I am just returning from Compliance Week’s 2014 conference, held in Washington DC this past Monday through Wednesday. I’m leaving with a new tote bag, a t-shirt, 36 pages of notes taken during the sessions and a head bursting with ideas that I want to share with all of you. I participated in CW 2014 strictly as an attendee, to learn from best-in-class compliance officers. Eight breakout session panels, seven keynote addresses and a whirlwind of conversations later, I’m happy to report that I accomplished that mission.
While there are some specific topics that we’ll dig into deeper in the coming weeks (after I’ve had a chance to digest those 36 pages of notes), I wanted to provide a couple of highlights in time for our May newsletter!
Cyber Security is a Hot Topic
For many compliance executives, it doesn’t feel like cyber security should belong in the compliance department’s realm. Alan Brill, Senior Managing Director at Kroll, agrees that the domain of cyber security is unclear, but stresses that it is a compliance issue. He suggests that compliance teams and IT security teams partner more closely in this age of “everything cyber” to put compliance tools in the hands of the IT resources who need them.
One very practical suggestion made by Mr. Brill was to partner with IT to issue employee communications about good data security practices, using the compliance mindset to provide guidance and an understanding of why the topic should be taken seriously. (The example used was the number of employees who likely have a personal Dropbox account, where they store work in progress so that it is accessible from multiple locations.)
My takeaway: How can we help organizations push their compliance processes (controls, testing, reporting, employee communication) to the IT security side? In some cases we already work with both financial compliance and IT compliance, but where we don’t, can we help to foster more coordination?
Third Party Risk Management is Critical
It is surprising, to be honest, how many organizations are still underestimating the exposure they face due to third parties. The actions of suppliers, partners, contractors and sometimes even customers can bring risk onto your organization. The need for effective – and efficient – third party risk management and due diligence was a key theme through many Compliance Week 2014 sessions.
How to do third party due diligence and risk management in a reasonable, cost-effective and resource-efficient way was a matter of much discussion – both during panel events and in the hallways over breaks. Panel experts stressed the need to push the due diligence process down to the business units and owners of the third parties, while having compliance oversight – and audits – to make sure the process is working.
My takeaway: policyIQ can help organizations build a third-party due diligence process. Over the next couple of months, we should illustrate this more specifically so that our clients can see the process in action in a practical – and cost-effective – way.
Compliance Should Be Embedded in the Business
This theme ran through virtually every session at the conference – and while it is definitely a desire of most attendees, there did seem to be some skepticism about how to accomplish it.
One session specifically focused on “Tone at the Middle”, taking the common idea of “Tone at the Top” to a new level. Middle managers are closer to the majority of the workforce, and the commitment to compliance and ethical conduct at this level can be even more critical. (Of course, it is clear that “Tone at the Top” is critical to THIS level of commitment.) The idea boils down to this: if you have an ethical environment that is committed to compliance, compliance shouldn’t feel like a hurdle that has to be overcome.
The other side of this coin is the concept that, in the ideal world, compliance can be seen as a revenue-positive activity. Compliance departments can work within the business to identify opportunities for process improvement that are in line with compliance initiatives. Risk management and issue management can also be viewed in a revenue-positive light.
Practical advice on this subject was a bit thin; however, it is clear that everyone wants compliance to be seen as a positive force rather than a revenue restriction.
My takeaway: How can we talk about processes like risk management and issue management in revenue-positive language? Consider ways to identify opportunities rather than issues.
So much more…
I have notes on issue management, creating a positive “speak up” culture, ideal issue escalation processes, risk-focused issue management, suggestions for creating better relationships with regulators, and much more. Stay tuned for more notes and ideas! If you have a specific question or if you are curious about a specific area, don’t hesitate to reach out to us.