An ounce of prevention is worth a pound of cure. -Ben Franklin
Much of compliance management is reactive in the sense that there is a lot of rushing around trying to fix problems after they have occurred. The question for compliance experts is what can be done proactively to pinpoint potential problems before they occur. This then becomes a question of keeping track of activities and of changing regulations. Is there a better way to manage compliance proactively?
Being proactive definitely means keeping abreast of standards and auditing to all regulations that may affect the company. It is a continuous process that keeps you current and diminishes the outcomes of not being compliant. Checklists that audit to the standards you will be subjected to are a good idea. Communication, staff education and the general sharing of information also help. Ensure the business owners (the ones responsible for paying the bills) are closely involved for the entire program lifecycle. For example, business owners should take full responsibility for risk management decisions through documented sign-offs.
Keeping track of activities is surely helpful in being proactive. An effective compliance tool monitors change, alerts the organization to risk conditions, and enables accountability and collaboration around changes impacting each firm. This requires a common process to deliver real-time accountability and transparency across regulatory areas with a common system of record to monitor regulatory change, audit and measure the impact, implement appropriate corrective actions, update policies, and provide training for certain personnel. Applying preventive measures such as resilience or infrastructure investments in the preparedness phase of emergency management can be helpful as well. Testing and monitoring programs can identify problems that do occur before they become ingrained or systemic, and they can possibly prevent the small problems from becoming the "fires" that one has to scramble to address.
There are many software solutions that can help, but software is still just an enabler of a business intention. Senior stakeholders in the business need to be on board with a program like this. Showing the value of proactive compliance internally can help build a case for performing it. The challenges are to show a way of making it cost effective and to find internal sponsors. Having all that in place, though, will truly enable your company to show competitive advantage and assurance because it will not be 'surprised'. Fine-tuning of compliance processes will also become easier and the cost-benefit more transparent.
There are a number of activities that need to be carried out to make proactive compliance possible. Absolutely, compliance needs to be PROACTIVE! Organizations must seek a process for collaboration, accountability, and most importantly, integration between a regulatory intelligence framework and content provider. In an ideal scenario, there should exist a solution from a single-source provider offering “one-stop shopping” in order to maximize coherence and congruence, while eliminating the potential for an ensuing lack of accountability that results from sourcing these solutions from fragmented, or “siloed” providers.
(1) Process documentation: without knowing what your compliance processes are, you can't anticipate anything. This sounds simple, but it assumes there is a process owner in the business and that someone cares about the outcomes of the process 'failing.'
(2) Dates: a lot of compliance is date related (due date/renewal date). If the dates are wrong, or if the 'early warning' time prior to the important event is wrong, or if there is no owner (of process, control, etc.), then it is not possible to do proactive compliance. If there isn't a business process for maintaining these dates, the effectiveness of this sort of compliance quickly falls apart.
(3) Sources to content: sometimes proactive compliance is necessary because a document or regulation has changed or will change; these could be internal or external. Having visibility into that change (or knowing it is scheduled) is necessary for proactive compliance.
(4) Impact: knowing which areas to focus compliance resources on is important too. Linking events, issues, near misses, KRIs, etc. can significantly help this area.
(5) Training: Reasonable, balanced, targeted, and appropriate training (which requires partnership among compliance, SME, and training departments) also is preventative and can eliminate costly errors before they get a chance to blossom. It does, however, also require investment, of time and dollars, in your associates.
None of this is new or groundbreaking. Basically, it comes down to two simple concepts Ben Franklin knew well: 'An ounce of prevention is worth a pound of cure' (preventative measures) and 'A little neglect breeds mischief' (find and address the issues while they are still small).