Think you’re compliant? Think again
I would like to hear from any sizable business that can say, hand on heart, it complies with all the regulations to which it is subject. If yours is the one, I would like to hear how you do it; if not, you are at risk.
Anyone tasked with making sure an enterprise is compliant with regulations knows how these have been increasing in volume and complexity, alongside increased penalties for non-compliance. Businesses having dealings outside their home country are subject to the other countries’ legislation too.
Now that all organisations rely heavily on IT systems, the only practical way of ensuring regulatory compliance is to interpret needs into electronically-held policies that meet the specific organisations’ needs—and to implement them at every appropriate level in the organisation. Simple? No. There are a mass of hurdles to achieving this.
- A first problem is that there need to be persons who understand all the details of every regulation. That alone is a specialist job and can involve regular training.
- Then comes the need to convert the policies they come up with into a set of electronic policy rules to be actioned automatically across the IT infrastructure as appropriate. That assumes a wide-ranging, detailed understanding of the enterprise infrastructure—and it is a rare breed of specialist who can draw up policies and has this knowledge. (OK, so you put a few people together who have the required mix of skills; they all then have to communicate perfectly with each other what they mean.)
- The policy people have to keep absolutely up-to-date with every change to every regulation—before they happen—to have a fighting chance of figuring out how to effect the changes within existing policies and triggering amendments on the day the changes come into force. This also means a dependency on all legislators informing the company accurately and in good time of planned changes—or they need to be proactively badgered all the time. (It seems legislators in some countries do not even cooperate in this.)
- Some of the policies you implement are partly dependent on your trading partners delivering what is needed when you need it. If they or their systems fall down, this can have a knock-on effect to upset your business’s best-laid policy plans.
- Your systems can also fail in many different ways, undermining anything you planned; in any case, a wrongly-implemented policy could screw up data or systems.
- There is also a built-in assumption in all the above that you have the information you need to implement your policies. Sadly, much information coming into, or being created within, an organisation is not properly identified. Complex content searches may be the only way to track down some pieces of valuable information.
I could go on. Instead, I will repeat: I would like to hear from a business that can say, hand on heart, it complies with all the regulations to which it is subject. (A very small business that still does things manually is, ironically, the only one which might feasibly fully achieve what is needed.)
That said, everyone has got to try, and show they are doing their level best to achieve compliance—or face potentially serious legal penalties. In that regard, every business really needs help. There is some of course, but not enough.
Perhaps best-placed is the generally cash-rich but also risk-averse financial sector. It seems to be well-served by 10-year-old internet-based compliance specialist Complinet, which provides a three-pronged software-based service which takes some beating.
First, Complinet tracks every regulatory change from regulatory authorities (globally) and brings the variable quality of input into one consistent data platform, categorising it within its own global taxonomy. So this provides a valuable information feed to companies in the sector to assist in spotting the changes early and making sense of them.
To achieve this is a more labour-intensive behind-the-scenes function involving regulatory experts and lawyers. They also offer, for instance, an in-house commentary and impact analysis to support the change information. “It’s a very dynamic regulatory market,” said CEO Chris Pilling, who added that the company was focused almost exclusively on the financial services sector.
Next comes Complinet’s Policy Manager software which provides electronic policy manuals that are updated according to the regulatory changes. Firms can let their existing content become part of this and there is, obviously, much tailoring to match in-house functions to the ‘standard’ policy entries and begin sharing the same taxonomies. Backing this up are alerts to let the appropriate persons know when a policy change is coming through.
The third is simply a global risk screening service that gathers data and advises on a potential trading partner’s likely reliability and credit-worthiness. (This is not limited to the sector.)
It will be seen that, even with these aids, the job of becoming and remaining compliant is very hard—but how do businesses manage without?
Pilling said the company now served 73% of the tier 1 firms in the financial services sector and had plenty on its plate—for instance expanding into the Middle East and Asia-Pac—so there are no immediate plans to enter any other vertical sector.
Yet every sector needs these types of functions—and those trading across country boundaries even more so—and a financial services taxonomy cannot cover other sectors as it stands.
So I am very interested to hear of any software and services company that comes close to matching this for the other industry verticals (and I won’t be holding my breath).