Compliance risks are defined as the risks that result from violations of laws, regulations, codes of conduct, or organizational standards of practice. Compliance risk management is a part of compliance management and it helps identify, assess, and monitor and manage risks that might cause because of non-compliance. Compliance requirements differ from sectors to sectors. The government and regulatory agencies specify rules and regulations based on which companies in a particular sector should do business. For example, banks and financial institutions face the most complicated regulatory environment.  

‍

There are three layers to compliance: Compliance with regulations, standards defined by various organizations and industry groups, and internal policies. The most stringent compliance tier is compliance with regulations. The regulatory requirements are rules that the government impose on organizations. Both federal and state governments define rules and regulations that govern the conduct of companies and how they interact with customers and employees. One of the typical examples of a regulation that a company should publish financial statement every quarter. The second layer of compliance risks are the standards that put forth by international organizations and industry groups. For instance, companies need to follow ISO standards and deliver products and services that meet regulatory and customer requirements. To be certified in ISO series of standards, a company should adhere to the requirements outlined by the International Organization for Standardization. The third layer is the internal policies that an organization establishes to perform efficiently and effectively and to keep up with the regulations.

‍

Understand the risk of non-compliance

Compliance officers need to assess and understand the risk of non-compliance. Some of these risks need to be prioritized and addressed aggressively as they might result in huge fine, reputational damage that companies might not be able to recover from. For instance, the US banking regulators fined Citigroup $400 million on Thursday for "longstanding failure" to fix its data and risk management systems recently. So, the first and foremost step is to understand what your organization’s compliance risks are, how have they become risks, rank risks based on the priority and create a compliance risk management plan to address these high priority risks.

‍

Implementing successful compliance risk management programs

Successful compliance risk management programs adopt a risk-based approach to achieve its goals. Compliance officers identify the priority compliance risks and implement controls to address them. It allows the compliance teams to focus on the compliance risks that matter to them the most. They can tailor their compliance programs to make them ready to respond to risks rapidly. VComply is a leading GRC platform that helps meet the demands of compliance professionals by helping them perform risk assessment and implement controls.  

‍

‍

Historically, the banking sector has always been plagued by vulnerabilities and risks. The global financial crisis of 2007 and 2008 is an indicator of this fact. Robust risk and compliance management programs and use of technology have helped banks to make good progress on the risk management front. While these control systems and risk management protocols are constantly evolving, operational risk always remains a concern.  

From the ever-present threat of fraud, both internal and external, to the sophisticated cybersecurity risk, banks today, have numerous weak spots. This may be primarily due to the fact that financial entities are trying to stay on par with the ever-evolving digital landscape and this dynamic environment is relatively unexplored. Operational risk has been an independent risk category for just 2 decades now and the shifting sands of the virtual space does banks no favors.

Inherently, managing operational risks as a bank is a herculean undertaking. Some of the common roadblocks include:

• Complexity, due to the involvement of several, diverse risk types
• Uncertainty between the role of operational-risk functions and oversight groups
• Uncertainty between the role of operational-risk functions and oversight groups

All these are present in today’s environment and the integration of digitization only opens doors to more vulnerabilities. Even though improved access to data and better analytics has and can be leveraged to improve operational risk management, some of these risks might just be here to stay. For greater insight, here are the top operational risks in banking.

Third-party risk

‍

It is quite common for today’s financial institutions to rely on third-party providers for a range of services. These may be employed to better the experience customers enjoy or add to the arsenal of features on offer, but with these advancements comes serious risks. Banking institutes have to vet these providers to ensure that their vulnerabilities don’t spill over to the main enterprise.

Going one step further, total responsibility is usually that of the contractor as they are the ones that face the reputational damage that follows a breach. This means, controlling third-party risks also involves evaluating the risks associated with any vendors used by the third-party provider in question. This highlights the sheer complexity of managing operational risks in the banking sector.

Internal and external fraud

‍

These are a form  of operational risk that stems from a number of vulnerabilities and poses a threat to the entities’ financial condition, both current and projected. Fraud can arise from either:

• Failed or inadequate internal systems or controls
• Human misconduct or error
• External events

Fraud is mostly intentional, and is carried over long periods of time, sometimes even years. The losses incurred due to these crimes is difficult to determine mainly because it doesn’t stop at knowing the direct financial losses. Other factors such as the loss of productivity, investigation expenses, both cost and time, legal and compliance costs, and loss of reputation also get added into the mix for an even greater capital loss. But, thanks to the new technology, primarily machine learning, there is a way to mitigate such losses.

As per data published by McKinsey & Company, a North American bank was able to identify such risks and get ahead of them before it was too late. This bank used advanced-analytics models to monitor behavior and know its risk exposure from its retail salesforce. This method unearthed unwanted anomalies from the 20,000 employees it gathered data from.

Digital transformation risk

‍

With the pressure to go digital and keep up with the convenience and simplicity of service offered in the market, banking entities have their work cut out for them. This also applies to FinTech firms looking to give their customers the easiest and quickest experience. But this transformation to the digital sphere isn’t one without security concerns. This type of undertaking has several risks involved, including:

• Compliance risks
• Product risks
• Strategic risks
•  IT risks
• Business risks
• Cultural risks

 Cyber risk

‍

With digitization now taking its place as a mainstay in most sectors, it is no surprise that it comes with its own set of risks. Even despite the proactive risk management protocols or cybersecurity controls in place, phishing, ransomware and other such risks are still a threat. In fact, these risks have become more effective and occur more frequently. Data suggests that such attacks have tripled in the last 10 years and will continue to do so for as long as there is a reliance on digital finance services.

