Whitepaper

Top Threats to Effective Compliance Management: And the tools and strategies to address them

Noggin

Continuity Management Software

Updated September 29, 2023

The state of play in compliance management

Even before the pandemic, challenges to effective compliance management were acute. Unexpected political outcomes, such as Brexit and the 2016 election of Donald Trump, led to major regulatory changes, overhauls which left businesses catching up.

Nor had businesses completely recovered from the previous systemic shock: the global financial crisis of the late 2000s. Following that crisis, national and supranational bodies issued sweeping financial reforms. 

The years 2009 to 2012 saw more than 50,000 regulations sweep across the G20 [i]. That number rose to 50,000 in the year 2015, according to the London-based think tank JWG.

Those regulations upped the ante on compliance management, especially on the cost side. Compliance with the Dodd-Frank Wall Street Reform and Consumer Protection Act cost banks USD 36 billion, according to the publication Trade. All told, regulatory compliance cost banks USD 100 billion in 2016.

Financial regulation, though significant, isn’t the only contributor to ever-increasing compliance costs. Australian enterprises spend around AUD 94 billion to administer and comply with public sector rules [ii].

Besides adhering to external edicts, companies also develop their own rules, regulations, policies, procedures, and bylaws. Compliance with these internal mandates has cost implications as well. Australian enterprises spend around AUD 155 billion to administer and comply with self-imposed rules and regulations, according to Deloitte.

Top governance, risk and compliance (GRC) threats

Sure, the rules are meant to improve the health and functioning of companies. That doesn’t make them any easier to comply with. 

Indeed, compliance management – the end-to-end process of monitoring and assessing systems, tools, and structures needed to adhere to rules and regulations – only becomes more difficult in moments of regulatory upheaval.

Difficult but not impossible. 

Of course, companies must fully understand the threats stacked up against the governance, risk and compliance practice before they can effectively tackle them. That’s why we’ve pulled together a non-exhaustive list of common threats. They include the following:

  • The lack of an overarching framework for compliance.

    From third-party auditors to internal GRC departments, companies pay a lot of money to get things right. The question is, though, do their investments hold up? 

    If you ask the experts, the answer is no. The problem they contend is that firms allocate resources to governance, risk and compliance without having first developed an enterprise-wide framework. 

    The lack of an overarching framework means that a piecemeal approach to compliance often takes over, one in which individual teams begin managing specific requirements as they see fit – usually with a different set of roles, activities, and systems. 
  • Siloed functions and disconnected systems limit visibility.

    Why does that matter? Besides being costly and ineffective, the piecemeal approach inevitably limits the situational awareness of senior leaders, whose statutory responsibility it is to manage compliance threats. 

    These leaders can only meet their obligations, though, if they have an accurate picture of risk. Siloed functions and disconnected systems limit that visibility, driving up costs and creating work duplications in the process. 

    In fact, businesses might end up paying double for advanced compliance management systems that perform the same functions but aren’t configured to exchange relevant data. 
  • Manual processes.

    That is when the systems are digitised at all. Often, compliance management is overwhelmingly manual, with practitioners reliant on spreadsheets, word processing, and shared folders. 

    A fledgling company might get by like that. The home-spun structures, however, won’t scale as firms get larger and their reporting requirements more onerous.
  • Rapidly changing regulatory picture.

    And, of course, the sheer volume of regulation a company must comply with also makes compliance risk management more operationally complex. 

    More regulation will often mean more resources needed to implement changes. Resources aren’t always available or adequate, rendering it difficult to meet regulatory expectations. 

    The inability to meet expectations, then, ups the potential for increased supervision (not to mention sanction) from regulators. 

Strategies for getting compliance management right

What can be done to overcome the threats? Senior leaders must first redirect their company’s compliance efforts and resources away from piecemeal interventions and towards an enterprise-wide strategy that unfolds in multiple stages. 

Implementing such a strategy begins with identifying the areas in the organisation with the highest compliance risk, then recalibrating the compliance function to monitor those risks. 

One concrete step towards enterprise-wide compliance management is developing a single, overarching framework for compliance across the organisation. That unifying thread, in turn, governs the processes adopted and the tools procured. 

