Digital transformation can greatly benefit an organization through new products, sales channels and operating efficiencies, but benefits cannot be achieved without taking on risk. Digital transformation exacerbates compliance challenges because as organizations transform their businesses digitally, they may become subject to new laws and regulations, they introduce new and updated policies and procedures to ensure strategic objectives are achieved, and the scope and composition of customer and third-party contract risk transfer changes. In addition, the very nature of digital business increases the velocity and magnitude of problems that could arise should the organization fail to address obligations.
Regardless of where compliance obligations originate they share the following common characteristics:
- New compliance obligations are introduced all the time;
- Compliance obligations are subject to change over time;
- It is difficult for organizations to understand all the compliance obligations they are subject to; when and how existing obligations are changing; and how new and changing obligations affect their organization;
- Testing and validation of compliance with obligations can be technically difficult and result in overlapping and redundant compliance activities;
- Compliance with obligations can be expensive and time consuming;
- Non-Compliance with some obligations may be more impactful than others (some obligations are more important than others);
- Competent compliance workforce resources are scarce and expensive;
- There is an on-going desire to do more with less head count and cost; and
- It can be very difficult to demonstrate to stakeholders (management, the board, and regulators) that the organization is adequately fulfilling its compliance obligations.
Today, organizations tend to view compliance as a burdensome, costly, checkbox exercise conducted on a periodic basis by compliance teams and auditors. On-going compliance can be hard to achieve and, despite best efforts, organizations do not have a holistic view of their compliance profile, routinely experiencing surprises from non-compliance.
Organizations cannot afford to continue to apply checkbox approaches to compliance. To efficiently and effectively address compliance challenges, compliance managers need to modernize their approach to compliance, employing digital transformation in the management of the organization's compliance obligations. A modern compliance program is characterized by the following attributes:
- Tools and techniques are employed to ensure all three lines of defense (front-line managers, risk and compliance teams, and independent audit) have clear roles and responsibilities in ensuring the organization's compliance and a governance structure exists promoting adequate oversight and communication between the board of directors, management, and employees to ensure the compliance program operates within the organization's design parameters;
- Compliance is risk-based so the organization understands its obligations, the impact of non-compliance, allowing for scarce resources to be deployed to the obligations of greatest significance to the organization
- Continuous compliance monitoring techniques are employed. As velocity, likelihood, or impact of threats to non-compliance increase, risk treatments should migrate from detective to preventive; and corrective risk treatments should become more robust. Each of these treatment methods should be deployed through automation, particularly across digital activities where velocity and impact of non-compliance are most significant;
- Compliance obligations established through policy, procedure, and contract should be harmonized with standards and regulatory obligations (where applicable) to capture efficiency via the "test once, satisfy many" concept and to make it easier to demonstrate compliance program design and effectiveness to key stakeholders
- Formal processes should be established and programmatically enforced to understand and manage changes that may affect the organization's compliance. Internal stakeholders should be engaged to understand how new and changing activities may impact the organization's obligations and factor into discretionary go, no-go decisions. Internal stakeholders that should be engaged include: information security, third party management, business resiliency, human resources, risk management, and legal and compliance teams.
The programmatic capture and evaluation of new and changing activities should include:
- New and changing laws, regulations, and industry standards
- New and changing products, services, business processes, and infrastructure
- New and expanding strategies and markets
- New and changing third party relationships
- Significant new or changing customer relationships
Maintaining compliance with laws, regulations, internal policies and procedures, and contract obligations with customers and third parties is important to avoid fines, sanctions, and litigation and to ensure strategies and objectives are achieved. Digital transformation changes the scope, speed, and often the significance of compliance. Organizations cannot afford to apply the same old checkbox approach to compliance as it is too slow, inefficient, and expensive. Organizations must embrace risk-based compliance utilizing digital techniques to efficiently and effectively manage compliance.
# # #
Join the #TalkingDigitalRisk conversation on Twitter and social media by following @RSAsecurity