As part of the #RISK Digital EU Focus 2023, this thought-provoking and insightful live stream - Beyond the Checklist: Rethinking Compliance - explored the need to move beyond traditional compliance-driven approaches to proactive and strategic risk and privacy management.
⚠️ 🧑💻 We’ve summarised, adapted, and organised the transcript of the live stream to present a concise written version that captures the key points and insights shared by the panellists.
The moderator:
🎙️ Andrew Scheifele — PhD, Co-founder and CEO of SaltyCloud, a growing governance, risk, and compliance SaaS company focused on federated and highly-regulated organisations.
The panelists, in alphabetical order:
🎙️ Alexander Alaraj — Alexander serves as Data Protection Officer for a group of companies within Ingka/IKEA. Before joining Ingka/IKEA, Alexander worked as Senior Privacy and Data Protection Specialist with The Boeing Company. Being active in the field since 2014, he has gained broad experience from Privacy and Data Protection, including analysing, implementing and overseeing EU Data Protection Requirements in an international business context.
🎙️ Anastasia Avramenko — Anastasia is the Ethics & Compliance Officer at Just Eat Takeaway.com, part of the global compliance function responsible for 22 countries. While currently building a robust compliance program at the organisation, her areas of expertise include whistleblowing policies, internal investigations and anti-bribery and corruption.
🎙️ Mihai Ghita — Mihai is the Co-founder and Chief Product Officer at Sypher, a technology company that builds privacy management and compliance software. He has over 20 years of experience of working in and with the risk and insurance industry.
🎙️ Aaron Le Noury — Aaron is a Senior Data Protection Officer within the States of Guernsey, the Government for the Island of Guernsey, responsible for providing data protection advice and guidance to the Committee for Home Affairs and the various services comprising their mandated portfolio, including the Police, Prison, Probation Service and Economic & Financial Crime Bureau.
🎙️ Baiba Zvejniece — Compliance Officer at Societe Generale, Baiba values trust, reliability, ethics, and a culture that sets the business standards for acting in a transparent and safe way.
Screengrab from #RISK Digital 2023, live streaming of Beyond the Checklist: Rethinking Compliance
Let's dive into the discussion and learn about the benefits of a more proactive approach to compliance, as well as practical steps you can take to improve your own compliance culture and processes.
🎙️ Anastasia: The most important factor for the success of any compliance program is the support and commitment of senior management, especially the board and CEO. Without their backing, even the best-designed program will struggle to make an impact.
Compliance has evolved beyond mere adherence to rules and regulations. It is now about empowering companies to act with integrity and proactively manage risks.
Moving away from a reactive, checkbox mentality is crucial. Instead, we should focus on detecting and preventing issues from the very beginning, integrating compliance into the design of our operations — favouring a privacy by design approach.
To achieve this, it is essential to train employees on compliance risks and raise awareness of compliance topics throughout the organisation. However, without the support of senior management, these efforts may fall short. The top-level leadership should:
Senior management, including the board and CEO, should actively communicate the company's values and strategy, fostering a positive environment that encourages compliance.
Middle managers play a vital role in translating the tone at the top into action. When they witness the commitment to compliance from senior management, they are more likely to support and empower the compliance program.
Practical steps to materialise tone at the top include
A speak-up culture is crucial. Creating an environment where employees feel comfortable voicing concerns and opinions not only fosters a safe workplace but also improves retention and attracts clients and investors.
Establishing an effective compliance program extends beyond its intrinsic value. It positively impacts customer and client retention, enhances employee engagement, and builds a strong reputation for the company.
While there are other important factors to consider for a successful compliance program, I believe that gaining support from senior management is the crucial first step. My fellow speakers will delve further into these factors and provide additional insights.
🎙️ Baiba: The success of any compliance program hinges on several key factors. Here's a summary of the important points:
Understanding the business — It is crucial to have a deep understanding of how the business operates. Identifying and listing the most exposed areas and potential vulnerabilities allows for a targeted approach to compliance.
