Many companies are fairly indiscriminate when it comes to gathering data.

The idea is that if it might be useful at some point, they keep it. The result is that companies can easily become overwhelmed in a sea of data and find analyzing it, and knowing what to do with all of it, trying.

Colin Campbell, senior vice president of GRC product management for SAI Global, says the challenge for many companies comes down to taking data and turning it into knowledge they can use to identify risks and make their organizations operate more efficiently.

It's about assessing the data and asking the appropriate questions: “What risks am I seeing across my business? How do I then shape my remediation and response to those risks? Do I respond with additional training and awareness? Do I respond with putting new policies and procedures in place?” says Campbell.

One company that is now tackling that process is EMQ FamiliesFirst, a non-profit children's behavioral health organization that recently deployed an enterprise-wide governance, risk, and compliance solution in order to gain a better understanding of its risks.

Due to the nature of EMQ FamiliesFirst's business, the majority of its 1,400 employees dispersed throughout the country don't work in offices, because they're delivering outreach services to schools and homes, “and that makes it more challenging to manage risk,” says Kathryn McCarthy, EMQ FamiliesFirst's chief legal counsel.

So when McCarthy came on board as the organization's first general counsel more than two years ago, “we decided we need to take a look at a comprehensive way to address governance, risk, and compliance,” she says. The company chose Compliance 360, a provider of software-as-a-service solutions for enterprise governance, risk management, and compliance, to enable the company to have easy visibility and access across its enterprise.

“Probably the most important thing was finding a way to strike a balance between risks that need to be managed across the agency and providing autonomy to the business owners in those regions to allow them to run their businesses,” says McCarthy.

Without a consistent strategy to conduct compliance and risk assessments simultaneously, “GRC processes run the risk of operating in silos,” says Campbell, creating pockets of knowledge and behavior. Employees cannot properly identify compliance deficiencies in their programs, or what areas to invest in to be more efficient, he says.

By employing an automation assessment tool, for example, EMQ FamiliesFirst overcame the obstacle of operating in silos by streamlining its procedures at every level throughout the enterprise. “It allows us to see at a high-level where the gaps are, so if we have the same gap in multiple places, we can fix it one time instead of having people independently trying to address the problems,” says McCarthy.

Don't assume that a small non-profit faces few regulations. Because the organization represents children, it's “highly regulated work” that entails working with several different licensing agencies that provide “significant oversight,” says McCarthy.


The organization's new GRC system allows the company to create a customized program for all the regulations it must comply with. “It also allows us to reassure the regions that we are in compliance across the agency on things that we're required to do,” says McCarthy.

Such regulatory requirements may be something as simple as ensuring that each of the organization's worksites throughout the country has posted, in a conspicuous area where all employees can see them, certain regulatory notices required by law. In that case, HR managers can log onto the system and check off whether or not the notices have been received and posted, says McCarthy.

EMQ FamiliesFirst also uses the automated solution to maintain requests for proposals and incident reports, “so that incidents are reported properly and remediation is done properly,” she says.

Reining in Third-Party Risk

For multinational companies operating on a global scale, one of the biggest risk areas is third parties. The larger the company, the greater the need to implement an auditing system that additionally allows for the collection of risk data on its third parties—resellers, distributors, agents. “One area that clients are using their data is to target training of third parties, or to target distribution of supplier codes of conduct,” says Campbell.

Monitoring and confirming the effectiveness of the risk and compliance program comes next. At EMQ FamiliesFirst, for example, depending on the regulation, “we can recheck certain compliance controls on a weekly or monthly basis. Ultimately, the person doing the assessment determines how frequently that control should be checked,” says McCarthy.

“Once you've been through the cycle, it's automated and repeated at a frequency we can customize and change.” For example, if there is an issue in a particular region, the cycle of checks and balances can be shortened until the problem gets resolved, she says.

“By bringing that data in through an automation tool, you can get a sense of training on third-party risk areas,” says Campbell. Using that data also helps drive behaviors and efficiencies into compliance and risk programs, so that companies can start becoming more familiar with their third-party risks, he says.

But not everything is—or should be—automated.

EMQ FamiliesFirst has a director of corporate compliance, part of whose role is to work side-by-side with the director of quality assurance to conduct internal regional and department audits. That is done either by spot-checks or by meetings with each region. “If we find a gap, we try to understand why. Was it a lack of clarity?” says McCarthy.

Additionally, EMQ FamiliesFirst just recently upgraded its compliance committee process, so that the process now reports to the company's internal committees, and ultimately gets reported to the board.

EMQ FamiliesFirst also has an operational compliance committee made up of directors of each department, who are responsible for assessing trends and deciding whether or not there are issues that need to be responded to, says McCarthy. The group then meets quarterly and comes up with a list of five to 12 risks they want reported from their region each quarter.

The compliance director, who heads that compliance committee, then makes a quarterly report to the senior leadership team. From there it goes to the board's finance and risk committee before issues are reported up to the full board.