Compliance must be an active and living part of the organization and culture to prevent and detect issues that negatively affect corporate integrity. It is a continuous and ongoing process that must be monitored, maintained, and nurtured, and requires implementation of a compliance technology architecture.
Until recently, corporate compliance departments had very little budget for technology. Compliance processes were manual and document-centric, which made gathering information and reporting on compliance laborious and costly. Further, compliance departments relied too heavily on word processing documents and spreadsheets for assessments, all of which lacked an audit trail. This is a legal land mine for compliance. The organization is without a defensible position to show that a specific event took place at a specific date and time, and there is no record to show whether data was compromised or changed to paint a rosier picture and get the organization or an individual out of trouble. 21st-century compliance must use available business technology to track compliance activity, record changes, and provide a complete audit trail.
Compliance technology architecture to support compliance risk management in the 21st century includes the capability to perform:
■ Compliance risk management: Technology to manage compliance risk surveys, assessments, and related risk information, and to report, analyze and model risk related to compliance and ethical issues.
■ Regulatory change management: Technology to document and manage regulatory changes and their impact on the business.
■ Learning and training management: Technology to communicate and document training programs (e.g., e-learning courses) related to compliance. This includes delivery of training, testing, attendee participation and understanding assurance, and maintenance of training records.
■ Policy and procedure management: Technology that maintains policy lifecycle management across development, maintenance, communication and attestation, and has a robust audit trail and content management capability to make sure policies are kept current and communicated.
■ Investigations management: Technology that enables the organization to manage and monitor issues and incidents, and to collaborate on and document investigation processes. This includes the ability to record the range of issues reported by hotline or other mechanisms, actions taken, and the results of the investigation.
■ Issue reporting and hotlines: Technology that provides a system for individuals to report issues and noncompliance so they can be investigated, and a system to document reports made directly to all levels of management.
■ Survey and assessment: Technology that delivers a consistent experience across the organization for conducting surveys and assessments for compliance.
■ Benchmarking, metrics and dashboarding: Technology that produces reports to management, executives, and the board showing that compliance is designed properly and operating properly. This assures executives and the board that their fiduciary obligations for compliance are being met.
■ Due diligence management: Technology that facilitates due diligence efforts to validate that the organization is hiring the right people and partnering with ethical business partners that share the same commitment to compliance with legal and corporate values.
■ Forms automation and processing: Technology that processes and automates forms that manage interactions such as gifts, entertainment, and facilitated payments through online forms and workflow for approval or disapproval.
■ Compliance program/project management: Technology that brings compliance risk management together in a cohesive system to manage compliance activities, metrics, and reports. All compliance management personnel and employees should be able to access the system and see the contextually relevant tasks and items that pertain to their job.