To make matters worse for financial institutions, antagonistic governments are known to orchestrate hostile activity around the financial services sector. Crippling these systems causes widespread disruptions and the losses are huge. A report from Accenture and the Ponemon Institute titled, ‘Unlocking the Value of Improved Cybersecurity Protection ’suggests that cyber risks, and the subsequent attacks that follow, are the highest in the banking industry and can amount to a whopping $18.3 million yearly, per company.

Data privacy and management risk

‍

Data privacy and its security is of key importance to the banking sector and it is also a facet that has been closely followed in the news. Part of the reasons for this being the 2020 California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR). However, when it comes to data privacy, the problem lies with data management. Considering that most banking entities have their data siloed, there is a gap created between this data and governance processes. This is a base-level vulnerability as AI-enabled systems face crucial data shortages that undermine its function.

While banking entities have every incentive to minimize operational risks, this is difficult to sustain. If neglected, banks risk more than just the loss of capital. In some cases, customers lose their trust in the entity and this hurts banks by restricting business or future deposits.

Incorporating operational risk management into the overall enterprise risk management framework is a systematic process and is one that must have its own tools and organization. This is where an all-in-one solution like that from VComply offers value. The platform provides a GRC suite that offers effective risk management frameworks and controls, while revolutionizing management of regulatory compliance. This tool enables seamless digital collaboration and gives you real-time risk management solutions.  

An organization needs to analyze risks that might occur and find ways to prevent them or reduce their impact. It helps them to act confidently on essential business decisions. Risk management is the identification, assessment, and prioritization of risks and taking steps to reduce risks to an acceptable level. In first, organizations need to identify and prioritize risks. Once they identify the risks, they need to conduct an in-depth assessment of risks. A risk assessment matrix plays a significant role in risk management. It is an essential tool that helps identify and prioritize risks by evaluating the likelihood of a risk occurring and the severity of each risk if it were to happen. It is a method of improving the visibility of an organization’s risks with an assessment based on multiplying the likelihood that a risk will occur by its impact on the organization.

‍

Risks can also generally be classified into high risks, medium risks, and lows risks. A high level risk has a higher chance of occurrence and can cause significant damage to the organization. A Medium risk has a 50% chance to occur and will cause damage but not too high or low. A low risk has low chances of occurring and will not cause any severe damage. However, in some cases, the chances of the risk appearing might be low, but it could cause severe damage. A risk assessment matrix depicts a visual form of risk assessment with highest level of risks at one end, the lowest level on the other, and medium risks in the middle. It often uses color-coding to represent different levels of risks to identify where to give more attention. 

A risk assessment matrix contains a set of values for a risk’s probability and likelihood. The following image depicts a 3x3 risk matrix that has 3 levels of likelihood and 3 levels of severity.
‍

A GRC platform like VComply can help you perform risk management and design internal controls that keep your organization compliant.  VComply provides an uncomplicated way for you to manage compliance and risk, allowing you to assign controls and track them through an intuitive interface.

‍

‍

Operating as a non-profit organization in an overly competitive and capitalism-first economy means that there is no shortage of obstacles. Non-profits are bound by unending public scrutiny coupled with strict government regulations because of the special financial privileges they enjoy. The tax-exempt status combined with access to public funding is two very good reasons why compliance, on all fronts, can't be ignored. 

Yet, an increasing number of non-profits underestimate their exposure to risks and fail to employ the required risk-assessment and prevention safeguards. 

The data suggests that 3 key factors drive this negligence among non-profits: 

‍

• An unfounded belief that non-profits are protected against compliance risks
• A critical lack of understanding about risk management among the administration
• A belief that regular risk assessment isn't feasible for non-profits

Naturally, none of these validate or even pardon noncompliance, which is why it is extremely important for non-profits to comply with regulations. For greater insight into the matter, here are 5 compliance risks that non-profit organizations face and guidance on remedying them. 

Failing to submit tax documentation 

While it is known that non-profit organizations are exempt from all federal corporate taxes, they still have a responsibility to the IRS. To remain compliant and retain their tax-exempt status, non-profit organizations in the US must file Form 990 with the required tax information on a yearly basis. Additionally, non-profit organizations with staff are required to maintain a W-4 for each employee, and file Form 941 on a quarterly basis unless the IRS requests otherwise. 

Failure in meeting this requirement has serious consequences, for which a steep fine is just the precursor of what's to come. These fines accrue daily, meaning the longer this information goes undisclosed, the more money it costs. To make matters worse, it doesn't stop revoking the 501(c)(3) tax exempt status. Continual negligence in this regard can also lead to the administrative dissolution of the corporation. Naturally, managing this risk requires these organizations to have an internal control or risk management system to help mitigate these issues on time. 

Hosting auctions outside IRS regulations

Non-profit and for-profit organizations share some similarities when comparing the compliance protocols for making money. In both cases, compliance is stringent, even if the purpose of raising money, via an instrument like an auction, is for a good cause. For such undertaking, the non-profit organizations must follow IRS regulations to the tee or face a penalty, in the form of a fine. Some states even require non-profits to apply for a special fundraising license before hosting auctions. 

 With auctions, potential compliance issues could arise in 2 ways: 

‍

1. Against quid pro quo contributions
2. Against non-cash gifts

In the case of quid pro quo contributions, where the donor exchanges money for goods or services, the non-profit organization must provide donors with a letter containing a disclosure. This letter's contents are the good-faith estimate of the market value of the goods or services the donor has received with their contribution. Failing to provide this acknowledgment letter can result in a fine of up to $5,000 per auction. 

