employees via the Realogy corporate intranet.
The compliance department also uses Realogy's legal document management system for the “versioning system of record,” Berrios says. That is, the system records which version of a policy was in place at each point in time. If the compliance department needs to investigate a claim that happened, say, 18 months earlier, it can use the system to determine which version of the relevant policy was in place at that time.
Minimizing Investment
By leveraging many of the tools already in place at Realogy, the compliance department has been able to minimize the investment and risk that would come with implementing a completely new system. More importantly, Berrios and his team have been able to deliver and communicate the company's compliance policies across Realogy's roughly 10,000 employees.
USING TECHNOLOGY
The Compliance Week/PwC 2013 State of Compliance Survey asked respondents: What activities do you most rely on technology to assist with. Answers are below.
*Blue represents overall; green represents U.S.; yellow represents U.K.
Sources: Compliance Week/PwC.
To be sure, they've encountered a few growing pains along the way. One involved the integration of employees' self-disclosures of any conflicts of interest into Realogy's whistleblower reporting system. The integration required the compliance group to take a system designed to collect allegations of misconduct and enable it to collect self-disclosures that required approval by either the compliance or human resources department. During the first phase of the implementation, both the user experience and the reporting process fell short of expectations. After careful analysis, however, the compliance department decided to change hotline platforms so that it could create the reporting portal and user interface it needed. Now that it's done that, the disclosure volume has steadily grown over the past three years, Berrios says.
New Technology
Of course, at times a compliance area does need to invest in new technology in order to carry out its responsibilities. Here too, the approach is similar to that used when leveraging existing technology. A starting point is identifying the long-term vision. “Where do you want the organization to get to for managing risk and compliance?” asks Steve Schlarman, GRC strategist, IT and security at RSA, a provider of GRC capabilities and other services.
Reaching this goal usually requires a series of steps, including obtaining executive sponsorship, achieving a small win, showing the value of the system, and then tackling the next issue, gradually building an overall program. “It's a war of many battles,” Schlarman says. The companies that struggle often are those that have tried to implement an all-encompassing project right from the start. The undertaking becomes enormous, and it is difficult to gain momentum.
Conversely, some organizations let a focus on perfection stall their efforts. “Simply starting to move in a direction on purpose is a huge step forward,” adds Mason Karrar, GRC strategist, policy and compliance, also with RSA. “Policy, risk, and compliance processes are just that—processes.”
No comments yet