
How to Manage Compliance

Securac Corporation | www.securac.net


What tools are emerging to help businesses manage risk and compliance more effectively? Business management asks Terry Allen, President and CEO of Securac Corporation, for his views.

By nature, the world in which we live tends to be entropic; in other words, order tends to chaos. It usually takes a major disaster or some other such event to shake us from our ‘happy place’ and stir a primitive desire to put things back in their place – in which case woe betide the persons or things that caused us to get off our comfy couch and into some action.

We got it wrong. In the corporate scandals of 2001 and 2002, Murphy’s Law became the dominant phenomenon as an increasing number of large corporations were accused of fraud, poor corporate governance policies or careless accounting procedures. In the United States the press, the Securities and Exchange Commission (SEC) and members of Congress all declared that auditing and corporate governance practices needed to be fixed.

Government departments thus began the arduous process of defining and implementing frameworks that would control how companies could prevent the white-collar crimes, lies and deceit pervading the economy. They hoped that these efforts would bring some degree of trust back into the marketplace and ease the personal losses suffered by innocent shareholders as these man-made events became evident. The frameworks had to have teeth. The teeth had to be able to bite and had to have personal consequences to the perpetrators. More and more we heard the phrase ‘no more’.

In the United States, the Sarbanes-Oxley Act 2002 has become an important guide for defining how publicly traded corporations must behave through the use of a competent system to detect and prevent corporate misconduct. It comes complete with teeth: sentencing guidelines for those who seek to make profit at the expense of other individuals and governments. Yet Sarbanes-Oxley is only one of many frameworks that have been established and agreed upon.

There are a number of issues that must be addressed. Once a company opens the door to the compliance process, it discovers that the biggest issues in terms of putting in processes to measure compliance are cost and acceptance. It costs time and money for an organization to measure its conformance and to put correct actions in place to address areas of non-conformance – and, in many cases, this cost goes directly to the bottom line. The other hurdle is how to comply. A lot of the regulations requiring compliance merely state ‘what to do’ and not ‘how to do it’; the actual interpretation has largely been left up to the big consulting groups to which many organizations have looked for advice. This isn’t necessarily a bad strategy – risk transference is an acceptable way forward – but it does come at an increased cost.

The question of ‘to what extent do I have to comply’ is another issue. With no clear definitions in place, this has to be a negotiation between the organization and the auditor on what is sufficient. What is really needed is time for the industry to look at this question over the next few years.

Do nothing. Many organizations look at the regulatory landscape affecting their space and then make the decision to avoid the risks associated with non-compliance. We have seen this as a clear strategic direction – indeed, many publicly traded companies in the United States, regulated by Sarbanes-Oxley, have reverted to ‘private’ status. There is nothing wrong with this approach – indeed, it is good risk management. Like a lot of strategic business decisions, a balance has to be struck; why comply if it means driving the business into the ground on cost? A better perspective is to manage the compliance while looking at the risk – the risk of complying versus not complying; how much compliance is necessary; and where to spend the money – in what areas and with what priority.

So how do companies get an edge and get started? Securac’s suite of risk management and compliance solutions, Acertus, is independent of any legislation, regulation or standard, thus enabling establishment of control objectives specific to any organization or industry type. The Acertus platform enables organizations to become risk intelligent. At the core of the product suite is our risk management engine that establishes current residual risk and then provides a mechanism for those risks to be managed until acceptable residual risk has been achieved. These powerful benchmarking capabilities will allow enterprises to build a valid and enduring enterprise risk management and compliance strategy.

Now that the first phase of Sarbanes-Oxley has come and gone – requiring executives to certify their company’s books and the effectiveness of internal controls under penalty of fines and even jail time – phase two is now upon public companies, requiring the embedding of compliance measures into day-to-day operations. Securac has noticed that until now, many companies have been using low-tech, paper-based methods to document internal controls. Our Acertus compliance software can help your organization integrate and govern all compliance issues across the organization. We want everyone to sleep well at night.