On the other hand, when someone donates goods to an auction, the non-profit organization must submit tax-related information about the exchange. This includes: 

• Name of the organization
• A statement that details the services or goods exchanged by the organization
• Description of the item that was donated

Managing this data is important as the regulatory bodies require it and doing it manually is asking for trouble. A neat solution would be a cloud-based software that gives non-profits seamless access to data caches, so that this type of crucial information is always up to date.  

Lobbying 

Given the good that non-profits set out to achieve, it is no surprise that any political candidate would want the endorsement or backing of one. However, under the Internal Revenue Code, it is clearly stated that all section 501(c)(3) organizations are prohibited from participating in any form of political campaigning or lobbying. This includes any direct or indirect intervention of any sort.

Violating this tax code results in revoking the tax-exempt status applicable to the non-profit organization and may even lead to the imposition of additional excise taxes. Having a clear understanding of this compliance risk and ensuring that all organization members are aware of it is a good way forward. 

Earning substantial profits

Non-profit organizations are known to suffer from a lack of finances, but there is an excess of profits in some instances, and this is a problem. As per regulation, non-profits aren't allowed to earn sizable amounts of profit and doing so goes against compliance norms. Even though the money is meant to serve a good purpose, it is illegal as per the compliance regulations for the collection of tax on sale. 

However, there may be instances where a non-profit underestimates the profits earned and in such cases, experts suggest that any excess must remain within the organization. This surplus may be used to pay off debt or finance the non-profit's mission in the future. 

The Board, employees and volunteers of non-profits need to be aware of this fact to comply with regulations. 

Botched record-keeping 

Complete transparency is a mainstay of any non-profit organization, which is why maintaining records is crucial. Unfortunately, this is an area that many have been lacking, which brings about a plethora of compliance issues. Without proper records, the annual Form 990 will be incomplete and have discrepancies, leading to problems. Moreover, the IRS and other governing bodies quite frequently request information from non-profits, and botched record-keeping will stand in the way of this. 

Experts believe that a failure to maintain records efficiently is a good way to break laws and is among the easiest ways to risk non-compliance. Thankfully, digitized solutions help solve this problem with cloud-computing and customizable control systems, thus ensuring records are maintained and secure.  

Considering the role that non-profits play in the economy, it is incredibly vital that they do not abuse their economic privilege. For this reason, non-profits need to implement internal controls and there's no better way to safeguard the organization than to do it pre-emptively. This is where VComply can be of great assistance to non-profits by providing fully integrated GRC Management Software. It gives organizations the option to establish controls and reminders to ensure that compliance obligations are the first priority. VComply helps non-profits with real-time data tracking, risk management, and compliance management without complications.

‍

Regulatory watchdogs around the world served stiff penalties in 2020, with major financial institutions being asked to own up for their deficiencies and malpractices. Citigroup faced a $400 million fine for risk management shortfalls, JP Morgan was charged $920 million for illicit market activity, Westpac agreed to a record fine of AUD 1.3 billion for anti-money laundering breaches, Goldman Sachs was fined $2.9 billion in connection with the 1MDB scandal, and Wells Fargo saw a huge $3 billion penalty for he fraudulent account fiasco.

‍

The list could go on, but as the fines grow weightier, all eyes are on what compliance can do to protect organizations from not just economic damage, but the long-lasting reputational damage that accompanies financial abuses. Here are some compliance learnings one can glean from the Goldman Sachs and Wells Fargo cases.

‍

Goldman Sachs

In the 1MDB scandal, Goldman Sachs came under intense scrutiny for its role in money being siphoned from Malaysia’s sovereign wealth fund, 1Malaysia Development Berhad. The ongoing investigation probes the bank’s role in underwriting 1MDB bond issues. About $6.5bn was raised in 2012 and 2013 and the bank is said to have earned over $600m in fees for the work. The complex global fraud saw Malaysian common folk deprived, private pockets filled, and Goldman Sachs staring at fines to the tune of $5 billion.

Recently, the bank’s chairman and CEO, David Solomon, called the scandal an “institutional failure”, noting that “certain former employees broke the law, lied to our colleagues and circumvented firm controls...we did not adequately address red flags...”

In the aftermath of the 1MDB scandal, experts from around the world have opinionated on what might have led to the massive corruption scheme.

Here are some insights compliance officers can gather from the 1MDB event.

‍

1) Make compliance part of business strategy

Goldman Sachs intended to expand aggressively and dominate the South-East Asian market. The problem lay in the fact that the SEA market was also known to carry a high risk of money laundering. Turns out that Goldman’s compliance and risk management systems weren’t primed in keeping with the high-risk business model that the bank was adopting for the region. The US Department of Justice later noted that, “[ Goldman’s] business culture…particularly in south-east Asia, was highly focused on consummating deals, at times prioritizing this goal ahead of the proper operation of its compliance functions.” A key learning from this is that compliance is a crucial element of business strategy.

‍

2) Ensure the ‘tone from the top’ safeguards     compliance

Central to the1MDB scandal was former chairman of Goldman Sachs in South-East Asia Timothy Leissner and he later pleaded guilty to conspiring to launder money.  Bloomberg reports Leissner as revealing that the “culture of secrecy” at Goldman led him to conceal wrongdoing from compliance staff.

“It must be presumed,” lecturer from the University of Alexander Dill says, “that he would not have attained partnership status, without executive management’s approval of his conduct and character. Who makes partner at Goldman is a true reflection of the company’s tone at the top.”

When the tone at the top upholds ethics and integrity, compliance has a firm footing. If ethical norms are brushed aside by an organization’s leadership, it can only be a matter of time before cracks emerge.

