By Rachel Wolcott, Editor at Thomson Reuters
Firms reliance on unagile and often manual methods to communicate policies, ensure and enforce compliance will complicate their
ability to maintain a compliance culture amongst distributed workforce. In particular, the ongoing use of documents, spreadsheets and
emails to drive compliance will become a mountain of paperwork that will work against them, said Michael Rasmussen, a GRC analyst
at Wisconsin-based GRC 20/20 Research.
"People are working from home. They are not working in the same office with the same oversight, controls and processes within an office. How do we ensure proper compliant behaviour in a distributed workforce? That becomes critical. Even where regulations haven't changed, the business patterns and behaviours have changed and still need to be compliant. We still need to meet those requirements whether they are privacy requirements related to GDPR, market conduct requirements, UK SMCR, bribery and corruption and health and safety requirements. We need to be able to meet all these requirements with a distributed workforce in the pandemic," Rasmussen told listeners to ClauseMatch's recent webinar : "How to Maintain a Strong Compliance Culture when Working Remotely".
Firms still need to be able to see and monitor individual behaviour, communicate what behaviour should be in policies and ensure compliance across employees working from home. It is a lot easier in traditional office environments, but as firms respond to the pandemic it becomes a lot more challenging to monitor and control that behaviour in remote office settings. Working remotely has raised some difficult questions for firms in terms of how to manage and monitor market conduct, IT security as well as other key compliance and risk management tasks to protect themselves while meeting compliance requirements when
employees are working from home.
"This scenario where unagile processes particularly with documents and spreadsheets and emails just do not work. When we have
documents, spreadsheets and emails it's hard to understand whether somebody actually did understand that policy they acknowledged.
Did they answer the questions for compliance and understand what is expected of them in this time of crisis? Documents, spreadsheets
and emails become a mountain of paperwork and they work against compliance," said Rasmussen.
To illustrate how unagile the manual approach is Rasmussen used an example of a firm he met prior to the crisis that spent 200
employee hours to build a compliance annual report for its board. It took 200 hours, because the management information was dispersed throughout hundreds of documents, spreadsheets and emails. In that context, he explained a firm is not managing compliance, but reacting it as issues arise that have not been addressed. This approach becomes even riskier in the fast-moving pandemic environment in which firms currently find themselves, he said.
"Documents, spreadsheets and emails slow the business down, don't have a proper audit trail and system of record of what was communicated to employees and how they acknowledged it. We need a system that can communicate policies, track attestations, clearly illustrate what proper behaviour is in normal business times, but even more so in times of crisis," said Rasmussen.
Too many messages sent in too many ways
In managing the new compliance reality whereby most of firms' workforces are working remotely, some are finding out they have up
to 20 different policy portals. At a time when policies are evolving to address the current crisis where changing business processes
and behaviors have emerged, firms are finding their policies are an "absolute mess" says Rasmussen. There are different portals,
templates, formats and styles. Language is being used inconsistently. All this is working against them in a time of crisis.
"Organisations need a single view into its policies to maintain that culture of compliance. When there is a policy change, there should
be a go-to place to find that policy. Time and again I'm having conversation after conversation with organisations that are realizing it
is hard to maintain that strong culture of compliance integrity particularly when policies are evolving and changing and are scattered
across all these different portals, templates and approaches," he said.
Currently, employees working from home are getting too many messages sent in too many ways. Firms must shift to automated
approaches to help employees stay on top of change and maintain a culture of compliance.
"We're moving from a past where compliance was document centric where compliance was managed, monitored and communicated in
a variety of documents, spreadsheets and emails, manual processes, reports that took 200 hours to build, policy portals are scattered, to a future where compliance is automated, monitored and there's a single portal for the policies. Those policies are kept current as regulations change and business change and adapt pandemics and times of crisis," said Rasmussen
This article was first published at Thomson Reuters.