For most modern, global corporations, regulatory compliance management is a major challenge simply because of its...
scope: Each of the business' divisions likely has a set of compliance mandates to which it must adhere -- made more complicated by the fact that different states, countries and territories have their own rules and regulations that may contradict one another.
Information is good -- managing it and knowing what to do with it intelligently is key.
"There is nothing simple about what we do, and there's nothing that's going to simplify what we do," said Lamond Kearse, chief compliance officer at New York City's Metropolitan Transportation Authority. "But what technology can do is help you manage what you have to do."
Speakers at the Compliance Week session on "Using Technology to Simplify the CCO's Job" explained that organizations are implementing new technology to help prioritize risk and enable more strategic processes around managing compliance operations.
For example, Kearse said that a few years ago his organization decided to automate several governance, risk and compliance (GRC) processes. The transportation authority began with identifying core business processes, which it then linked to organizational "maps" that tied to areas such as finance and compliance.
"If there's a change in state compliance law, there is a link in the compliance map that I can click on that shows all the business processes that relate to that particular regulation wherever it exists in our organization," Kearse said.
The authority's system also provides customized GRC reports, such as results from risk assessments, and ensures these reports are in the right hands.
"When we make a change to a corporate policy, we don't have to remember, 'Whom do we email it to? Whom do we send it to?" Kearse said. "The moment we release it in our system, it is automatically pushed to every business process owner that is affected by it, and it's automatically published to our intranet."
One downside? Too much information. It's important to determine where the key pain points are – basically by asking yourself, "What risk keeps you up at night?" -- and using the technology accordingly, Kearse said.
"We very quickly realized we did not need to know everything going on everywhere," Kearse said. "Information is good -- managing it and knowing what to do with it intelligently is key."
Tech creates consistency vital to compliance
One organization that knows a little about the compliance headaches involved with running a global corporation is New York City-based insurer The Travelers Companies Inc. Travelers has operations across the U.S. and all over the world, so just updating its system with any new insurance-related laws and regulations presents obstacles.
"Our challenge that we dealt with from the insurance world is that insurance regulation is state-based," said David Baker, Travelers' senior vice president and chief compliance officer. "While there has been a lot of discussion about kind of a federal charter or a federal oversight that's going to lay out a nice, clean set of laws, that clearly doesn't exist in our world."
In the past, Travelers relied on employees to update the laws and regulations, as well as make corresponding changes to the organization's own policies and procedures. But with several different corporate and user groups within the larger organization, this presented a challenge as well.
"It helps to know who is responsible for what, to determine exactly where the breakdown occurred," Baker said.
Baker said Travelers wanted to design a process by which all of the groups would record GRC processes the same way. In the end, Travelers elected to use software that provides a feed of updated regulations that flow in a consistent manner to the entire organization.
A big challenge was developing a protocol for consistent use of the system so that people were not using it according to their own interpretation, Baker said. Travelers' corporate audit also reviews the company's corporate compliance activity under the system.
"Everybody knew that this was where our new laws, regulations, bulletins, etc. were coming from," Baker said. "That didn't mean that you had to stop using the things you were using, especially if you felt that those were a good source. But we did know that we had one particular area where we were going to have all of these as a repository so there would not be any confusion."
More on GRC technology
This type of consistency is also what Hartford, Conn.-based United Technologies Corp. is seeking as it updates its compliance software system. Paul Robert, the company's associate general counsel and director of contracts and compliance, said the organization is in the process of finalizing the implementation of a substantial risk management GRC solution it expects to go live this summer.
The system will provide information and reports on third-party inquiries, customer complaints and investigations. It will allow officers, senior managers and auditors to access information on a particular department in the company, in a particular place, in a particular region, Robert said.
The system provides an opportunity to oversee risk mitigation efforts that come out of risk management processes -- and quickly, Robert said.
"It also gives us some input on if our training is effective," Robert said. "If you see the same questions coming up … regarding a particular subject matter, what's wrong with our training?"
Speakers warned, however, that no matter how much business and regulatory compliance management processes are improved by new technology, expect some pushback. Employees are likely set in their ways and may not to give up the paper reports and spreadsheets to which they've become accustomed.
"I'm not going to tell you implementing technology is easy, because it's not," Kearse said. "But in your role, it does provide a lot of benefits."