‍

3) Avoid a siloed approach as it cripples compliance efforts

International fugitive Jho Low, is accused of having masterminded the 1MDB plot and Leissner tried to have him as a Goldman Sachs customer. The move was prevented by the bank’s Compliance Group and Intelligence Group on concerns they had over the source  of Low’s wealth. Yet Leissner continued to work with Low and financial regulation news analyst Regulation Asia points out that, “a siloed approach to KYC allowed its sales team to circumvent controls and onboard Low as an indirect customer via the 1MDB bonds.”

If your organization’s sales teams, compliance departments, senior management, and board work in silos, information can slip through the cracks and controls in place to detect financial crime can give way. In case of money laundering, the first step of “placement” that is the act through which the fraudster seeks to insert tainted money into the legal system, is crucial. For KYC controls to work efficiently, it is best that all departments work together.

‍

Wells Fargo

The account fraud scandal at Wells Fargo came to light towards the end of 2016.Over million fraudulent bank and credit card accounts were reportedly created on behalf of clients of the bank without their knowledge or consent. Wells Fargo betted hard on a cross-selling strategy and by 2012 had an average of .9 products per customer. However, by 2013, rumors had surfaced that employees were gaming the system to meet their cross-selling targets.

Cutting to the chase, a Shearman & Sterling report later pointed out that, “Many employees felt that failing to meet sales goals could (and sometimes did) result in termination” and that “certain managers explicitly encouraged their subordinates to sell unnecessary products to their customers in an effort to meet sales goals.”

It’s clear from this that the Wells Fargo fiasco boils down to aspects like a problematic business strategy, bad company culture, and poor tone at the top. Back in September 2016 the bank was fined $18 million and as recently as February 2020 Wells Fargo faced charges amounting to $3 billion.

What can compliance officers learn from Wells Fargo fiasco?

1) Have many parts working together to achieve compliance

Reports reveal that in mid-2014 Well Fargo attempted to curb the malpractice of creating fraudulent accounts with an ethics workshop. Yet, reports also indicate that bank managers allowed illegal conduct to persist until 2016. The point here is that compliance cannot really thrive or survive if there is discord between your Code of Conduct and company culture. You need to weed out rouge employees and correct a bad company culture if you are to be successful.

Stanford researcher Brian Tayan keenly points out that branch-level employees received incentives to cross-sell, but the senior-executive bonus system did not have the increase in products per household as a metric. Are there business-critical matters that are passing the oversight of senior members at your organization? Compliance is everyone’s responsibility and requires the entire team, right from the employees to the senior management and board, to protect the organization from known risks.

2) Use software to  manage compliance and risks

Assuming that you set realistic targets for your employees and have appropriate controls in place to mitigate risk, how do you maintain a controlled and cohesive environment, prevent stuff from slipping through the cracks, and avoid risks from growing unnoticed? A notable way of doing this is to use cloud-based GRC software that works on an organization-level.

VComply, for instance, gives you the tools you need to assign responsibilities, escalate matters, conduct gap analysis, monitor your risks, evaluate existing controls, distribute, and test policies, and a lot more. You may or may not have thousands of employees like Wells Fargo; nonetheless, overseeing the lifecycle of your compliance, risk, and policy efforts can be painstaking and even impossible if you do not have the tools to do so.

3) Remember compliance pays dividends in customer trust

Wells Fargo has been, and still is, among the biggest banks in the US. Imagine the shock and betrayal customers would have experienced on hearing that Wells Fargo created fraudulent credit cards or bank accounts in their name. The reputational damage of non-compliance is immense.  "Simply put, Wells Fargo traded its hard-earned reputation for short-term profits, and harmed untold numbers of customers along the way," US attorney Nick Hanna is quoted as saying.

The moral is that no one is above the rules of regulations. Regulatory compliance is not something you want to gamble with as it can wipe out your customer base and share holder value.

Whether t's anti-money laundering or nurturing an ethical business culture, Goldman Sachs and Wells Fargo teach us that compliance is more than a checklist. It evolves with your organization and having the tools to stay compliant best serves your growth.

Internal audit plays a crucial role in guiding an organization with key insights on corporate governance and suggest improvements on improving compliance, reducing risks, boosting efficiency, and enhancing regular operations. It probes into soft spots and critical business areas and reports to senior management within the organization.

‍

Standards like ISO demand some amount of internal auditing. But the management can decide how much more internal auditing is require depending on how much is at stake for the organization. It is possible for you to engage an external, third party auditor to step in if you do not have a competent team of internal auditors. However, having an internal team that can serve as a trusted consultant is always an upside. When internal audit performs an objective analysis of departments, the end result is fewer threats and more savings in compliance costs.

‍

Below is a step-by-step guide that can be followed for an audit.

‍

Step 1: Plan for and create an audit program

‍

Identify what needs auditing and how often:

Depending on the risks you face, the control systems in place, and the requirements on governance, you can have more or fewer audits. If the threats are many or costly, you typically want to audit those risks more often. If you are a finance company, you could audit cash handling and credit card usage fairly frequently, while also auditing cybersecurity, cost saving opportunities, and customer service routinely.

‍

Schedule the audit and notify teams:

It is very helpful to create an audit calendar as this ensures fruitful auditing. Your teams will have more documentation and records to bring to the table, if they know well in advance that they are expected to keep their material ready for a review. Surprise auditing might be helpful, but they may also sow distrust. It is customary to alert teams of scheduled audits with a notification.

