What is enterprise compliance and why is it important?
Enterprise compliance is an integrated approach to compliance that spans multiple business units and geographies within an organization. Built from the top down, it is enabled by, and in turn sustains, the organization's people, processes, and technology.
An effective compliance management program focuses on the risks faced by an organization. It may be based on multiple frameworks and aims to ensure organization-wide ethics are being followed and compliance risk is kept in check.
Effective compliance has far-reaching advantages. Beyond lowering regulatory and reputational risk, it can ensure your company stays competitive, provide an integrated culture for all employees, lead to better decision-making, and ensure long-term sustainability.
According to the recent EY 15th Global Fraud Survey,
- 97% of 2,550 respondents interviewed recognized it was important that their organization operates with integrity.
- 43% of respondents believed changing a regulatory environment poses the greatest risk to their business.
- 36% of respondents believed fraud and corruption pose the greatest risk to their business.
Internal and external enterprise compliance
External compliance comprises the laws and regulations that a government dictates for how an organization should conduct its operations. An example of this would be if a company lost the personal information of customers from the EU – they would need to disclose that breach within 72 hours, according to the General Data Protection Regulation (GDPR).
Internal compliance is how a corporation complies with these laws. Those responsible for compliance – usually a compliance officer, or multiple if the corporation is larger – will design the compliance programs. Employees then follow these internal policies.
The number of compliance officers in an organization depends on its size and needs. An enterprise compliance officer is an employee whose duty it is to ensure the company is in compliance with both external regulatory and legal requirements and internal policies and procedures. Generally, the compliance department is led by the chief compliance officer.
Compliance officers work with management and employees to determine risk and ensure that the organization has sufficient internal controls to manage any risks it faces. In the event of a breach, the compliance officer should have disciplinary measures in place to avoid any possible recurrences.
Duties may include revising and setting standards for external communications (for instance, emails may require disclaimers or facilities may need inspection to fulfill safety requirements). They may lead internal audits, design internal policies to mitigate the risk of the corporation breaking regulations, and design contingency plans in the case of a regulatory breach.
To effectively perform these duties, compliance officers must have a detailed knowledge of the company and its operations, and be aware of where regulatory breaches may occur. Key ethical principles must be communicated effectively and regulatory changes and updates must be conveyed regularly throughout the organization – especially as these policy and regulatory changes are continual.
Beyond the enterprise compliance officer?
Beyond compliance officers, top executives, board members, and management are all responsible – as, to a lesser extent, are all employees. Understanding the complete overall picture of how compliance works in a company can help avoid confusion.
The board plays a large role, as their personal reputations and those of other companies they oversee may also be affected by poor compliance.
Leadership should clearly communicate all expectations and company values with regard to compliance.
Transparency and training come into play here – from training to holding town halls, it is crucial for performance standards, goals and evaluation criteria to be evident to all employees. Based on these, consequences and rewards can be built into the framework.
Beyond internal stakeholders, compliance must also be clear to external parties such as regulators, shareholders, the media, and business partners. Transparency can lead these groups to build trust in the organization, particularly in terms of the company's ethical foundation. Understanding how these ethics are instilled and acted on can turn many external groups into advocates for your company.
Different cultures, countries, and even states may have differing ideas on compliance. In the U.S., states have different regulations and guidelines, and even cities and counties may add their own requirements on top of these.
What are some of the regulations impacting enterprise compliance?
Because requirements vary, there are various types of compliance audits, but here are some of the more common regulations.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act went into effect on January 1, 2020. It aims to protect consumer rights and drive stronger transparency and privacy protection when it comes to their personal information. Under this act, Californians have the right to know what personal data is collected, whether it is being shared and with whom, and can opt out of any sale of their data.
General Data Protection Regulation (GDPR)
The EU's General Data Protection Regulation went into effect in May 2018 and protects the data privacy of EU citizens. This regulation applies to any company that processes the data of European citizens, even if the company is located elsewhere.
Sarbanes-Oxley Act (SOX)
The US government passed this federal law in 2002 to establish auditing and financial regulations for public companies. The legislation aims to protect shareholders, employees, and the public from inaccurate financial reporting and accounting errors. While it mostly regulates publicly traded companies, some provisions apply to private and not-for-profit organizations too.
SOC 2
SOC 2 is a compliance audit defined by the American Institute of Certified Public Accountants (AICPA). It applies to any company that holds or processes customer data in the cloud, such as SaaS companies. There are two types: a SOC 2 Type I report assesses controls at a single point in time, while a SOC 2 Type II report covers a period of time, generally 6 months for the first audit and a year thereafter.
ISO/IEC 27001
Part of the ISO/IEC 27000 series, ISO/IEC 27001 is an information security compliance standard that helps companies manage the security of their data assets. These can include employee or third-party data, financial information, and intellectual property.
Several compliance regulations are industry-specific. They include:
HIPAA
Also known as the Health Insurance Portability and Accountability Act, HIPAA was passed in 1996 by the US Department of Health and Human Services for the healthcare industry. It protects patient health information.
FINRA
Also known as the Financial Industry Regulatory Authority, FINRA is an independent, non-governmental organization that writes and enforces regulations for the financial industry. Its rules aim to protect investors from fraud and apply to government-registered brokers and broker-dealer firms in the US.
Best practices in enterprise compliance risk management
What are the right steps to take to ensure enterprise compliance, and some of the technology solutions available?
Enterprise content management
By centralizing data and documents in a secure repository where access can be managed and mandated data expiry can be enforced, the vast amount of information collected by a modern organization can be managed effectively and in compliance with a growing body of data privacy laws.
Digital policy management
Drafting, distributing, and capturing attestation to key policies and procedure updates is far too complex to be done using traditional manual processes. With increasingly remote workforces and the need to pivot quickly to address market forces or disruptions, organizations are turning to automated policy management solutions to streamline these processes while reducing costs.
Process automation
Using process automation tools, compliance can be embedded directly in workflows and operational processes throughout the organization. These solutions also provide top-down oversight of all processes, helping to optimize performance and proactively mitigate risk.
Shadow IT discovery
Organizations increasingly rely on End User Computing (EUC) assets such as spreadsheets, but these sit outside direct IT control and can pose a variety of risks. With more and more remote workers, the problem is escalating, so enterprises must identify, assess, and monitor these "Shadow IT" assets.
Vendor risk management
To safeguard your organization, it is no longer enough to manage internal risk alone. Under many regulations, you are also liable for violations on the part of your vendors and suppliers. It is therefore essential to monitor and mitigate any risks created by your vendor network before they impact your reputation and bottom line.