Of course, that strategy must be premised on a comprehensive understanding of the company’s compliance risk, especially existing levels of regulatory scrutiny, which are predictive of future scrutiny. How to achieve such an understanding?

  • Run regular risk assessments.
    The best practice in the field is to run regular risk assessments, particularly after major business changes (e.g., COVID). Barring large-scale shocks, businesses should run assessments at least annually, looking out for minor tweaks to statutes, standards, regulations, and court rulings that can affect compliance requirements.
  • Factor in third-party risk.
    Business partners need to be part of this calculus, as well. Vendors and contractors deemed unethical in the past also increase compliance risk. They should be factored into a company’s risk-monitoring framework. 
  • Move on to analysis.
    After isolating all potential compliance risks, teams will move ahead and analyse those risks, asking themselves how likely an individual risk is to occur, and the potential impact of that risk were it to become an incident. 
  • Introduce standardised risk methodologies.
    Then comes prioritisation. That means triaging risk based on pre-established criteria. Companies don’t have infinite resources to deal with identified compliance risks. Instead, they will have to use a standardised risk methodology, usually a risk matrix, to determine which risks they will seek to control. That assessment is often made based on (proportional) levels of risk.
  • Sign off on appropriate risk controls. 
    Finally, the compliance decision maker, usually a C-level executive reporting directly to the Board’s audit committee, will need to sign off on risk controls. Those are the actual strategies and tools teams will implement to manage high-level risk and promote compliance, either by mitigating the risk or eliminating it altogether.
  • Ensure constant improvement.
    To make this staged approach work, teams will need to ensure that their processes, policies, and procedures are all standardised. Further, they will need to ensure that the centralisation of the compliance function is reinforced by training and education, as well as clear reporting methods and mechanisms, which keep due diligence and risk assessment efforts current. 

Turning to industry best practice to mitigate the threats

Beyond taking common-sense compliance measures, organisations should be turning to industry best practice, as well. The industry has been rolling out best-practice standards to inform organisations seeking to get their compliance house in order. The best of the lot in this respect is the international standard ISO 31000.

Published originally in November 2009, ISO 31000:2018 is the international standard for the practice of risk management. The standard is broadly applicable, independent of an organisation’s type, size, complexity, or operations. 

The standard itself offers a framework for establishing the context of, identifying, analysing, evaluating, treating, monitoring, and communicating risk, prioritising executive buy-in. The logic, here, is that only a proactive stance on part of senior leadership can ensure that best-practice risk processes are fully integrated across all levels of the organisation.

Per the standard, senior leaders are advised to do the following:

  • Define and endorse risk management policy
  • Ensure that the organisation’s culture and risk management policy are aligned
  • Determine risk management performance indicators that align with performance indicators of the organisation
  • Align risk management objectives with the objectives and strategies of the organisation
  • Ensure legal and regulatory compliance
  • Assign accountabilities and responsibilities at appropriate levels within the organisation
  • Ensure that the necessary resources are allocated to risk management
  • Communicate the benefits of risk management to all stakeholders
  • Ensure that the framework for managing risk continues to remain appropriate 

The standard also calls on individual business process owners to identify and consider risks in their business decisions, as well as integrating risk management principles in all other key aspects of decision-making.

That’s not all. The standard offers strategies on how to design and implement the risk management framework so that it is comprehensive. Risk framework design pointers include:

  • Accountability.
    Risk owners should be identified and given the requisite authority to manage risks. That authority comes with accountability for the development, implementation, and maintenance of the framework for managing risk. 
  • Integration.
    The risk management process can’t be distinct from all other organisational practices and processes. Instead, the risk management process should be embedded effectively and efficiently.
  • Resources.
    Appropriate resources should be delegated to risk management, including people with relevant skills, experience, and competence.
  • Communication and reporting.
    Well-functioning risk management processes depend on effective communication and reporting. Internal and external communication should be covered; specifically, plans should be made and implemented for communicating with external stakeholders.

Effective risk management should also be iterative, providing for the implementation, monitoring and review, and continual improvement of risk management processes and frameworks. To that end, risk management implementations should be measured against indicators that are periodically reviewed to assess their continuing appropriateness. Based on the results of these reviews and assessments, organisations can alter their risk management frameworks and policies.

