Enterprises must change the narrative around compliance and business resilience, says Adrian Jolly, Managing Director at A Jolly Consulting
The events of the last year have shown us all the value of business resilience. Yet, as we emerge from a difficult time, the conversations I am having with clients from London to New York, Singapore and Sydney are often centred around the ongoing challenges that regulations and compliance are placing on their organisations. The term “burden” is sometimes used, but it is not just the scale and scope of the regulatory frameworks they face that causes the difficulty; it is often the seemingly overlapping nature of many of these requirements.
Perhaps the biggest issue is that some organisations may well lose sight of the value of compliance as a means of building business resilience. They consider only the immediate value of risk reduction, rather than treating compliance as part of a pivot towards creating an agile organisation that can cope with the next systemic shock to our society.
The rise of regulation
Although financial services are often the focus, with globally recognised standards such as the ISO 27001 and PCI-DSS frameworks taking the spotlight, there are hundreds of additional compliance requirements that may impact a multinational enterprise. The list can include areas such as cyber security, anti-money laundering and terrorist financing, electronic signatures, and data privacy and protection. These sit alongside vertical-market-specific requirements in areas like construction, critical national infrastructure and manufacturing, which must be met to satisfy agreed best practice or supplier and partner requirements.
A survey of large enterprises by Deloitte in 2020 found that, even though 72% reported an increase in budget for compliance functions over the last five years, just 43% thought that recent regulatory change had been beneficial to their respective industry. What is clear is that, after the 2007/08 disruption in the financial markets, the tightening of regulatory controls has brought trust and stability back to the market. However, as the survey points out, many organisations are still struggling, with 4 in 10 respondents saying that resource capacity or capability is still one of the biggest challenges facing their compliance function over the next 24 months.
The journey to shift the narrative of compliance from a burden to a business benefit is still a difficult path to travel. One of the key issues that is often overlooked is how much functional overlap can exist within the growing body of regulatory oversight that spans many areas, including cyber security.
As an example, consider the UK leaving the European Union, which has led to significant duplication of regulations regarding how financial firms operate cross-border. This is just one example, and there are others, especially for multinational organisations where a national mandate might be structurally similar to an EU regulation – and an elegant simplification can be achieved by modifying the reporting stage to encompass both requirements.
Yet, according to a 2018 survey of 34 banks by the Risk Management Association, 50% of respondents said they spent between 6% and 10% of their revenue on compliance costs, while another 20% spent less than 5% on compliance. This disparity in the cost of compliance is striking and suggests that businesses find it difficult to determine the true cost and value of real compliance as opposed to box ticking.
After working with large enterprises for over two decades, I see several trends that explain why we have reached this juncture. The impact of globalisation has clearly led to participation in multiple regulatory regimes, which has disproportionately affected multinationals. This is coupled with the siloed nature of many organisations, by geography or function, which inhibits centralised compliance tasks. This is an area where software tools can help overcome the inherent skills shortage and better manage an organisation's risk profile by reducing exposure to cyber security and user identity vulnerabilities.
Strategy for change
There is no silver bullet that will fix everything overnight, but there are some practical steps that offer a better strategic direction. The first is to conduct an overlap audit to find out where compliance requirements can be simplified by removing wasteful repetition and inefficient processes. Such audits require skilled, multi-disciplined teams with a wide understanding of multiple compliance regimes, but when done well they can highlight ways to significantly reduce complexity, streamline processes and ultimately reduce costs.
Consider using dynamic consultancies that can link compliance challenges more closely to transformative benefits, rather than treating compliance as just a box-ticking exercise. These external, independent consultants can provide valuable perspective on current compliance processes and, more importantly, will sit outside of any corporate politicking, avoiding the finger pointing that can derail strategic projects. For external expertise to “get the job done”, it also needs a broad set of skills and vendor relationships that span areas such as cyber security, access management, risk, and resiliency.
But perhaps the most radical change is to start framing all compliance around the potential business resiliency benefit it can achieve and not the burden it imposes. This shift must start in the C-suite and trickle down through the entire organisation.
The last year has shown us why business resilience is now so high on the corporate agenda. As we start to return to normal, let us not forget that life is unpredictable and change is the only certainty. Moving forward, organisations must become more joined up and multi-disciplined when it comes to compliance, and ready to adapt to the next shift in society and technology.