‍

Gather information and define the scope:

Part of this step involves gaining sufficient subject matter expertise. If you handle a lot of personal data, for example, you want your auditors to be thorough with the likes of SOX, PCI DSS, HIPAA,FISMA, FedRAMP, as well as business best practices that have a bearing on risk management and control systems. External auditors can be of help, depending on the level of expertise required.

‍

Another part of this step is risk assessment. The inputs and concerns of the leadership are essential here and depending on your business, you want to know your inherent risks and the impact recent regulatory changes have on your operations.

‍

Outlining the objectives and scope of the audit in an entrance meeting is also important. In general, the main objectives of internal audit pertain to the evaluation of risk management systems and internal controls. But specific objectives, such as a 6-month review of financial activity, a vendor assessment for conflict of interest, and a review of company data security, can help clarify the scope and purpose of the audit.

‍

Draft an audit program:

With risk assessment done and the objectives laid out, you can proceed to planning for a fruitful yet cost-effective audit. The program should list out practical elements, such as:

‍

●      Audit methodology

●      Deliverables like audit report

●      Controls to be tested

●      Deadlines and timetable

●       Modes of communication

‍

Step 2: Focus on fieldwork

On-site fieldwork comprises the evaluation stage of the audit. Internal audit will seek to gather audit evidence through different modes. These include:

1. Interviewing staff: Formal and informal questions are asked to key employees and department personnel
2. Observing processes and controls: Auditors examine based on what can be touched, seen, and heard to gain reliable evidence
3. Reviewing documents: Scanning through records and practices gives auditors an idea of how the internal processes line up with policy requirements
4. Performing testing: System tests on physical equipment or management systems help auditors unearth threats and errors

‍

Depending on the scope of the audit, the on-site fieldwork could stretch for days to months. Nevertheless, care must be taken to ensure that disruptions to regular activity is minimized. Further, internal audits may bring up issues as they surface and provide preliminary evaluations. This is beneficial, as informal communication can help the organization adopt recommendations on the go. Proper communication is a vital component of an internal audit. In fact, many rue the fact that poor communication lessens the value of critical information.

‍

It can be helpful to have internal audits categorized risks into high, moderate, low, for instance, and provide audit status updates, in case the audit is long. Once internal audit has satisfactorily gathered audit evidence and all necessary information, it should proceed to documenting results. Systematic recording of findings makes for a better audit report.

‍

Step 3: Issue an audit report

The most important deliverable of the audit is the audit report. The format of the reporting may differ from one organization to another, but the goal of the report is to present the audit findings in a formal manner.

‍

The reporting phase may include these 3 elements:

1. Draft report: A promptly prepared draft report provides an opportunity for a collaborative review of the findings with the management or leadership
2. Exit meeting: A discussion of the audit issues and recommendations is helpful as it helps incorporate the management response in the final report and also makes the endeavor more actionable
3. Final report: A factual, concise, well-organized report with an action plan serves as the vehicle for recommendations being well-received

The reporting step is of great importance and efforts should be taken to ensure that it receives adequate budgeting. The audit report stands as evidence of the audit being conducted and must be signed by senior management.

‍

Step 4: Follow-up after the audit

Many organizations today have a structured process to verify whether the action plan is being implemented or not. If the corrective measures require time, monitoring and follow-ups become necessary. The ISO PCDA (Plan, Do, Check, Act) model supports an ongoing cycle for the improvement of processes and systems. Internal audit can adopt this method to improve upon areas where gaps have been identified.

‍

Organizations also use GRC tools such as VComply to foster a healthy environment of compliance and adequate risk management. The advantage of such a tool is that you can monitor and improve upon control systems and areas of risk in an ongoing manner and in real time too. Moreover, you govern your business better as you are no longer working in silos and with spreadsheets, but organization-wide, with customized software. VComply, for instance, allows you to schedule tests, classify incidents, track progress and more.

‍

Now that you are aware of the basics of conducting an internal audit, venture forth to create a robust and consistent business processes!

The year 2021 ushers in a new decade of business change, especially considering the roller-coaster that 2020 was. As organizations move forward, there are various compliance challenges both new and old that compliance officers must come to terms with. Compliance refers to playing according to the rule book, so amid geo-political changes, data privacy concerns, questions on operational resilience, and cybercrime threats, there is new interest in policy and regulatory mandates.

‍

To shed some light, here are 5 pressing compliance challenges businesses will face 2021.

‍

The workplace after COVID-19

As workplace restrictions ease and eventually give way to business as normal, organizations will have to rethink their work models, ensure workplace safety, and assess their exposure to legal risk. With the onset of the new administration in the US, the Occupational Safety and Health Act (OSH Act) is expected to pursue COVID-related enforcements more aggressively.

‍

OSHA had earlier issued guidance on preparing workplaces for COVID-19 and it expects employers to take steps such as:

●      Developing an infectious disease preparedness and response plan

●      Having policies and procedures for prompt identification of potentially infectious individuals

●      Issuing flexible leave policies, in line with public health guidance

‍

If employers fail to comply with standards, for instance, by not adopting virtual meetings as a control when the situation calls for them, there could be hefty fines to be paid on lawsuits.

‍

Apart from OSHA, employers would have to pay attention to the Americans with Disabilities Act(ADA) and the Family and Medical Leave Act (FMLA) too. As an employer, you may also want to institute a pandemic response team and undertake workplace risk assessment to know who may be at risk based upon their regular workday interactions.

‍

Remote work as a permanent fixture

While opening the workplace in a safe manner, employers may find it difficult to dislodge work from home from its perch. Many find that it boosts productivity (while saving commute time and costs!) and, going forward, many companies may move to a partially-remote work model.

