Compliance committees take flight as GRC expands across departments

In recent years, GRC's influence has grown and regulations have multiplied. In response, many organizations are launching compliance committees and corporate compliance policies.

Last summer, George L. Reed II accepted the position of chief information officer at Seven Corners Inc., an international travel health- and trip-insurance supplier. Immediately, he saw a void in its compliance strategy.

"We needed to look at compliance at the corporate -- rather than the department -- level," he said.

Thanks to his keen observation, Reed was charged with chairing the company's first compliance committee, a task that has been taking up close to 25% of his time at work.

A growing number of businesses are following in the footsteps of Seven Corners. Compliance is a hot-button issue for top management, which now understands the potential risks (lawsuits, bad publicity, sanctions) of noncompliance. Traditionally, businesses charged one person or a small department with overseeing corporate compliance policies. However, the number of compliance-related regulations and departments has swelled, overwhelming these employees. In response, enterprises are forming compliance committees -- groups of individuals who are responsible for ensuring compliance throughout the organization.

Like toddlers taking their first steps, these committees often wobble a bit in the beginning. This area is new, and the guidelines for developing compliance committees are still evolving. In addition, getting all of the committee members on the same page can be tedious and time consuming. Finding the funding to support the group can be vexing. 

Despite the challenges, these committees are expected to become more common in businesses large and small in the coming years.

Corporate governance, risk and compliance (GRC) encompasses the people, processes and technologies in which organizations invest to comply with government and industry requirements. In the past, corporate compliance policies have been emphasized in vertical industries such as energy, financial services and health care.

However, since the turn of the millennium, the number of formal and informal regulations has been increasing. For example, privacy once meant that the IT department encrypted information and stored it behind a firewall. Now, privacy concerns the human resources and marketing departments.

"With the volume of regulations expanding and the guidelines increasing in complexity, it has become difficult for individuals or small groups to monitor corporate compliance," noted Steve Crutchley, chief executive officer at Consult2Comply LLC, a GRC consulting and services supplier. As a result, companies are starting to move this responsibility from low-profile, isolated silos in the company to high-profile corporate compliance committees.

How the compliance committees are structured, to whom they report, and how often they convene varies -- often quite dramatically. Seven Corners' compliance committee has been meeting a couple of times a week for several months. "We want to be thorough and examine compliance throughout the organization," explained Reed.

The process often starts with developing a common lexicon. Otherwise, different departments develop their own jargon, which can inhibit communication.

"A good way to get everyone on the same footing is to have each department present information about its roles and responsibilities to the group," explained Crutchley,

Next, the committee has to devise a charter that outlines its responsibilities. The focus often begins with putting procedures in place to detect noncompliance. Calling in a consultancy may help here because an outside party "may notice issues that you are blind to," Reed said.

With the volume of regulations expanding and the guidelines increasing in complexity, it has become difficult for individuals or small groups to monitor corporate compliance.

Steve Crutchley, CEO, Consult2Comply LLC

Once noncompliance issues have been identified, the business has to put procedures in place to rectify its shortcomings. This step involves developing new internal controls, holding training programs or adding new internal audits -- duties that fall under the committee's purview. The group also becomes responsible for periodically reviewing and updating the company's corporate compliance policies in response to new rules, laws and regulations that constantly emerge.

The various steps are time consuming and costly, so how does a business justify the investment?  Traditionally, scare tactics have been used: Executives would focus on the huge penalties levied against those who did not comply. Another option is to concentrate on efficiencies gained: In many cases, compliant business processes are more transparent and more streamlined than existing procedures. Since compliance has been garnering a high profile recently, top management is paying more attention to it and is more inclined to fund such projects.

As compliance committees get up and running, the need to have frequent meetings decreases. On the low end, meetings occur every quarter. In some cases, once a month becomes the norm.

Underscoring the group's importance, the committee chairperson is often the company president or chief operating officer. In fact, Seven Corners' Reed plans to hand that responsibility over to the company president during the summer.

"My job was to get the committee up and running," Reed said. "Once that is done, it makes sense that the head of the company oversees the committee."

Paul Korzeniowski is a freelance writer who has been covering technology issues for two decades. He is based in Sudbury, Mass., and can be reached at paulkorzen@aol.com.

Dig deeper on Managing governance and compliance

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCIO

SearchHealthIT

SearchCloudComputing

SearchDataCenter

SearchDataManagement

SearchSecurity

Close