Despite the very public corporate scandals making headlines, the C-suite is reluctant to invest further in compliance programs. But in the high-speed information age, a comprehensive compliance infrastructure can be an incredible advantage.
With personal information and digital privacy concerns evolving alongside technology, it’s not enough for enterprises to pursue bare-minimum regulatory compliance. Today’s employees increasingly use their personal devices to access work files, emails, documents and information on-the-go — opening up entirely new platforms to police for non-compliance. To avoid reputation-damaging compliance scandals and pricey legal battles, enterprise legal teams must be vigilant about regulatory code changes and make sure that the entire organisation remains compliant.
Non-compliance hurts more than just reputation
For industries that handle particularly sensitive information, like the finance and healthcare sectors, navigating industry-specific legal compliance standards is an ongoing challenge. But the standards of other compliance frameworks are felt everywhere. By now, any organisation doing business even tangentially in Europe is aware of the European Union’s General Data Protection Regulation (GDPR) and the challenges that the framework presents.
The consequences of non-compliance with these rules can be severe, ranging from plunging stock prices to major fines. Earlier this year, Google felt the sting of GDPR non-compliance for failing to disclose how it collects user data across its suite of services. While GDPR fines can reach up to 4 per cent of a company’s worldwide annual revenue (that’s $4 billion for Google), the tech giant paid only $57 million in fines. While the penalties didn’t make a significant dent in Google’s bottom line, they did serve as a harsh warning: all organisations, even the world’s largest, can run afoul of these sweeping regulations.
What prevents compliance from being easy?
There are two primary reasons that compliance is difficult for enterprises — the first challenge being change management. With the GDPR or the newly enacted California Consumer Privacy Act (CCPA) to consider, legal teams must factor in how employees’ working lives will change under the new regulatory frameworks. Often, legal departments do not funnel enough resources into analysing how company policies will impact processes. For example, new regulation may change the way that the organisation can share data with third parties. If the organisation simply restricts sharing the data without providing a straightforward alternative, employees will find a way around the rule. Organisations tend to spend their effort working out what the internal policy changes need to be in order to comply with the new law, and not enough time on how employees will act when faced with the new rules.
While the consequences of non-compliance are serious, it often happens that enterprises with good policy on paper struggle to remain compliant (especially on a global scale). This is a result of enterprise legal departments not fully understanding the day-to-day work of the business units. Legal teams spend a majority of their time putting out fires and answering questions of law or internal policy rather than understanding operations — which is a huge mistake.
Legal departments must invest the time to understand their business units. It is not enough for legal departments to put out “good policy”; the rules must also create minimum disruption to employee workflows, because the fastest way to get employees to not comply is to make their daily lives harder. Legal and compliance departments must work to truly understand how the business units operate in order to develop the best compliance schemes.
What do legal teams need to make compliance easy?
Legal teams don’t have time to monitor every piece of communication that leaves the organisation. And it’s nearly impossible to keep pace with global regulatory shifts without some help from technology, especially at scale.
The right business tools can give legal teams some control over what employees are producing. This list is not exhaustive, but below are a few examples of common tools organisations use to make compliance easy:
- Incident management software: It’s difficult for management to get a clear view of what is happening on the compliance front, especially in large, multinational organisations. Incident management software tracks and mitigates compliance incidents, letting the company determine whether there are any incident trends and allowing it to put policies in place to ensure that such incidents do not happen again in the future.
- Compliance management software: This tool allows for the overall monitoring, controlling and planning of compliance activities, similar to how sales teams have customer relationship management tools (CRMs) and operations and the business units have project management tools. The biggest danger in compliance is blind spots; this tool provides some visibility.
- Regulatory compliance software: As mentioned above, financial services, pharmaceutical companies and other industries must follow industry-specific, complex regulatory frameworks. This type of software eases the burden on companies having to manage these complex schemes on their own. Plus, as the law changes, the software is updated alongside it.
- Document automation tools: These tools are designed to ensure that every asset leaving the organisation is equipped with the proper legal warnings and language. They police access and monitor for adequate disclaimers, labels, disclosures and language. Document automation tools also let legal teams roll out updates enterprise-wide from a centralised asset repository.
Support from the top
Legal teams need support from leadership to successfully implement enterprise compliance changes. Organisational culture is created from the top, and leadership’s tone surrounding any changes trickles down. Therefore, one of the first steps in a major compliance change is ensuring that leadership fully understands the depth and breadth of the data and privacy concerns the enterprise faces and the full consequences that come should non-compliance occur.
More specifically, support from leadership means direct engagement and sponsorship of compliance initiatives — like when a business leader officially sponsors a project and is willing to put their name on it via communication to the organisation. When the CEO, Chief Commercial Officer or another leader officially supports an initiative, the perception changes from “legal is getting in our way of doing business again” to “we need to do this for the good of the company.”
The other key type of support is budget and resources. Lip service alone will not lead to better compliance. Leadership must ask themselves if the legal team has the right resources to complete the project. If the answer is no, then they must make sure the adequate number of people and appropriate budget are deployed to the cause.
Once both leadership and the legal team are on the same page, they must work to communicate workflow changes to employees on the front lines. But it’s getting these front-line users to act on the changes that often proves to be the most difficult step. Switching up the routines of employees throws a wrench in their workflows — especially when employees find out that the way they have worked for years is suddenly creating compliance issues. It’s imperative that front-line users are enabled with technology and armed with information so they can do their duties in alignment with regulations.
A methodical approach to compliance
When a compliance tool is successful, nothing happens and no changes are felt — which makes it difficult to prove its value. However, comprehensive compliance infrastructure should not be a reaction to a major legal struggle or fine; rather, it should be implemented proactively to prevent these things from ever happening.
Ultimately, legal, compliance and the business units must present a united front in order to prevent compliance failures. Organisations should be prepared to “put their money where their mouth is” and support compliance initiatives via leadership sponsorship or resource allocation.
Big policy and workflow changes require extensive planning and technological assistance. It’s important that enterprise legal teams are methodical in their approach to compliance, to ensure that everyone is on board, educated and compliant from the start and into the future.
Jean-Marc Chanoine, Global Head of Strategic Accounts, Templafy