Internal expertise — While external advisors can be valuable, they may not have the best understanding of the company's operations. Therefore, relying on internal experts who possess knowledge about the business is recommended when creating a compliance program.
Culture of compliance — Compliance should be the responsibility of everyone within the company, including stakeholders and even customers. Promoting a culture of compliance at all levels and communicating its importance fosters a compliant environment from the outset, reducing the need for later adjustments.
Knowledge and authority — Sharing knowledge and empowering compliance officers and managers with the necessary authority enables them to make informed decisions. Governance, including procedures, policies, and a clearly defined risk appetite, ensures transparency and consistency in decision-making.
Proactive approach — Being proactive, knowing what to expect, and having crisis management plans in place are vital. Understanding the potential risks and being prepared to address them effectively contributes to a robust compliance program.
Root causes of compliance failures — Unhealthy corporate culture, ineffective decision-making, lack of risk awareness, excessive focus on profits, insufficient controls, and a lack of personal accountability are identified as common root causes for compliance failures.
External influences — External factors, such as regulations, legislation, and changing environments, can impact compliance. Staying aware of these external forces and adapting to them is essential.
Focus and planning — To avoid feeling overwhelmed, businesses should adopt a focused approach tailored to their specific risks and objectives. A clear plan of action, regular monitoring, and ensuring the effectiveness of the compliance program are essential components.
In summary, a successful compliance program requires a comprehensive understanding of the business, a culture of compliance, internal expertise, proactive measures, and a focused approach. By addressing root causes and adapting to external influences, businesses can establish a robust compliance framework.
🎙️ Aaron: The role of the compliance team is to collaborate with the organisation and support them in achieving compliance goals. We are not here to police or regulate the organisation but rather to advise and guide them. It's crucial to communicate this to the various stakeholders to overcome any misconceptions. Here's how we convey the importance of the compliance team to different stakeholders:
Collaboration and support — We emphasise that our role is to work hand-in-hand with the organisation and assist them in becoming more compliant with relevant frameworks. We highlight our willingness to support their goals and address their challenges.
Open communication — We create an environment where stakeholders feel comfortable discussing their concerns, what is working well, and what needs improvement. By being open and approachable, we encourage stakeholders to share information and seek assistance when needed.
Advisory nature — We emphasise that the compliance team serves as advisors, helping the business understand what needs to be done and how to achieve compliance. We make it clear that achieving compliance is a collective responsibility, and individuals within the organisation play a crucial role.
Relationship of trust — By fostering trust, we establish a collaborative approach where stakeholders understand that compliance is not solely the responsibility of the compliance team. They realise that they need to actively contribute and work together with us to achieve compliance objectives.
Beyond the checklist — While checklists and deadlines are important, we focus on proactive communication and ensuring stakeholders understand the purpose and benefits of compliance. When stakeholders grasp how compliance aligns with the organisation's strategy, it becomes easier to work through the checklists effectively.
Continuous monitoring — We stress the importance of ongoing involvement and monitoring of compliance progress. For longer programs with multiple objectives, regular check-ins and support are provided to stakeholders. We remain present throughout the compliance journey to ensure stakeholders have the necessary assistance and resources.
By conveying these points to the various stakeholders, we promote a collaborative and proactive approach to compliance, fostering a shared understanding of the compliance team's role and its importance in achieving organisational goals.
🎙️ Alexander: First, let's reiterate that compliance refers to adherence to rules, regulations, standards, or guidelines set by organisations, industry, and governing bodies. So, measuring compliance typically involves evaluating or assessing the extent of conformity with those established requirements.
Therefore, first of all, it's really important to define what it is that you want to track and the criteria or the desired state for compliance. To determine if we are on track with our compliance program, we can consider the following pathways:
Audits — Conducting internal or external audits is a typical method to assess compliance. Auditors objectively review processes, procedures, and documentation to identify areas of non-compliance and provide valuable feedback.
