Technology designed to manage compliance at organizations is changing. Rather than providing simple regulatory data feeds or narrow, industry-focused solutions, increasingly vendors are offering more integrated regulatory intelligence capabilities.
Given this shift, chief compliance officers (CCOs) should stop looking for risk-specific software and instead seek IT solutions that manage broader compliance and adherence issues across a wider range of risk domains, said Zack Hutto, director of advisory at Gartner's legal and compliance practice.
According to Hutto, historically there has been a tendency for vendors to offer solutions that address different segments of compliance issues. "When you think about the technology architecture of a company, you largely had functions leading the charge with some specific applications, hubs or platforms set up to cover that domain," Hutto noted.
As an example of new compliance integrations, Hutto said, the finance department's transaction-monitoring solutions are now incorporated into enterprise resource management platforms. Another example is HR employee data management solutions, which have morphed into human resource information system platforms.
"Increasingly these platforms are becoming more and more cross-functional in terms of the user case that they are trying to address and they are trying to interact with," Hutto said.
"We are finding the greatest opportunity for compliance leaders lies in better exploiting embedded control opportunities within existing solutions or within cross-functional solutions rather than trying to buy some compliance-centric solution that's going to be added on top of all these other platforms," he added.
A September 2021 Gartner survey of 755 employees showed that when compliance teams don't embed their controls into employee processes, they experience a higher rate of compliance failures.
Thirty-two percent of employees polled said they couldn't find relevant information when they missed a compliance obligation. An additional 20 percent didn't recognize information was required and 19 percent didn't remember. The remaining 29 percent of respondents who missed a compliance step said they didn't understand (16 percent) or they failed to execute the step (13 percent).
Embedded controls not only provide critical information to employees that remind them of what they need to do during the workflow process, but they also help them execute on compliance obligations which leads to reduced risk.
According to Amy Matsuo, leader, regulatory insight and regulations and compliance transformation at KPMG, CCOs must make sure embedded controls achieve results in the way they were intended.
"When organizations adopt embedded controls, the first thing they need to do from a compliance perspective is make sure that they do the appropriate diligence and user testing upfront before those controls are put into workflow processes to make sure the efficacy and the outcomes are appropriate. It's the old kind of 'trust but verify,' " Matsuo said.
She added that while companies are striving for automated controls to manage their regulatory and compliance needs, companies will have to continue monitoring their systems to keep up with process and regulatory changes.
CCOs can expect the future of compliance to look much like the past, but perhaps more complex. Adding to the challenges of managing compliance among a virtual workforce that has grown since the pandemic, CCOs are bracing for new regulations that will add more tasks and result in a greater compliance burden on employees.
One example is the Securities and Exchange Commission, which is moving ahead with an ambitious regulatory agenda this year that includes proposed new disclosures that public companies will have to make in several areas, such as human capital management, climate-related risks and cybersecurity, as well as proposed requirements for investments related to environmental, social and governance disclosures.
The anticipation of more regulations has convinced many CCOs that their best bet is to make automation and technology an integral part of their compliance strategy.
A KPMG survey, published in August of 2021, which polled compliance leaders at 249 organizations, found that 67 percent of respondents indicated that their compliance division planned to enhance the use of automation and technology in the next one to three years.
Nearly half of respondents (49 percent) expect their overall ethics and compliance department budgets to increase year-over-year while the majority of respondents (more than 75 percent) expect their technology budgets specifically to increase over the next three years.
For those CCOs who are engaging vendors to purchase software for regulation and compliance management, Matsuo warned that buyers should beware. "Don't jump too fast to technology as the fix," she said.
Matsuo urged CCOs to ask themselves the following: What are your challenges? What are your three-year goals? What skills and talents do you need? And where are the gaps within your current coverage model?
"CCOs have to take a very thoughtful approach," she said. "Once they've identified the critical challenges, the critical need and the critical risk and then look at the technologies and features being offered, they then have to focus on the pros and cons. Based on that analysis, CCOs have to assess the software to find the right fit."
Nicole Lewis is a freelance journalist based in Miami.