‍

However, while work from home uncomplicated the path forward at the onset of the pandemic, it may have complicated compliance by a whole lot. For instance, how do you manage payrolls for employees who work out-of-state for half the month and in-state for the rest? Do your employees get stuck paying income tax in two states?

‍

Alongside a web of complicated tax issues, you also have the world wide web and the issue of data privacy and security to heed to. With weaker Wi-Fi networks, more personal devices, and the absence of company IT security systems, the prospects of cyber risk increases. A single data breach can cripple your business and cause financial, legal, and reputational loss. Some other elements that employers will have to consider are:

‍

●      Work from home infrastructure

●      Occupational safety and health

●      Disability accommodation

●      Insurance coverage in a WFH setting

‍

Brexit and subsequent EU-UK deals

Brexit has a direct impact on businesses in the UK and a direct impact on the US. Major finance companies in the US route their EU operations through London, and hence the implications of the Brexit deal are important. Banking services, for instance, no longer enjoy automatic right of access to markets in the EU. Likewise, professional qualifications won’t be recognized automatically. In essence, you would have to comply with different sets of regulations, for the UK and EU, wherever applicable, moving forward.

‍

Freedom of movement between the UK and EU is also something that Brexit severed. New immigration rules have entered into force, but several visa restrictions have been removed. Importantly, data transfers from EU to UK and UK to EU will be treated differently. The UK does not yet enjoy an ‘adequate’ status when it comes to data protection, just like it does not enjoy ‘equivalent’  status for financial services. Finally, for a multi-country data breach you could be dealing with both, the UK's Information Commissioner’s office and an EU regulator.

‍

Big data and balancing rewards and risks

With business ecosystems going digital the potential for big data to revolutionize how a company provides its services is unprecedented. However, given the legal, financial, and reputational ramifications of mishandling personally identifiable information (PII), such as passwords, payment information and passport number, it is possible for data to pose serious compliance challenges. You must be prepared to account for the flow of data through your organization, through all points, be it collection, processing, or storage.

‍

Here are 10 compliance hurdles linked with big data:

●      Inability to properly identify and classify data

●      Lack of mapping data with the regulations that apply to them

●      Lack of clarity on the ownership of the data

●      Possession of large volumes of data that could be subject to a major breach

●      Insufficient tools to manage and control the data through its lifecycle

●      Possession of vulnerable infrastructure that houses data

●      Inability to distinguish between public and private data

●      Lack of controls with respect to third party big data service providers

●      Insufficient knowledge of global regulations that apply to data being handled

●     Presence of unprotected data on the cloud

‍

As technology continues to disrupt the way businesses operate, maintaining a compliant environment will be a challenge but will prove to be a necessary safety net.

‍

Environmental protection as a priority

As consciousness of the fragility of the world we live in continues to grow, more attention will be given to the way businesses conduct their operations. What is the effect of non-compliance with environmental regulations? Penalties, fines, project delays, increased scrutiny, and above all, a tarnished public image are a few. Apart from these, there are physical risks such as floods and fires that can arise if environmental issues aren’t given due respect.

‍

Depending on where you are located, you may have different levels of regulations to adhere to, for instance, county-level, state-level, and federal-level. Hence, it is good to do a full audit of your operations and note the regulations that apply to you. Some of them may pertain to hazardous waste, air permits, storm water, toxic substances, clean water, resource conservation, and so on. Being compliant is not a choice, really. But your organization can transcend the limits drawn by regulations and strive for what is socially desirable too.

‍

Adopting low-carbon policies, using energy efficiently, saving resources through the supply chain, for instance, are approaches that build customer confidence and draw investor attention. The hard work put into maintaining legal compliance and setting green development targets can yield to economic advantages in the long-term.

‍

One thing about these 5 compliance challenges is that juggling between multiple compliance regimes, such as PCI DSS and GDPR or HIPAA and CIJS, is hard. It becomes even more difficult if you do not have a way to oversee compliance on an organization-level. Poor communication, training, monitoring, and data management can hinder compliance. Being stuck in silos with spreadsheets and binders fails to provide the big picture and that is the gap VComply, an integrated GRC solution fills.

‍

With it you can analyze your organization’s performance with graphs, delegate responsibilities to increase accountability, get real time alerts, obtain automated reports and much more. So, as you tackle the compliance challenges2021 has in store, commit to a smarter way of running your organization!

Cyber threats have grown from being plausible to probable. With organizations becoming more dependent on the internet, social media, and digitization, exposure to cyber risk has also increased manifold. Today, cyber security is among the top priorities of organizations world-wide simply because a cyber-attack can leave your organization in a dilapidated state – untethered from information systems and unable to provide services, owning a handful of compromised data, and staring at massive reputation loss.

‍

To discover the big picture, consider some recent statistics. IBM reports that the global average cost of a data breach in 2020 was $3.86M. For the healthcare industry, the average cost is almost double, $7.13M. Concurrently, HIPAA Journal reported that 9.7M health records were compromised in September 2020 alone. But it’s not just big businesses that are facing the brunt of cyber breaches, 43% of cyber-attacks target small and medium businesses, notes Fundera.

‍

With cybercrime growing at a compounding rate – 300-600% in recent months – cyber risk positions itself as the biggest challenge to organizations around the globe. Here’s a primer on cyber risk and your organization.

‍

What is cyber risk?

Cyber risk refers to the risk associated with “financial loss, disruption or damage to the reputation of an organization from failure, unauthorized or erroneous use of its information systems,” as per PWC. However, it includes the “the potential of loss or harm related to technical infrastructure or the use of technology within an organization,” according to RSA.

