It seems that Governance, Risk and Compliance in business has rarely had a higher profile. As it has become more newsworthy, business leaders have also been left more exposed than ever before.
Unsurprisingly, the cost and complexity of compliance has risen too, as organisations try to keep up with new legislation and plug the gaps in their existing processes.
Those are precisely the pressures that led us to develop a new, integrated approach to compliance. The outcomes of this globally standardised operating model are already becoming clear: greater control and real-time visibility at the centre, and the added benefit of significantly lower service costs.
Compliance may seem like an unusually ‘risky’ function to outsource. But I would argue that the need for guaranteed accountability and global consistency actually make outsourcing the only choice.
For an international company, the compliance challenge is spread across different cultures, legal frameworks and industry subsectors. In addition, the different business functions will often have developed their own siloed approaches to compliance.
This can lead to a situation where Finance, Sales, and the Supply Chain, for example, are all addressing their own requirements in different regions or business units, even though there are obvious overlaps. At best this is inefficient. At worst, serious inconsistencies and patterns can go unnoticed.
In our experience the transition to centralised control involves taking a more holistic approach. Teams in a ‘control centre’ take ownership of key risks that extend across the different functions. The tools we use can cover horizontal and vertical compliance issues. This means we can monitor certain regulatory risks across the whole business, or choose to drill down into just one, for example, the Supply Chain
Once you reach the stage where responsibility is in one place, you can design and implement an integrated control framework that mitigates the risk whilst minimising the cost. This is enabled by one global technology solution to manage the business data and to automate reporting.
However, to get to this stage, and make the right decisions, demands a very special set of skills and change management capabilities.
Perhaps the most significant change in compliance is the shift away from periodic auditing to automated, continuous monitoring. The top performers have already made impressive progress here.
Across their organisations, they are able to track the kind of patterns and anomalies that normally spell danger, for example, a sudden spike in customer sales reversals, or an unusually high rate of early payments. The central team can then investigate these quickly and recommend action following the agreed standard procedures.
Global control scores help monitor and compare key performance indicators for compliance across the whole business so that an underperforming region or division really stands out.
Unsurprisingly, the cost reduction benefits of centralised, continuous monitoring are already proving impressive, and not just because it allows organisations to reduce and consolidate the number of people working on compliance.
It also makes auditing faster and less disruptive, because the evidence is instantly accessible. Furthermore you can actually get far more value and insight from an audit this way.
Action, Not Just Reporting
One of the main challenges is to ensure all this visibility translates into action – as opposed to simply becoming a ‘black hole’ of reporting. After all, some of the worst compliance failures of recent years were flagged at some point internally, only to be ignored.
It is not good enough just to automate against a background of poor processes or culture. We need to feed back to operating countries, asking the probing questions: why are there compliance failures? How do you translate reds and ambers on a dashboard into next steps? Who takes responsibility and ownership for ensuring this happens?
Business process outsourcers now offer a genuine alternative in this role, and we are already seeing this reflected in the work we do.
Risk and compliance will always be vulnerable to corner cutting and the erosion of good practice by people under pressure to hit targets. So transferring ownership away from the business to a team of people who are focused entirely on ensuring good governance (contractually obliged, in fact) makes sense.