Top 5 Compliance Week conference takeaways
A few of us attended the 10th annual Compliance Week conference in Washington, D.C. last month, and it was apparent that the excitement and momentum of governance, risk, and compliance (GRC) have reached new levels.
There’s no doubt about it. The compliance industry has been on a wild ride the past 10 years. And the heightened mood and enthusiasm of over 500 attendees at the conference proved compliance, both as an industry and as a profession, has come a long way.
For us, the three-day event yielded 43 pages of notes. We’ve condensed them into these top five highlights.
- Create a culture of compliance.
Culture is key to building an environment where compliance risk is valued by all. Get the numbers on your side, and use them to put a dollar value on specific compliance risks. That translates compliance into a language leadership already understands; a real dollar figure builds credibility and lets your risks be ranked alongside every other business risk.
Culture and risk management reflect the way you are organized as a team, with integrity woven throughout. Leadership participates in operating reviews that roll down to business units and country units, so risk discussion becomes part of the fabric and rhythm of the organization. Because everyone is engaged, the complexity is spread across many hands rather than concentrated in one team.
To continue building a risk ownership culture, integrate risk management into the strategic planning process, and embed risk-based discussion into everyday decision-making.
- People and process are everything.
Sarbanes-Oxley (SOX), GRC, enterprise risk management—it’s never the same thing twice. Every year there will be changes to the perspectives and approaches due to organizational restructuring, the number of stakeholders, changing audit guidance, and updates to technology. But never forget that the drivers behind technology in your organization will be people. Without a sound process and team, organizations will struggle.
- The CCO needs a seat at the table.
The first time the CCO meets the CEO should not be because of an incident. The tone at the top must be set early and held firm, with senior leaders modeling a culture of compliance before asking anyone else to. Without buy-in from all senior leaders, integrating compliance throughout the organization will be a fight.
- Create an effective compliance program.
Risk is increasing and constantly changing—leaving companies vulnerable, internally and externally. While every program should be tailored to the individual businesses and their risks, all programs must be dynamic and evolve with the organization.
Here are the keys to an effective program:
- Use the three lines of defense model
- Keep it simple, and use a clear reporting tool
- Measure the effectiveness of your program
According to In Focus: 2015 Compliance Trends Survey, 30 percent of organizations are not measuring the effectiveness of their compliance programs. Without measurement, organizations cannot take corrective action when needed.
- Integrate compliance and GRC.
“Why now?” you may ask. Well, enhanced regulatory scrutiny, especially in the SOX space by the PCAOB and the SEC, is placing increased process and control complexity on organizations. And with a maturing GRC technology market, there’s never been a better time to fully integrate.
Plus, the corporate desire to do the right thing for customers and investors has never been stronger. Understanding your risk profile, and getting everyone onto a single enterprise platform so that GRC drives value for the organization, matters more now than at any point in the past decade.
There is hope—it’s possible, through the right GRC strategy and system, to allow organizations to collaborate seamlessly and align processes to management’s strategic initiatives.
If anything, these five highlights have proved that the wild ride will continue as organizations take further steps to integrate GRC and ERM strategies with their SOX and compliance programs. We can’t wait.