Since time immemorial, regulation has always been playing catch-up to innovation. With digital technology pushing innovation to unprecedented speeds, regulations and the need for compliance have also accelerated.
In an increasingly uncertain world, businesses must shift from a reactive to proactive mindset, according to Melissa Cohoe, global director of security, risk, and resilience at NewRocket. Otherwise, they risk penalties for malpractice, increased business costs, and employee burnout.
Cohoe shared with Corporate Risk and Insurance several tips on how businesses can be more proactive in meeting compliance standards.
According to Cohoe, the key to success in an uncertain world is to become proactive, seek out areas of needed change and avoid the unnecessary costs and stress of reacting. Organizations can achieve this agency by establishing foundational programs. This includes setting up a regulatory and compliance program to meet and discuss compliance trends and projected change areas.
After that, organizations should establish a risk management program to focus team efforts.
“Defining your most critical and exposed assets allows you to narrow in on your crown jewels,” Cohoe said. “These assets are typically your most sensitive customer data, including health and financial information. Once you’ve identified your valuable and exposed assets, inform your employees of your critical data, what to do to protect it, and see how to upgrade your existing processes and systems with technologies and services.”
According to Cohoe, organizations are stronger if their people have a diverse range of experiences and opinions, with individuals who are interested in and empowered to improve their companies. To stay ahead of new regulations and standards, leadership must set clear expectations and have sufficient autonomy to effect change. In turn, an improvement-seeking workforce offers the C-suite insight into necessary changes, which spurs bold action to get ahead of the curve.
“Your workforce is an essential tool in creating a proactive culture of compliance – and also your biggest risk,” Cohoe said. “People are fallible. During the 2008 market crash, no oversight led to one of the most significant economic downturns of the past century. The lack of ethical leadership from positions of power failed to safeguard against what eventually happened. Failures can have massive, far-reaching impacts but are avoidable, depending on the tone you set within your business.”
Cohoe said that technology is an excellent asset that can make achieving compliance much easier. Which technology will be most helpful depends on the current maturity of an organization’s compliance programs. This can prove a challenge for many companies, especially in older industries that already have many traditional processes in place.
“Organizations starting out should use tools that build your compliance framework,” Cohoe said. “Then, track it against your internal frameworks and external regulatory requirements. Organizations still needing an internal controls library may consider using regulatory requirements or an existing industry standard as a starting point. The first stage is seeing compliance overall within your organization.”
She added that more mature organizations should adopt a “test once, comply many” system, which has a single control test demonstrating compliance against multiple regulatory standards and requirements.
“My most common example is putting the control ‘user must reset password within 90 days’ in multiple IT compliance frameworks and regulatory standards,” Cohoe said. “If it’s tested once against an asset, showing compliance (or noncompliance) against multiple regulations and industry standards gives organizations helpful foresight into their true compliance footprint.”
At this point, organizations may be using self-assessment and qualification to determine compliance. According to Cohoe, this is the stage where an individual asks, “to the best of my knowledge, is this control implemented and operating effectively?” They then rate the level of effectiveness – fully effective, partially effective, not effective – by manually providing and reviewing evidence.
Organizations that are ready to increase their maturity will look for more automated and predictable methods of compliance assessment, including compliance monitoring tools, scanners, and evidence analysis. At this level, organizations are beginning to gather sufficient data to harness the benefits of artificial intelligence, including natural language processing (NLP).
NLP can be used to identify regulation updates and recommend corresponding changes of internal controls. It also helps review the evidence to confirm it meets content and quality standards. Predictive analysis identifies compliance trends and organizational challenges, such as stalled projects when compliance requires a technology update.
“Looking forward, using predictive analysis to proactively identify regulatory change based upon media reports and government interest will allow organizations to respond to legislation before it’s been put forward for approval,” Cohoe said.
Cohoe said that businesses should create a culture of “compliance by design” by prioritizing teaching all levels of the business what compliance means, what compliance programs deliver, and what their purpose is within the organization. Leadership should communicate the value of compliant practices and their necessity for doing good work and thriving in the market, with the goal that everyone buys in and an organization-wide commitment becomes baked into all business functions.
“Within your ‘compliant by design’ organization, look to establish playbooks your employees can fall back on,” Cohoe said. “These playbooks should allow for well-thought-out approaches, with clearly defined tasks and ownership. Having a playbook in place improves processes, creates efficiencies, and removes doubt and uncertainty around compliance-related decisions.”
However, Cohoe warned that these changes cannot happen overnight; building such a culture is an ongoing process.
“Focusing on compliance can’t be an annual, biannual, or quarterly endeavor,” she said. “It is a day-to-day journey requiring constant attention and persistent effort.”