ONE- ON- ONE INTERVIEW
MANAGING POLICY, COMPLIANCE AND RISK THROUGH EFFECTIVE USE OF TECHNOLOGY AND SOFTWARE
RISK & COMPLIANCE MAGAZINE
JAN-MAR 2017 ISSUE
RC: Given the extent to which the regulatory landscape is becoming more demanding, how is technology and software being used to improve the efficiency of companies’ governance and compliance procedures?
Penman: This question is well-timed as, according to our 2016 Ethics & Compliance Policy Management Benchmark Report, “keeping policies up to date with new and changing regulations” is the top challenge in policy management. To meet this challenge, many companies are choosing automation software to help manage the overwhelming manual administration required by the procedure management processes. Robust, scalable and flexible policy and procedure management software provide central, accessible and secure locations for policies. It can also standardise the document creation process, automate version control and archiving, and automate the attestation process to ensure that policies and procedures are reaching their intended employee audience. Software is effectively reducing risk while maximising the return of a well-run compliance programme and allowing compliance officers to focus more time and energy on interacting with employees and leadership directly.
RC: How do you view the role that an organisation’s chief information officer (CIO) or chief compliance officer (CRO) has to play in managing policy, governance and risk issues? To what extent has appointing a CIO or CRO become vital in today’s business world?
Penman: Compliance programmes must have a designated owner with clear responsibilities to oversee the programme. This role is best filled by a chief compliance officer, but can also be done by a chief risk officer who has sufficient resources to run the programme. CIOs are key partners to compliance and risk management teams. They help ensure key data and security risks are given the proper oversight, just like human resources and EHS leaders provide important subject matter expertise in their top risk areas. Making the programme ‘owner’ part of a company’s c-suite ensures that the critical functions of ethics, compliance and risk management have direct access to an organisation’s governing body and influences top-tier decisions to help define the tone from the top.
RC: How important is it for companies to integrate new technologies into their business practices, accompanied by appropriate process controls? To what extent can staff training programmes disseminate the view that effective use of technology and software is desirable?
Penman: Technology is the bridge between modern business practices and the modern workforce. It is critical to maintaining consistency, clarity and documentation in compliance programmes. It also relieves compliance professionals of having to pore over Excel spreadsheets, allowing them instead to spend more time engaging with employees. Training is essential to technology integration as it is how you disseminate the message that your new technologies are beneficial to employees’ jobs and therefore drives buy-in. When training on tech, content is key but just as key is the format of your training. If you are training on the latest technological advancements of your organisation, make sure to use the latest technological advancements in training techniques. Technology can never take the place of leadership and culture but it can give compliance officers the time needed for leadership and culture.
RC: What advice can you offer to companies that are considering adopting technology and software to address their compliance and risk management requirements? What are some of the common pitfalls that companies fail to pre-empt?
Penman: ‘One size fits all’ is not the name of the game when it comes to most technology and software implementation. Tech is essential to an effective compliance programme and risk management, but how it is implemented must be unique to each company and specific to its size, industry, employees and risk profile. One common pitfall is choosing to build a software solution instead of buying a standardised solution that can be configured to specific needs. In an effort to save money, companies will build from scratch or modify existing software to better organise or automate their efforts. These efforts are labour intensive and put the onus on internal staff to manage the upkeep of their technology, rather than focus on their true compliance efforts. In the end, many times these ‘built’ solutions are abandoned for ‘bought’ options that are regularly updated with continuous improvement by the experts that created them, rather than usurping internal employee hours. Companies should weigh the pros and cons of building or buying software carefully before going too far down a particular path.
RC: What advice would you give to companies in terms of managing and mitigating the risks posed by social media? How should they go about implementing policy and ethics programmes that develop, manage, supervise and adjust both internal and external social media processes to reduce disruption?
Penman: Social media management is more about mitigating the risk of human behaviour than it is about technology. At its core, social media is a communication tool, so I would advise companies to view their social media efforts as a part of their larger efforts to drive professional and smart employee behaviour. From there you can shape the conversation to be about best practices and standards that are beneficial to your company as well as to the individual in both an employee and social media user capacity. When creating your social media policy, be well informed of the privacy standards and employee rights applicable to your programme. In this sense as well, it is best to focus on the benefits of professional and smart social media usage, rather than the restrictions placed on employees. Restrictive policies can often fall into trouble with the law.
RC: In your opinion, how extensive is boardroom awareness of the benefits that technology and software can bring to policy, compliance and risk management? Furthermore, what role should the board play in driving its adoption?
Penman: Boards have varying levels of understanding of compliance technology and its benefits to them and the organisations they serve. However, compliance officers are increasingly reporting to boards of directors on trends, hotline reports, policy and training certifications, among a growing number of other reports that boards need to meet their oversight responsibilities. Technology can be beneficial here by offering effective and efficient reporting to compliance officers. Technology is essential, allowing these reports to be automated and streamlined, and providing pertinent information which allows companies to respond quickly to board inquiries. Boards can also be key players in driving the adoption of new technology by bringing what they know about the benefits of technology to the table. Whether through previous experience or their time on other boards, members can share their insights to various technologies that could help support an organisation.
RC: How do you expect technology and software to develop and evolve in the coming months and years? To what extent will companies rely on this for policy, compliance and risk management processes?
Penman: Automation, automation, automation. Every function of compliance and risk management is proving more efficient and effective with appropriate automation. As software continues to reduce the administrative overhead required by compliance efforts, programmes will become more proactive and less reactive, giving compliance professionals more time to strengthen corporate culture. A healthy corporate culture has tremendous value to a company’s bottom line, which suggests that we are reaching the end of the era of compliance being viewed as solely an effort of protection or as an insurance policy. Instead, we are entering the era of compliance as an effort that provides a true return on ethics and a strong organisational culture.
Chief Compliance Officer and Senior Vice President, Advisory Services
T: +1 (971) 250 4100
Carrie Penman is the chief compliance officer at NAVEX Global and senior vice president of advisory services. Ms Penman has been with NAVEX Global since 2003, after serving four years as deputy director of the Ethics and Compliance Officer Association. She was one of the earliest ethics officers in the US and is a scientist who developed and directed the first corporate-wide global ethics program at Westinghouse Electric Corporation.
About NAVEX Global, Inc.
NAVEX Global is the worldwide leader in integrated risk and compliance management software and services. Our solutions help organizations manage risk, address complex regulatory requirements and foster an ethical, productive workplace culture.