Ed Sattar, CEO, 360factors Inc.

Creating a governance structure involves clarifying roles and responsibilities, resources, capabilities, and escalation procedure, as well as the information reporting system that governs business processes. It also entails the use of tools and system to enable analysis for efficient monitoring and reporting.

Dwayne Jorgensen – CIA, CFE Governance / Risk / Controls / Audit Expert

In a nutshell, from my perspective, this is the most important aspect prior to talking about any automation. When you deal with the risk function in most organization even today, it tends to be adhoc at best and a lot of that makes it more difficult at your organization to have any kind regulatory compliance framework that is not clearly defined who is accountable for any kind of regulatory framework, what are the lines of reporting, who monitors what, and who is assigned what when the follow up occurs.

Joe LeBas – Principal and Founder, Carswell, LLC –Risk and Compliance Industry Executive

One of the biggest barriers to creating a regulatory compliance framework is the reliance on email. A lot of regulatory alerts are coming to us by email. Email doesn’t keep up the dynamic nature of the business and actually lessens accountability instead of raising visibility.

Ed Sattar, CEO, 360factors, Inc.

Commitment from the top and people’s resistance to change.

Ed Sattar, CEO, 360factors, Inc.

It can vary from industry to industry and even from company to company. However, some industries are more mature such as Financial Services. They have clear roles as to who owns Risk, Audit, Security, Compliance etc, other industries such as Utilities, Energy, and Oil & Gas are emerging industries with respect to the influx and complexity of regulations.

Ed Sattar, CEO, 360factors, Inc.

It is necessary to be adequately prepared by creating a Regulatory Compliance Model which includes, but not limited to, identifying components of regulatory knowledge base and develop a regulatory taxonomy mapped to your organization’s risk framework. Some of the Components of Regulatory Knowledge Base are :

Ed Sattar, CEO, 360factors, Inc.

If you read most of my blogs, you will notice that I am a big advocate of automation. If you look at the historical data on this, you will see automation does help in scaling and in some cases it is very cost effective. So, the short answer is that automation is highly cost effective. Recently, KPMG did a research that shows most of the regulatory compliance is done in silos. You have various functional departments managing compliance through multiple tools. I have seen as high as six or seven tools by one division, Imagine six or seven departments using different tools. If all of them are using different tools, you can really do the math. If regulatory compliance is automated through one platform, it is not only cost effective, but it also increases the performance of the company with more efficient and timely division of risk. This may also lead to having a competitive advantage. Vertical integration of your regulatory departments through one platform should lead to better recording of the hierarchy.

Joe LeBas – Principal and Founder, Carswell, LLC –
Risk and Compliance Industry Executive

I like to reference a KPMG study two years back that estimated the cost of compliance to be near 4% percent of the companies top line revenue. That is a very large number, especially for companies operating at 10-20% net margins. Reducing and automating the cost of compliance is thus necessary as it is a sizable percentage of any company’s net income.

Ed Sattar, CEO, 360factors, Inc.

Gathering of the regulations is still going to be a manual process, translations of the regulations and standards is still going to be a manual process.

Chris Duden – COO, 360factors, Inc.

Some of the obvious ones that cannot be automated are staff translations and subject matter expertise.

Dwayne Jorgensen – CIA, CFE Governance / Risk / Controls / Audit Expert

As far as the COSO framework goes, we look at what used to be at the bottom-most layers of the COSO framework. With the new ERM COSO framework, they flipped it so now it is sort of at the top. It is basically at that base level where you are understanding what risk is that is relevant to that organization, defining your risk, and, most importantly, making those adjustments as to whether or not you are accepting the risk as is or choosing to mitigate it that for quite a while remained in the realm of a manual process. The significant importance of subject matter experts comes into play once you get out of that definition of what is the risk of any organization, which in this case, pertains to the regulatory compliance framework with all these recent advancements in technologies Not everything from there can be automated.

Dwayne Jorgensen – CIA, CFE Governance / Risk / Controls / Audit Expert

It’s a key component in a process, which specifically defined the internal control as the fact that it should be specifically meeting a key control objective put in place in order to effectively mitigate a key risk. You cannot think of internal control without incorporating the entire risk process. Identify the risk. Determine whether it is a key risk. Accept or mitigate the risk. Define the key control objective. Determine what steps need to be taken to satisfy the objective. Those are internal controls.

Ed Sattar, CEO, 360factors, Inc.

There are various internal control models that may include various processes, policies, procedures, risk assessments, communication processes, etc. In order for the organization to manage its risk and regulatory compliance, it should define its internal controls, business impact, and risk analysis.

Dwayne Jorgensen – CIA, CFE Governance / Risk / Controls / Audit Expert

The key thing to understand is, at the end of the day, management’s responsibility for Internal Controls is 100%. At the end of the day, the management team owns the control framework of any organization, which then is given that it also owns regulatory compliance framework. For that reason, they have to be actively involved. They have to have clearly defined roles and responsibilities and, ideally, have gone through the process of describing: which is in this area of regulations, identifying key risk universe is or regulations impacting industry or organizations, the definition of which ones are key, how do you mitigate it, and then, assigning within the management roster who has the responsibility for monitoring and reporting, how the internal controls are put in place, to mitigate those risks, and how effectively do you mitigate them.

Ed Sattar, CEO, 360factors, Inc.

The business processes are at the core of the organization and the holistic model. These processes should have strong controls and reporting capabilities. Surrounding the business processes is the GRC operational model, the layer at which the governance, risk management, and compliance management is put into practice to drive enterprise assurance.

Joe LeBas – Principal and Founder, Carswell, LLC –
Risk and Compliance Industry Executive

It’s critical role that needs to happen at the right time. Once the risk assessment is completed and the business is aware of the risk and controls that are put into place, the audit plan can start. And it usually go smoother as it builds on the levels of defense – 1) stratifying the line of business, 2) risk and compliance functions, and 3) the audit organization.

Joe LeBas – Principal and Founder, Carswell, LLC –
Risk and Compliance Industry Executive

What the board is looking for is actionable and concise information. To be a proper governance function the Board needs to see trend lines and potential hotspots. Once Boards have access to actionable types of reporting where visualization of hotspots or trend lines go the wrong way, they can drill into the business process, rather than just data for data’s sake, and detect poorly performing or well-performing business processes and process owners. I really believe in – for board members to fulfil their true governance obligations – is to be able to identify and take action on data that signifies that, in most cases a poorly performing business process.

Ed Sattar, CEO, 360factors, Inc.

Once predominantly seen as an expense, technology is now viewed by more business leaders as a worthwhile investment and a source of strategic advantage. Additionally, the advent of cloud-based technology offers more affordable alternatives for mid-market companies as they work to drive growth in their organizations. Further, it is not simply a technology tool; it is a way to rationalize risk management and controls, giving management the information they need to improve business performance and achieve compliance.

Ed Sattar, CEO, 360factors, Inc.

People – not technology – present the greatest barrier to successful convergence. Integration is likely to involve a major transformation program. So perhaps, unsurprisingly, resistance to change is considered the single biggest obstacle (44 percent), followed by complex convergence processes (39 percent), and a lack of available experts (36 percent). Less than one in ten mentioned inadequate technology as a hurdle to overcome.