Many companies have the need to ensure their operations are compliant with a variety of regulations. These may be external regulations such as Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), or Payment Card Industry (PCI). They may also be controls required by internal auditors or customers for accounting, personal information (PII) protection, access control, safety, or certification maintenance.
Most organizations attempt to track compliance via a combination of e-mails and spreadsheets. They collect information as each operational step is performed and recorded in some type of log. This approach may work on a small scale but often falls short in several ways. This blog post examines typical compliance management challenges.
Accuracy and Timeliness
Compliance management (as well as good business) usually requires that operational steps and activities are performed correctly and on-time. From a compliance point of view, this means that critical steps are tracked, reminders are sent when due, escalated when late, reviewed and approved when needed.
Manual systems will use spreadsheets to indicate when an operational task is due and emails to escalate when it is late. This is a hit-or-miss approach, depending on how often the spreadsheet is being checked. Email escalations and approvals leave significant opportunities for things to fall through the cracks, often due to personnel logistics and breaks in communication.
Even if done correctly, it can be a nightmare to collect the information to prove it to an auditor or customer. Errors and delays in completing critical operational tasks on-time can often result in risk exposures and client relationship damage.
Anyone who’s been audited knows it is a very time-intensive process. Auditors typically select outcomes (e.g. Employee Carol Smith was transferred to the Reynolds account) and then ask for a mountain of evidence showing that all the steps that were supposed to happen actually happened (e.g. removing access from the previous client’s shared folder, signing the Reynolds privacy agreement, passing the Reynolds mandatory drug test, etc.). This information, if it exists, is scattered among many different systems, logs, emails, documents and papers.
Tracking and assembling audit evidence diverts valuable resources away from their day-to-day jobs and also leads to audit “findings” when information is missing or inaccurate, or worse yet, when a critical step was just plain missed. So, disciplined audit preparedness presents an enormous challenge and a resource burden on organizations, and it needs to be addressed well ahead of the actual audit taking place.
Manual operations tracking is bad for compliance and bad for business. Typical operations tracking is ad-hoc, using emails to tell the next person in line that it’s their turn. Manual tracking is easily prone to missed steps, indeterminate delays, lack of proper approval and lack of prompt and timely escalation.
Progress tracking is difficult if not impossible. Often, people circle around to already completed tasks to update missing or amended information. These changes are likely to bypass any controls that are in place and cause damaging audit discrepancies.
Manual operations tracking is usually based on unwritten rules and policies that have evolved over time. Roles and responsibilities are unclear, especially for new employees. Institutional knowledge is hidden with selected individuals. Communication and decision making are done in an ad-hoc manner, often via long email threads with an ever-increasing number of people cc’d along the way. This method of communication can be very useful but results in an audit nightmare when no one can explain why a particular action was taken in a given situation.
Very often, even seemingly simple operations include activities that involve a number of participants across multiple groups and departments. Making sure that key operational information is captured and communicated clearly through a cross-organizational chain presents a challenge.
A wealth of valuable information is created each time a business operation is performed. Unfortunately, there is no way to learn from the experience as the data is too hard to mine and extract. There is no holistic high-level view as to where the activities stand. Supervisors lack visibility into what is due or overdue. Delays are cumbersome to track down and diagnose. Recycling the experience into future operational improvement becomes based on anecdotes rather than facts and objective metrics.
All of the above challenges can be used to make an effective case for automated compliance management. However, the cost and effort of automating, particularly when everyone is stressed out keeping the ship afloat, is usually a show-stopper. In my next blog, I’ll show how tracking automation can be introduced in a step-wise fashion without large commitments of time and money.