The consequences of non-compliance with legal and regulatory requirements can be costly: fines, lawsuits, damaged reputation, and in some cases prison. A poorly run compliance effort offers little protection, either: to a regulator, doing the wrong thing can look as bad as doing nothing at all. To avoid these outcomes, a company needs to understand what compliance actually requires of it and to have processes in place that both verify and maintain that compliance over time.
There are essentially three lines of defense against non-compliance. First, senior management sets direction and provides guidance: it promotes a strong culture of compliance, defines the compliance strategy, and issues clear statements of risk appetite. Second, the company needs people who implement that strategy, map each identified risk to the business processes it affects, and ensure that every risk has controls associated with it. Third, the company needs internal audits on an appropriate recurring schedule, supported by automated workflows that raise alerts when a control fails or a deadline is missed. At every level, people should be able to view reports of the current overall risk posture and of any gaps that exist.
Companies are far more likely to face a targeted regulatory challenge than a full compliance audit, because a specific challenge is much cheaper for the regulator to conduct than a generalized audit; a challenge can nonetheless result in high fines. A challenge typically starts with a request for information from the regulator or auditor, and failure to produce that information promptly usually triggers a much larger, punitive audit. Keeping all compliance-relevant records in a centralized repository makes it unlikely that a company will fail an audit for this reason. To the same end, scheduled internal audits are a necessary part of a solid compliance plan: they locate gaps in the records early, while there is still time to collect the missing data.
Compliance might sound like a lot of work for no gain beyond avoiding fines and penalties, but that is far from the case. Being compliant has many benefits: it demonstrates a commitment to doing business the right way and in an ethical manner, it tends to improve operational processes and their maturity, it increases transparency, and it establishes better information governance through disciplined record keeping and data management. All of these contribute to a better bottom line for the business. In the end, it is always cheaper to simply be compliant.