The abundance of legislative changes and enforcement may be overwhelming – but they also offer an opportunity for senior leadership, especially those in risk and compliance, to uplevel compliance programs.
Several new European regulations, including the German Supply Chain Act (LkSG), the Corporate Sustainability Due Diligence Directive (CSDDD), and the Corporate Sustainability Reporting Directive (CSRD), are leading the way by mandating diligence and disclosure throughout the value chain. While these regulations do not affect all organizations, many others are on the horizon worldwide. Companies that choose to get ahead of the inevitable compliance requirements will benefit in the long term by avoiding compliance failures, fines resulting from increased enforcement, and protecting their reputation proactively.
In this article, we discuss three top tips for staying ahead of and maintaining global compliance:
- Conduct a holistic risk assessment. Understanding the risk profile for your company, inclusive of third-parties, technology, vendors, suppliers and more, is imperative to stay compliant. Ongoing monitoring of risks and regulatory changes to respond to any legislative changes will keep your business in compliance with global requirements.
- Establish consistent and scalable processes. There should be a standard procedure in place for onboarding and offboarding employees, deploying new systems, and conducting due diligence and monitoring for third parties, vendors and suppliers. Doing so will help prepare for disruptions and enable resiliency. Work closely with your peers in procurement, HR, and IT to ensure enterprise adoption and effective use of these procedures.
- Effective reporting. Data and storytelling about compliance risks – including the specific risks your business faces and the potential cost of compliance failures – is important to gain buy-in from C-suite partners and the board. Board-level visibility is critical before an incident or compliance failure occurs, along with strong regular communication.
Why is a risk assessment important?
Before risks can be addressed and mitigated, they need to be understood. Most businesses still face the issue of siloed risk and lack a comprehensive understanding of the entire risk profile. Start there. The consequences of addressing risk in a non-cohesive way include increased likelihood of falling short of regulatory requirements, reputational damage and enforcement fines.
If reducing risk is a top priority, all regulatory, financial, reputational, third-party and employee risks need to be on the table. Leaders in risk and compliance are well suited to lead the charge in bringing a cross-functional committee to gain a full understanding of the risk landscape. Many of the most pressing risks organizations face today can be addressed by either the CCO (third-party, regulatory requirements, supply chain, etc.) or the CISO (cybersecurity, vendor risk, etc.) So, working closely together gives both the CCO and CISO an opportunity to reduce risk and uplevel their respective programs.
Consistency is key
One major pitfall many organizations face is inconsistent processes and siloed information. Whether we’re talking about onboarding and offboarding employees, or a process for bringing on a new vendor or third-party, consistent processes are your friend.
Specific to third-party and supply chain risk, having standard processes for conducting due diligence and ongoing monitoring will help minimize business disruptions because your partners will be vetted, and disruptions are less likely to catch you unaware. This, in turn, leads to better resiliency and ensuring your partners uphold your organization’s values. Not only will this help your business work with trusted partners, but it also meets many of the requirements present in the various EU regulations concerning third-party and supply chain risk.
Regarding internal risk, processes for onboarding and offboarding ensure IT equipment and access is properly assigned or revoked as necessary. Compliance, IT and HR should all work together to ensure policies and procedures are understood and attested to, training is complete, and technology and system access is appropriate for the employee. Disjointed onboarding not only increases risk, but it also causes a less than optimal employee experience.
Using data for compelling storytelling
Any business creates a wealth of data. Yet, leveraging that data to tell a compelling story still remains an opportunity for many leaders.
Data should be presented in a way that gives context and resonates with the audience. Risk, compliance and cybersecurity leaders usually have only a short amount of time to communicate the threats to the company and gain buy in – and doing so requires the art of storytelling. Leverage benchmarks to compare your company to similar organizations, use real-world examples of what a worst-case scenario would look like, and connect with your C-suite partners to show how a cross-functional strategy to assessing and mitigating risk will save time and resources in the long run.
You may be thinking, “easier said than done.” And you’re right – it is not necessarily an easy task to build the case for investing in proactive risk management. And the “compliance as a cost center” mentality can be tough to shake. However, it certainly is possible given enough discipline and yes, storytelling. It also doesn’t hurt that the current regulatory environment is rife with examples of costly enforcement for non-compliance.
The storytelling should also extend to the workforce to help build a risk-aware culture rooted in ethics and compliance. Regular communication, compelling training, consistently practiced values and accountability are all tenets of a culture that will ultimately reduce the risk facing your business. This won’t happen overnight, but it is a goal worth working toward.
Final thoughts
The regulatory and risk environment is only going to grow more complex. It’s widely recognized the world is far too complex to manage risk and compliance manually and/or separately. For organizations operating globally, this is made more complicated due to the varying regulations country-to-country – so interconnected systems to assess and mitigate risk are a must if you’re looking to stay ahead of (or even on pace with) changes.
If you’re looking for a better way to address risk in your organization, we have resources to help you accomplish your goals. From third-party due diligence and monitoring to policy and procedure management and internal reporting systems, NAVEX can help your organization build a culture of ethics and compliance.