‍

Cyber risk can materialize in varied forms. Here are some examples of cyber risk:

‍

• Unintentional breaches of security
• Cybercrime such as the theft and sale of corporate data
• Cyberterrorism, for instance, virus installation or a denial-of-service attack
• Third-party vulnerabilities that leave customer data compromised

‍

Cyber risks can be classified according to intent and source:

‍

• Internal malicious
• Internal unintentional
• External malicious
• External unintentional

‍

What is the impact of cyber risk?

It is worth noting that the classification of cyber risks according to intent and source may not determine the negative impact they have on your organization. For instance, reports have it that 52% of data security breaches boil down to human error and system failure. Another report indicates that 95% of cybersecurity breaches have their source in human error.

‍

The impact of cyber risk can be divided into a few categories:

‍

• Financial loss: The average cost of a data breach in the USA is $8.64M according to IBM and economic loss can arise from various quarters. You may be unable to provide services or carry out transactions; proprietary information or even money may be stolen; you may have to spend large sums of money repairing your information systems. You may even have to rejig your business operations and find new ways to conduct business.

‍

• Reputation loss: It can be hard to put a finger on the economic impact of reputation loss but suffice it to say that loss of customer trust can cripple a business altogether. Customers may share confidential information with your business and if this gets compromised you could lose your customer base and see reduced sales. Invariably, you’d have to give up your market position and mend third-party and investor relationships.

‍

• Legal loss: There are data security laws in place to protect customer data and these require you to adopt certain controls and deploy security measures in case a data breach occurs. In case you are caught off guard, you may have to pay regulatory authorities and other parties in millions of dollars. There are legal costs to bear too, and because of the seriousness of the issue, some organizations buy cyber risk insurance to cover their losses.

‍

The cost of protection is also something that can be added to this list. Building safer information and networking systems takes money and requires the use of vetted software and hardware. The ongoing management of these systems and their maintenance also add to the costs.

‍

How should you approach cyber risk?

In today’s digital age, you cannot avoid exposing yourself to some amount of cyber risk. You cannot avoid digitalization or digital transformation just because you want to avoid cyber risks. It can affect your business growth, revenue expansion, and market consolidation.

‍

Hence, the goal is to navigate cyber risk well.

‍

Firstly, you need to know what your assets are. And what you are trying to protect from intentional/ unintentional cyber risks:

‍

• Do you store customer data either directly or with a third party?
• Do you have intellectual property that needs to be protected?
• Do you possess financial data or contract terms that cyber-thieves would want?

‍

Then, you need to understand what cyber threats you may face, and which assets may come under fire. Cyber threats are not the same as cyber risks. A threat is an event that can exploit a point of vulnerability to damage an asset. When you have linked cyber threats to your assets, you know what cyber risks you have on hand.

‍

With this information ready, you can then proceed to drafting a cyber risk appetite statement. Defining your cyber risk appetite gives you clarity on many fronts:

‍

• You get clarity on how much risk you are ready to tolerate
• You know how much you are prepared to spend to mitigate the risk
• You gain insights into the prioritization of risks that affect your business

‍

How do you manage cyber risks within your organization?

Cyber risk management is an ongoing process that can be broken down into a few key steps:

‍

Identify the risks: Note your assets, threats, and vulnerabilities. For instance, you may have a weak technological infrastructure with employees working from home on personal devices, and this could lead to company data being more vulnerable. Here are some possible avenues of cyber risk: 

‍

• Opening suspicious emails
• Using personal devices at the workplace (BYOD)
• Failing to log out of accounts
• Using outdated software
• Not scrutinizing third-party vendors
• Setting insecure passwords
• Having weak home Wi-Fi security
• Possessing weak links due to an IoT ecosystem

‍

Assess the risks: At this stage, you need to analyze the risks in terms of their likelihood and severity. Based on that you can forecast what the impact of the risk may be.

‍

Evaluate and prioritize the risks: This becomes easy if you have a well-defined risk appetite statement. You can begin to answer questions such as:

‍

• Which risks can the organization do without?
• Which assets demand the greatest amount of security?
• For how long can the organization delay taking on this risk?
• Do the risks align with the organization’s business strategy?
• What is the organization’s net level of cyber risk?

‍

Respond to the risks: You can modify the impact of a risk by adopting a corrective control. For instance, you can enforce multi-factor authentication for more secure logins, deploy company apps to isolate sensitive data, and adopt a policy for patch/ update management. Exploring the 20 CIS controls can prove to be vital.

Here are some practical ways to reduce cyber risks:

‍

• Educate your staff
• Keep software systems updated
• Draft a cyber security policy and a breach response plan
• Cut down on data transfers
• Avoid downloads as far as possible
• Schedule regular backups
• Limit access to data by assigning privileges
• Encrypt your data
• Invest in a robust cybersecurity system

‍

After treating your risks with controls, you decide to tolerate some cyber risks, terminate others, and transfer the rest to a third party.

‍

Your cyber risk management efforts work best when they tie in with your organization’s risk management framework. Moreover, you should strive for a three-pronged approach of ‘cyber risk assessment’, ‘cyber risk management’ and ‘cyber risk monitoring’. Whether it is enforcement, accountability or the aspect of bringing senior leadership into the game, you can best integrate cyber risk management with your GRC strategy when you have a risk management platform like VComply.

‍

With VComply, you can set in motion cyber risk management lifecycle, invite collaborators to evaluate risks, establish tolerance levels, monitor your risks, assign implement controls to address risks, delegate ownership, and escalate failures, setup alerts and more. This gives you the means to safeguard your organization against internal and external cyber threats in real-time.

