Governance, Risk, And (Maybe) Compliance

Bruce McCuaig

Regulatory compliance is an enigma to me. What does it have to do with governance and risk?

I’m asking this as both a marketing guy and a long-time GRC professional. I find myself writing messaging with such phrases as “…complex and rapidly changing regulations…” That’s ok, but as a GRC practitioner and marketing guy, I’ve been speaking, reading, or writing about the dangers associated with regulatory changes for about 20 years. (I’m not sure the fur traders didn’t face the same issues, but that was a little before my time.)

Surely, we have solved some of the problems of complexity by now. What is it about regulatory change that causes so much alarm? Are the concerns justified? Are we missing opportunities? Do we really need to parse every single regulation into its detailed clauses and entrench them in our software?

Here are some questions to size up your approach to regulatory change.

1. Do regulatory changes impact my business model?

For example, financial regulations in many countries constrain the types of risks banks can assume. Other regulations restrict trade between certain countries or trade in certain goods and services, or restrict what you can produce and whom you can sell to.

If your answer is yes (your business model is already impacted by such regulations), then you can advance to Question 2. But do take time to consider whether regulatory changes present an opportunity. For example, are you better positioned than your competitors to adapt? Can you adjust your business model quickly? Can you diversify?

This is where regulatory change management begins. When you have a strategic risk impacting your basic business model, you need to assess so you understand both the risk and the opportunities the regulation presents.

Questions you need to ask:

  • How can we influence the regulations?
  • How can we exploit the regulations?
  • How will my competitors be impacted?
  • What does technology offer us?

Remember—you need to be able to scan the horizon for regulatory change with surveys and regulatory intelligence tools, identify and assess the risks, develop compliance or business strategies, and model the impact or opportunity using scenario analysis and planning tools.

2. Do laws and regulations prevent me from making good operating decisions?

Some laws and regulations don’t impact your basic business model but they do impact practices. Thinking back to my days in the oil and gas business, there were certainly laws and regulations governing where, when, and how you could explore for or produce hydrocarbons. Generally, the regulations were good and necessary.

Compliance here is not the problem. It’s the opportunity. You need a detailed understanding of the regulations in order to comply with them better than your competitors. If you understand the fine print better than your competitors, you can make better business decisions.

Questions you need to ask:

  • Does operating management have a good working knowledge of the regulations?
  • Do we consider how to maximize our return without breaching the laws and regulations?
  • What technology will help? Certainly, you need strong regulatory content management and policy management tools. You also need tools to monitor compliance, and you need to assess capital and operating expenditures for compliance risk, or opportunity.

3. Has my business faced unanticipated fines or sanctions?

Regulatory fines and sanctions can have a catastrophic impact on your business. Regulators can impose huge financial penalties, levy criminal charges, interrupt your business, or restrict your rights to do business.

If you’ve faced unanticipated fines or sanctions, go back to Question 2 and reassess your performance. Unanticipated fines or sanctions may mean you didn’t understand the regulatory change and build it into your practices.

Unfortunately, it could also mean you have a people management problem. Do your employees or contractors know how to comply and why compliance is important? Are they motivated to comply, and do they have the tools and technologies to detect when they are not complying?

Unanticipated fines or sanctions suggest the capability to comply is absent, or the will to do so is undermined. The vast majority of errors in any field of endeavor are due to human failure.

That’s not a compliance problem. That’s a governance and management problem.

Questions you need to ask:

  • Have we made it clear that our employees’ compliance is important to our business?
  • Do we reward compliance and penalize non-compliance?
  • Do our employees know how to comply with the specific laws and regulations?
  • Do we monitor for non-compliance?

We have well-known standards for risk management, quality, internal control, and a variety of other business issues. The only compliance standards I am aware of are AS-3806 Compliance programs from Australia and ISO 19600:2014. Both are proprietary and must be purchased.

Compliance management here is a people management problem; control management is one element. Useful technologies include policy management, read and comply certification, performance management, code of conduct and specific skills training, related record-keeping, and traditional GRC tools such as audit, control risk, and fraud management solutions for monitoring compliance.

To sum it up

When was the last time you experienced a good business decision being blocked by a law or regulation? I can recall few, if any.

That suggests we are actually doing a decent job of managing regulatory change. But my guess is that we could be doing it faster, cheaper, and simpler with the right technological tools. And we could be managing people better.

Are you missing your opportunities to do so?

For more on compliance strategies, see Internal Control — From Necessary Evil To Operational Excellence.


About Bruce McCuaig

Bruce McCuaig is director of Product Marketing at SAP GRC solutions. He is responsible for development and execution of the product marketing strategy for SAP Risk Management, SAP Audit Management, and SAP solutions for three lines of defense. Bruce has extensive experience in industry as a finance professional, as a chief risk officer, and as a chief audit executive. He has written and spoken extensively on GRC topics and has worked with clients around the world implementing GRC solutions and technology.