The benefits of governance, risk and compliance software

How to operationalise the standard and other best-practice strategies (more broadly) meant to overcome the threats to compliance management? That’s where digitised governance, risk and compliance software comes in.

Of course, not all software is created equal. That’s why we recommend risk and compliance leaders invest in tools, such as the Noggin Governance, Risk and Compliance module, that collect real-time risk data from multiple stakeholders, across the organisation. 

These solutions are based on ISO standards, as well as being fully customisable. With everything from a simple pre-task assessment through to an organisational risk register, the solutions make it easy to capture risk data and provide the analytics to derive rich insights.

What else? These solutions also provide better value for money: a consistent set of common GRC features that can be used out of the box in safety and security management software. 

Other GRC features to look out for include:

Governance
  • Objectives
  • Controlled documents
  • Auditing/Audit Library
  • Audit Reporting

Risk
  • Threat/Treatment Library
  • Risk Assessments
  • Scheduled Risk Reviews
  • Risk Context
  • Risk Reporting

Legal Compliance
  • Compliance obligations
  • Compliance breaches
    – Investigations
    – Case notes

Standards Compliance
  • ISO standards
  • Other standards
  • Compliance audits
    – Compliance audit library
    – Audit project
    – Inspections
    – Checklist question

Dedicated governance business workflows including:

  • Scheduled compliance audits
  • Copy data from audit library
  • Send notifications
  • Admin functions

Dedicated risk management and assessments business workflows including:

  • Risk lifecycle workflow
  • Scheduled risk reviews
  • Copy data from library
  • Send notifications
  • Admin functions

Dedicated compliance management business workflows including: 

  • Schedule audits
  • Copy data from audit library
  • Send notifications
  • Admin functions
More Noggin GRC features and benefits
Controlled documents
  • Primarily used for policies and procedures, but can be used for any document type
  • Includes a document approval workflow (reviewer/owner)
  • Includes a document review & archival workflow
  • Supports automatic document version control and links to previous versions from current version dashboard
  • Supports stakeholder email notifications & acknowledgements that documents have been read & understood
  • Supports links between documents and risk controls
  • Supports a controlled document register search
  • Allows filtering of documents by tags for each Noggin solution
  • Documents are accessible from web browser and mobile devices
Audits
  • Audit projects consisting of multiple sections and questions that can be configured by authorised users
  • Audits can be scheduled to occur on a user-defined cycle
  • Multiple auditors can work simultaneously on the same audit project
  • Each audit can consist of multiple questions, each of which can be weighted for importance
  • Each question can include guidance notes
  • Audit responses are automatically converted into a percentage that facilitates consolidation, comparisons and trend reporting
  • Non-conformances can be recorded for follow-up action
  • Photos and files can be captured as evidence
  • Corrective actions can be raised and tracked through to completion

Risk assessments
  • Can be used for any type of risk assessment
  • Risk assessments are created from a library of pre-defined risks and controls that users can extend
  • A Risk Assessor can automatically calculate the Inherent risk severity when the likelihood and consequences are entered
  • An Assessor can rate the contribution of each control toward likelihood and consequences, which automatically calculates the Target risk severity level using the contribution of multiple controls
  • The Risk Owner can approve the risk assessment
  • Once implemented, the effectiveness percentage of each control is used to automatically recalculate the Residual risk severity level
  • Risk assessments can be scheduled for periodic review
  • Users can generate ad-hoc risk reports that explain what has changed within a date range
Finally, effective compliance management is most difficult in moments of crisis and regulatory upheaval, like the present. But that doesn’t negate the reality of everyday threats to compliance management.

Understanding those threats, as we’ve sought to do with this guide, is the first step to mitigating their effectiveness. After that, implementing cohesive compliance risk management strategies, in tandem with technology investments like the Noggin GRC module, is the best way to capture the risk data that provide the requisite analytics and insights needed to keep your organisation safe and compliant.

Sources

[i] Tom Groenfeldt, Forbes: Taming The High Costs Of Compliance With Tech. Available at https://www.forbes.com/sites/tomgroenfeldt/2018/03/22/taming-the-high-costs-of-compliance-with-tech/?sh=531894495d3f

[ii] Deloitte: Get out of our way: Unleashing productivity. Available at https://www2.deloitte.com/au/en/pages/building-lucky-country/articles/get-out-ofyour-own-way.html