Self-assessment — Organisations can proactively assess their own compliance posture against predefined criteria or standards. This allows for the identification of areas of non-compliance and enables corrective actions to be taken early on, rather than waiting for an external audit or regulator inspection.
Documentation review — Regularly reviewing and updating documentation is important for ensuring compliance. Assessors can compare documents against established requirements, verify owner accountability and responsibility, and assess proper documentation and record-keeping practices.
Key Performance Indicators (KPIs) — Defining and tracking specific KPIs related to compliance can provide insights into compliance levels over time. Examples of KPIs include the number of reported incidents, completion rates of compliance training, and trends observed.
Ongoing monitoring — Compliance is not a one-time activity but requires continuous monitoring. Regular checks, assessments, and monitoring ensure that compliance efforts are sustained and address any emerging risks or non-compliance issues.
Compliance ambassadors — Assigning additional responsibility to individuals as compliance ambassadors can strengthen the compliance message. These ambassadors, embedded in different organisations or business units, receive additional training to identify non-compliance issues and act as a liaison between the compliance team and the day-to-day operations. They can escalate complex matters and provide guidance on compliance-related questions.
🎙️ Mihai: To measure the effectiveness of a privacy management or compliance program, the following approaches can be taken:
Prioritise — There is no such thing as perfect compliance. You cannot do everything. Understand what matters most for your organisation. Given limited resources and time, it's important to identify areas of vulnerability or high impact. Focus on those activities that have the highest risk or potential impact on the organisation.
Plan — Once priorities are established, create a plan to address them in order. For example, if you're a Data Protection Officer (DPO) focusing on privacy compliance, activities that require Data Protection Impact Assessments (DPIAs) are usually a good starting point. Develop a roadmap for addressing compliance issues systematically.
Avoid redundant work — In larger organisations with multiple compliance teams, overlap and duplication of efforts occur often. To improve effectiveness, establish collaboration and sharing of information among compliance teams — for example, the Information Security team and the Data Privacy team are both documenting company-wide security measures. So, in practice, the best way to go would be to implement a shared repository of information where everyone has access to relevant data and documentation. This reduces the need to repeatedly request the same information from different teams and enhances efficiency.
Involve the organisation — Compliance teams cannot do compliance for the entire organisation on their own. The compliance team is not processing the actual data! It is crucial to involve business stakeholders and create awareness about compliance requirements. Develop ways to engage the rest of the company and ensure they understand the importance of protecting personal data. Minimise the burden on the business by asking for information only once and streamlining communication channels.
Collaboration and progress — By reducing friction with the organisation and enabling easier collaboration, compliance teams can make more progress. When collaboration is smoother, stakeholders are more likely to provide information and actively participate in compliance efforts. This, in turn, facilitates the achievement of compliance goals.
So, in short, effectiveness in compliance programs is achieved by
🎙️ Andrew (moderator): Compliance should not be seen as a separate entity but rather woven into the fabric of the business.
In large organisations, the complexity lies in managing multiple compliance functions and ensuring coordination among them. Siloed information security, risk, compliance, privacy, and audit teams can create confusion and inconsistency when approaching the business with different requests. So, it can be crucial to integrate these roles and establish an integrated program, either through a unified team or a single platform.
On the other hand, for smaller organisations, the challenge is often balancing compliance requirements with limited resources and high perceived costs. Compliance can be seen as a burden, especially when the organisation is still in its early stages and trying to establish internal policies and meet regulatory obligations. However, it is important to recognise that compliance can also be a value-add for a smaller organisation.
So, here is my question:
🎙️ Alexander: Compliance is actually a prerequisite for conducting business. Compliance with industry standards and regulations, including legal obligations, is essential for maintaining credibility and meeting customer requirements. Non-compliance can result in significant financial penalties and reputational damage. For example, non-compliance with the GDPR could cost up to 4% of annual global turnover. Upcoming AI regulations could set the cost of non-compliance up to 7% of annual global turnover.
