Strengthening compliance programs and internal controls
Posted 13 Jul 16 by Sean Dillon
Compliance is most often seen as an inefficient use of resources - having to look back at what has transpired to determine whether or not an organisation has met the standards imposed on it. Mention the word at an advisory board meeting and watch as, seemingly in unison, people gravitate to their iPhones to look for an email to respond to.
It can be difficult when advising clients in this area of their business to articulate the value of investing in risk-mitigating strategies, as it is only after a breach that the 'value' can be measured.
Internal controls play a part in providing comfort that the risk of a compliance breach is mitigated. No doubt that investment in mitigation is worthwhile. Cost effective. Set and forget. However, organisations that rely solely on internal controls to avoid compliance breaches are still leaving themselves at risk.
Internal controls require investment, routine review and reassessment, otherwise they become outdated. Think of how quickly business operations adapt and change, extrapolate that to risk factors, and ask whether the internal controls that were set still achieve their objective of mitigating the risk of compliance breaches.
There is also one other issue with this strategy. One clear aspect that is often overlooked is that internal controls and policy documents don't commit breaches. It's people who do that. So simply having an internal control framework with strong policy documents won't always stop compliance breaches from occurring.
The most critical determinant of minimising compliance breaches is culture. People will be the most critical risk-mitigating factor in compliance risk, so the question is whether you have invested in your culture and whether your organisation's culture stacks up when it counts.