Compliance risk management is the process of managing corporate compliance to meet regulations within a workable timeframe and budget. Not every regulated company manages this particularly well, and some even consider noncompliance fines as a normal cost of doing business. Their philosophy is that the fines are far cheaper than deploying and maintaining a compliance process.
This thinking is not limited to smaller and less sophisticated companies. Even very large companies may be aware of noncompliant activities, but if those activities are making a great deal of money than the organization may decide to look the other way. Wells Fargo is the poster child for this type of thinking.
However, as Wells Fargo found out approach is high risk. Regulators such as US attorneys are becoming more aggressive both by shortening compliance investigation timelines, and slapping on higher fines. In addition, noncompliance can be embarrassingly public, which leads to civil lawsuits, investor exodus, the eroding reputation.
Risky Behavior
Let’s look at common issues in corporate compliance risk management, which range from “I don’t wanna do it” to “I need a crystal ball.”
| Challenge | Level of Risk | Solution |
| “Compliance is too expensive and no one is going to check anyway.” | Believes that the cost and complexity of compliance outweighs the risk. | Assess the cost of compliance and real risks – not just regulatory fines but court cases, investor losses, and customer defections. Then act on that assessment with initial procedures and software. |
| “We try to stay in compliance but it’s hard to track everything I should.” | Has compliance procedures but lacks the technology to track it. | Buy simplified, cost-effective technology with automated features. |
| “We spend money and time on compliance, but with over a million documents I don’t know how we can prove it.” | Takes compliance seriously but a single investigation can cost millions and tie up IT and attorneys for months. | Invest in automated compliance workflow and eDiscovery machine learning. |
| “We’re in compliance but I wish we had a better handle on potential problem areas.” | Unable to monitor potential trouble spots such as non-compliant email or suspicious communications. | Proactive monitoring technology analyzes data sources for suspicious patterns. |
Managing Compliance Risk
Managing compliance risk means having a workable plan, procedures, and technology to oversee compliance efforts. Taking the above four categories, let’s look at managing risk by company sophistication and compliance levels.
- Little to no compliance risk management: If necessary, build the business case around the high risk of noncompliance. Form a compliance team to identify compliance needs and requirements, assess the existing compliance program, build a phased budget for objectives, and assign resources to reach the objectives.
- Aging compliance process and technology: Assess compliance and objectives, and invest in new technology. You may want to invest in one product for the entire corporation or point products for a few well-defined hot spots. Choices range from unified GRC frameworks to compliance point products such as financial reporting for SOX, compliant cloud storage for HIPAA, outgoing email checking, or auditing software.
- Active compliance program but millions of documents to review: Some compliance investigations require organizations to analyze and review millions of documents within a few weeks. Start now to research eDiscovery machine learning and automated compliance workflows. These platforms are not cheap but they save large amounts of money on the review process, and companies can leverage them for all legal and compliance discovery.
- Valuable IP is at risk without proactive compliance: It’s much more effective to interrupt potential noncompliance before it turns into a violation. Digital communications monitoring analyzes suspicious patterns in digital messaging, such as employee texting and email patterns, social media, or chat.
You are never too far behind to become compliant, or too advanced that you don’t need to worry about it anymore. Build in annual assessments to your compliance processes, and make sure that your compliance officers understand the changing regulations that might impact your industry. Also track the compliance technology industry for continual advancements and breakthroughs.