So, compliance should be seen as a means to facilitate business growth. Meeting compliance standards can open doors to partnerships and collaborations with larger organisations that have compliance requirements. Compliance efforts can be leveraged to access new opportunities and expand the customer base, especially since their reputation can also be at stake.
🎙️ Aaron: From my experience working in a government body, we always strive to be efficient with our finances. In smaller businesses, the cost associated with compliance can often be daunting, especially when it involves bringing in external specialists. To address this challenge, we have found success in empowering individuals within the organisation to take on compliance responsibilities.
We start by providing training to ensure that everyone understands the key aspects of the compliance frameworks we work with. Then, we encourage these individuals to handle the simpler day-to-day compliance tasks and bring that work to their respective teams. By distributing the compliance workload across different departments, we can leverage the expertise and knowledge within the organisation, reducing the reliance on external specialists.
This approach not only helps minimise costs but also allows our own employees to become managers of their compliance work. By sharing the compliance load and empowering individuals, we can add value to the organisation without significant additional expenses. It's about leveraging our internal resources effectively and ensuring that everyone plays a part in maintaining compliance.
🎙️ Mihai: From my observations, compliance becomes increasingly crucial as a company grows. Initially, smaller companies may prioritise profitability over compliance, considering it a secondary concern. However, when the company begins to expand or seeks partnerships and investors, the importance of compliance becomes evident.
Potential partners and clients often demand assurance that their data will be protected and that privacy management is in place. If a company fails to meet these expectations, it risks losing valuable opportunities.
Furthermore, for smaller businesses, a compliance breach can have severe consequences, potentially leading to reputational damage and even closure.
I have also noticed that focusing on compliance prompts companies to reevaluate their overall business operations. To achieve compliance, a deep understanding of the business processes is necessary. Consequently, this examination often leads to process optimisation, identifying areas where data storage can be minimised and unnecessary practices can be eliminated. By integrating compliance practices, businesses can streamline their operations and improve efficiency, which becomes particularly advantageous during periods of growth.
In summary, even for small and medium-sized companies, there are multiple reasons to pay attention to compliance. Beyond checking boxes, meeting external expectations, and safeguarding against risks, compliance initiatives can drive business optimisation and contribute to the company's bottom line.
🎙️ Baiba: When viewing compliance solely from a checklist point of view, there are two significant drawbacks to consider:
Firstly, there is a risk of inefficiently allocating resources by attempting to fulfil every requirement on the checklist, even if they are not all applicable to our specific business. This can lead to wastage of resources that could have been better utilised elsewhere.
Secondly, relying solely on a checklist may not adequately cover all the potential risks faced by the organisation. Compliance is not a one-size-fits-all approach, and there may be areas of vulnerability that are not adequately addressed by a standardised checklist. It is crucial to move beyond a mere checkbox mentality and adopt a risk-based approach.
Regulators also emphasise the importance of a risk-based approach to compliance. While specific legislation may vary across different regions, the overarching principle is to focus on the highest risks relevant to our business. Rather than solely considering the cost of compliance, it is crucial to evaluate the cost of non-compliance. This includes the potential fines and penalties that companies may face for non-compliance.
To address these challenges, effective communication and transparency are key. It is essential for all stakeholders to have a clear understanding of compliance activities and for compliance professionals to engage in open communication. Compliance plans can play a crucial role in outlining the most important tasks to be achieved and should be communicated throughout the organisation, regardless of its size.
By prioritising the main exposed risks and fostering effective communication and transparency, companies can benefit from a more focused and effective compliance approach that aligns with their specific needs and reduces potential risks.
🎙️ Andrew (moderator): It's crucial to have a cohesive executive culture and tone from the top, which reinforces the compliance program's foundation. This involves working with stakeholders, understanding the business, and integrating various metrics, KPIs, and communication channels.