Proper policies are integral to the good governance of any organization. Clear and actionable policies, for instance, a cybersecurity policy or an employee safety policy define the boundaries of employee conduct and set the stage for a compliant workplace.

‍

That being said, it isn’t sufficient to write a policy and leave it as a permanent institution. Policies must undergo renewal if they are to remain relevant. Likewise, it is important to assess which policies you really need. If you have too many policies, compliance itself would cripple business progress. Conversely, if you have too few policies you run the risk of undue exposure to threats and legal complications. Hence, it is incumbent that your organization follows a policy management process. It is a strategic tool decision-makers can use to guide the organization.

‍

Below are some points that outline what an effective policy management process looks like and secondly, offer guidance as to whether you need policy management software.

‍

What is policy management?

Policy management refers to how an organization develops, communicates, manages and maintains its policies. It is a comprehensive process that is aimed toward ensuring that the various parts of the organization work together for the good of the whole. Thus, good policy management would verify that various departmental policies do not undermine the functioning of the organization as a whole.

‍

A policy management lifecycle is generally defined by these phases:

• Creation
• Communication
• Management
• Maintenance

‍

What does an effective policy management process look like?

An effective policy management consists of the following phases and sub phases:

‍

    Creation

• ‍Need: It isn’t possible to create policies for every contingency. However, you need to create policies to manage your areas of risk, for meeting regulatory requirements, and covering all legal bases. Do your employees need a dress code policy? Do you need to comply with medical leave requirements? What are the legal burdens of not having an anti-harassment policy? Such questions help assess the need for policies.

‍

• Ownership: Once the need is identified, and prior to the development of the policy, you should define who, or what business role owns the policy. At which corporate level will the policy be owned and distributed? For instance, the policy manager, owner, approvers, and recipients could all be on different levels of ownership.

‍

• Drafting: You should use careful language while drafting a policy and make it consistent in format with other administrative policies, it can be helpful to use a template. Your policy should be clear so that the policy is understood easily by the target audience and will not be misinterpreted. Policy writing is ideally a collaborative effort.

‍

• Approval: Once written, the policy undergoes reviewing and is subject to approval. This step is iterative and even post the review, senior management, the board of directors, or the concerned department may reject the policy. Once approved, the policy may be published.

‍

    Communication

• Publication: Your policy should be distributed to all employees and stakeholders. Having multiple modes of publication can prove to be counterintuitive as they may leave you without an authoritative source. Rather, having a single repository for your policies works better. You can maintain a policy portal so that the policy updates can be easily accessed as well.

‍

• Training: For proper adoption of the policy, individuals need to be made aware of what it entails. You can create videos and quizzes to disseminate information and check how well it has been received. Explaining the rationale behind the policy is also a good way to concretize it. Case studies are also a powerful medium of imparting training. In case of updates, reeducation efforts should be made.

‍

• Attestation: By signing a policy receipt acknowledgement or a policy attestation form, employees confirm that they have read, reviewed, and will abide by the policy. Multiple policies may be listed on a single attestation form or conversely, the form may refer to a specific policy. The attestation form should be dated and contain the policy version.

‍

    Management

• Enforcement: This is the process of ensuring that the laws are being complied with. Just having a policy on paper, or even controls in place, is not enough. If laxity creeps in, and employees perceive that policy enforcement is not a priority, then the organization’s exposure to risk increases even though a policy is there on paper. Hence, the CCO, for instance, should call out instances of non-compliance and controls must be monitored.

‍

• Exception management: Some instances of temporary non-compliance with the policy are justifiable. This involves going beyond the letter of the law to the spirit it was written in, accounting for the greater good of the organization. Such flexibility adds to the policy’s worth and compliance managers should review, document, and assess the risk of each policy exception request.

‍

    Maintenance

• Review: Policies must be monitored and revised for them to be continually effective. Such reviews may happen annually or more frequently. At such review meetings, aspects such as instances of non-compliance and exceptions are considered alongside regulatory and business requirements. Accordingly, the policy is updated, approved, and re-communicated, or it is retired. If it can stand as is, it is left without amendment.

‍

• Archival: The archives store each policy, and every version of it, for future reference. This can be helpful for investigation purposes and both, the organization as well as regulators benefit from a well-kept policy archive, containing all levels of detail.

‍

When do you need a policy management solution?

Not every organization requires a policy management solution immediately. As the level of accountability grows, the need for a solution arises. The complexity involved with managing your policies also determines the need of a software solution.

‍

Here are some indicators that you need a policy management solution:

‍

• You need to track the attestation and training status of a large number of employees
• You have a large number of authors, collaborators, and approvers
• You have no central repository of all policies
• Your policies exist only on paper till date
• Your policies require frequent updating
• You struggle to map policies to regulations and standards
• You need to coordinate policy management between departments
• You want an efficient way to monitor policy controls
• Your policies are in different formats, as per each department
• Your policy management is being hindered by documents, emails, and spreadsheets

‍

Cloud-based solutions like VComply’s Policy Management Software give you a powerful way to create, modify, distribute, and test policies. For instance, with VComply, you can create questionnaires to gauge the effectiveness of a policy, assign privileges to give proper access, have a convenient audit trail, get real-time alerts, and more. Policy is a crucial component of GRC and VComply offers a range of tools for governance, risk, and compliance management.

‍

Having considered what a policy management process looks like and some reasons to invest in a policy management solution, deliberate on how to better govern your organization. Remember, the cost of bad policy management may far exceed that of investing in a policy management solution. So, when the time is right, do not think twice about using a smart software to empower your efforts!