Compliance Is Not Just a Department
Integrated Risk Management is transforming the way businesses address compliance, shifting the responsibility from a “compliance department” to a company-wide job and responsibility.
Government regulation touches almost every area of business life, and businesses need a way to stay on top of rules arriving from every direction. In the past, a business would hire a few people to oversee compliance with these rules and regulations. As regulations multiplied, those few people became a department. The department model served businesses well for quite some time, but after the fraud scandals at Enron and WorldCom, where internal accounting practices hid key facts from boards of directors and investors, the Sarbanes-Oxley Act became law. This act, commonly known as SOX, requires executives of public companies to certify their financial reports and to assess the company’s internal controls over financial reporting, with that assessment attested by an independent auditor.
Of course, this is just one example of the ever-increasing onslaught of regulation, and regulation is not limited to publicly traded companies. All companies must deal with federal, state and local laws on business ethics, sexual harassment, data privacy and security, risk management, and diversity and inclusion, to name just a few of the areas where dozens of regulatory agencies are involved.
The new regulation and compliance paradigm calls for a more comprehensive model. The compliance industry has moved away from the generally accepted term “GRC” (Governance, Risk, and Compliance) toward a new term, Integrated Risk Management (IRM). This change, which has been widely adopted, is not just a new label or a semantic exercise but a philosophical shift in how compliance is addressed. Just as W. Edwards Deming, the famous management consultant, helped transform Japanese manufacturing into a global leader by making quality everyone’s business, Integrated Risk Management is transforming the way businesses address compliance, shifting the responsibility from a “compliance department” to a company-wide job and responsibility.
Gartner defines Integrated risk management (IRM) as “a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks.” The key takeaway from that definition is the term “risk-aware culture,” which places the importance of compliance almost at the level of the mission statement of the organization.
The Fishbowl Effect
Gone are the days when companies could keep scandals, or even ordinary compliance issues, private. The Internet, and social media in particular, have made that impossible. Any transgression is published and shared faster than the organization’s public relations department can respond. The most effective and efficient public relations approach is therefore not to put out fires but to prevent them from starting, which makes a risk-aware culture and an organization properly trained in compliance vital.
The Future of Compliance
Every election cycle, regulation is invariably discussed and debated: one side argues for more regulation, while the other promises a reduction. One thing is certain: there is more regulation now than at any time in history, the amount is steadily increasing, and the importance of compliance for a business is increasing with it. A separate, distinct “compliance department” makes about as much sense as a “performance department”; no company would confine performance to a single team. Companies that thrive will have both a performance culture and a compliance culture, and neither can be relegated to just one department.