Ian Smith, finance director and GM at Invu, believes it is time to end ‘checklist’ style compliance and establish compliance as a collective responsibility and a key part of company culture and mindset.
Compliance may have become well established on board agendas in recent years, but the delivery of compliance policy and its execution are often delegated through the executive chain into siloes, rather than forming part of a collective responsibility and mindset.
Why focus on compliance when there is so much more kudos attached to winning new business or forging new partnerships?
This attitude needs to be questioned. Is compliance a response only to regulation, simply a box-ticking exercise, or a chance to embed strong governance within the organisation and add value to the business?
While many senior decision makers would probably argue that they have a compliance mindset, when a new regulation is introduced many of these decision makers subcontract the responsibility to another department. Sure, compliance is certainly on the business’s main agenda, but the overwhelming response is to delegate and forget.
However, this approach usually results in devastating consequences. Decision makers and directors watch the latest governance fallouts with intent: another firm on the news, under siege for data protection and governance failures. They take a moment to absorb the information and reflect, but then quickly return to other, more ‘appealing’ parts of the business.
With decision makers and board directors diverting their attention elsewhere, compliance activity goes on without a comprehensive strategy in place. Unsurprisingly, it quickly becomes a routine checklist exercise, where the department responsible attempts to ‘tick off’ every compliance requirement without assessing risk beyond current activity.
This approach results in a complete lack of understanding regarding the true state of the organisation. There is a mass of compliance-related data but no real information or insight into compliance as part of a good governance model.
Of course, GDPR (General Data Protection Regulation) coming into effect in May 2018 has helped to focus attention on current compliance frameworks: the threat of fines of €20 million or 4% of a business's turnover if GDPR is not adhered to has jolted many businesses into action. However, developing a good compliance model needs to be done now, not later. The risks associated with poor compliance exist today and do not start next May.
Therefore, in order to move beyond a ‘catch-all’ and ‘checklist’ attitude towards the compliance regime, organisations need to spend time understanding compliance regulations and developing detailed responses tailored to their specific business models. This way, rather than reacting to events as they occur, businesses can build a strong data governance framework that is prepared for any eventuality.
But a structured compliance framework needs to be directed from the top, by the people with the intelligence, experience and vision to adapt business operations in line with regulatory demands, as well as to assess risk and prioritise business operations accordingly.
It’s important that organisations recognise that compliance is an incredibly valuable activity that not only helps them to remain compliant with regulations, but also helps them to provide value to customers and clients. When it comes to compliance, businesses need to develop a detailed plan today, as this will put them in an excellent position for the future.