RiskTech Forum

NASDAQ BWise: How Can Technology Enable the Principles of Compliance

Posted: 1 August 2017  |  Author: Ladd Muzzy

More than ever, compliance is a priority for organizations, despite the uncertainty created by global Economic and Political changes. For example, how will Brexit operationalize; what effect will the GDPR for data privacy in Europe have on companies or the threat of dismantling Dodd-Frank in the US. In all likelihood, they are creating additional regulations to address ongoing threats like cyberattacks.

Regardless of the potential uncertainties, being compliant is really about good business practice. It is also a subject that affects the entire organization, from front to back office, to assure that the organization is controlling and managing compliance risk across the value chain and in the day-to-day activities of the business. Given this diversity of management and control, it is crucial that organizations invest in Governance, Risk and Compliance software solutions (GRC solution) to pull the disparate practices together to inform the overall risk profile.


How does the GRC solution help? There are lots of ways that the technology can enable the principles of compliance. First, governance: the establishment and maintenance of policies, procedures, and standards that evidence the specific intentions of compliance. The GRC solution should provide an efficient and simple portal to communicate the relevant regulations, processes, procedures and policies to the employee and the solution should be able to support the attestations of various policies which are of critical essence in the first line of defense.

Data Feeds

Second, a leading class GRC solution can take data feeds to assure that information about the compliance environment, whether it is information from external sources about changes to the regulatory environment or real-time data from internal systems reflecting the performance of underlying operational practices, is reliable Non-conformance activities can be quickly mitigated and managed.

Compliance Risk Assessment

Third, is the assessment of compliance risk. Depending on the organization’s compliance archetype, the assessment of compliance activities needs to be thorough and supported by structured risk data. The GRC software offers the mechanisms to define the taxonomy and library for compliance risk. It is also the tool for collecting, analyzing, and summarizing compliance risk. This includes an audit trail that evidences the compliance risk profile, whether improvements have been made, how the process is being sustained, and gaps that need to be addressed.

Issue and Action Planning

Fourth, is the GRC software’s ability to efficiently execute issue and action planning. Areas of conformance that are either above defined appetite and tolerance levels or requiring resources and capital to mitigate compliance risk necessitate a simple, yet effective set of actions to assure that the organization gets compliant quickly. The software can enable the first and second lines of defense to identify individuals who need to take action, automatically send out communication of necessary tasks, and monitor progress to closure.

Insightful Reporting

Last, but certainly not least, is the ability for the GRC solution to summarize the data for insightful reporting. To be valuable the GRC solution needs to be configurable, or easy for the end user to make changes in the software itself to make it meaningful and relevant to the individual’s role or function. Software that is easy to use and takes full advantage of dashboards and solid reporting assures that the nuances of compliance are depicted accurately. This is essential to supporting conclusions of conformity with each applicable law and regulation. Moreover, the ability to aggregate data, and to drill down into the detail, across the lines-of-defense is crucial for reporting purposes. This gives all stakeholders, from the business, executives, audit, and the regulators, the confidence that the reporting is an accurate reflection and therefore the compliance program is working as intended and being sustained.

A GRC solution that is malleable to support the compliance program is critical to support day—to-day activities as well as being adaptable to respond to new expectations and emerging risks. Additionally, integrating the data from compliance into the broader risk categories, such as information security or operational risk management, assures that the data from the compliance program is part of the entire organizational risk management program. Without it, manual and disconnected processes, disjointed methodologies, and silo reporting will leave many questioning whether the organization really is compliant. For more information, please contact us.