
Freeman Cebu Business

Compliance management in proportion to risk

INTEGRITY BEAT - Henry J. Schumacher - The Freeman

With compliance management – from data privacy to cybersecurity, from quality control to anti-corruption – becoming more and more important for any kind of business, it is essential to talk about designing a compliance program that’s proportional to your company’s risks. The concept makes sense, but still raises the question: what, exactly, does a “proportional” compliance program look like?

You can easily do too little to manage your compliance risks — or do too much. Compliance officers must find the balance that manages risk well, keeps senior executives and business units protected, and keeps regulators happy.

A great example of the challenge can be found in data security control audits, which are tailored to assess a wide range of security practices and are derived from five basic “trust principles”: security, availability, processing integrity, confidentiality, and privacy.

Could you commission a report for a data storage provider that addresses all five principles? Sure. But if you never store any personally identifiable information with that vendor, the privacy and processing integrity principles are superfluous; you’re over-compliant, and paying for an audit beyond your needs.

Conversely, if you’re contracting with a payroll processor and omit availability or processing integrity, you’re under-compliant. That may come back to haunt you with system failures or corrupted payroll results.

We can see similar dynamics in anti-corruption compliance. You don’t need to perform due diligence on every third party, since that would include many with no exposure to foreign governments and no ability to curry their favor. You do need to monitor some third parties aggressively, since their ownership or business models might change frequently, or in hard-to-detect ways.

A compliance officer can start simply by asking: does this employee or third party pose a regulatory risk to the company? If so, what risk? And what are the worst consequences of a “non-compliant” event?

From there you can start to reverse-engineer the policies and controls you need to fit those risks. For example, all employees theoretically can pose harassment or fraud risk, so all employees need at least some training on them. They also need to certify that they’ve read and understood anti-harassment and anti-fraud policies in the Code of Conduct.

Do some employees need more than that? You bet. Finance employees pose a much higher fraud risk, so they need segregation of duties, and the finance function needs regular audits. Senior managers pose a higher harassment risk, so they might need policies (such as no dating subordinates!) in addition to training.

Likewise, with third parties: what risks do they pose, and what is the most cost-effective way to control those risks? Vendors with no history of bribery and no politically exposed persons or staff, working in low-corruption countries, might suffice with annual certifications that they have read and will follow your anti-corruption policy. On-site visits and business practice audits, in contrast, might be over-compliance that isn’t necessary for them — but might be vital for others.

Some of these challenges can be automated: due diligence checks, for example, or the use of risk libraries so you understand what your compliance risks are and when they change due to new regulation. Above all, however, finding the right level of compliance for your company’s risk is a balancing act. It will take time and practice, and possibly some trial and error, until you get to the right place.

If assistance is needed, email me at [email protected]
