The Federal Deposit Insurance Corporation (FDIC) stipulates that a Compliance Management System (CMS) is how an institution learns, understands and manages:
- Compliance responsibilities;
- Employee understanding of compliance responsibilities;
- Incorporation of compliance requirements into business processes; and
- Taking corrective action where required and updating compliance and operational materials as necessary.
There are two major areas in which an effective CMS will manage risk for the organization:
- The risk associated with changing products and services offered to customers; and
- The risk associated with the impact of new legislation and regulation in the wake of market developments.
Further, the FDIC advises there are three components of an effective CMS:
- Board and management oversight – in particular, appointing a compliance officer or committee;
- Compliance program – this manages a range of issues, but primarily how customer complaints are handled, and it also acts as a source document for the organization; and
- Compliance audit – whether internal or external, and the frequency of such audits as well as what their remit will be and reporting.
So now we have some context on a CMS, and while this is an overview of what the FDIC recommends, this can be applied to any and all compliance situations in or out of the financial services sector.
What are some of the major problems with managing compliance in an organization?
- Interpreting regulations and legislation – “regulatory clarity”
- CMS agility to respond to changing regulatory and consumer demands
- Engendering and fostering a strong risk culture
- Issues with data quality, especially at the enterprise-wide level
- Strong reporting and notification
- Risk management applications which are readily adopted by the organization
- Issues with investment in risk management
- Issues with collaboration between risk and compliance management and the business
- Integration of risk management CMS with business systems
- Prioritizing risk and compliance management – this starts at the top!
There are other issues too; this is not an exhaustive list, but these are to my mind the major ones, or certainly my top 10 (this is a very personal view).
So, how can a Lean BPM solution tackle these issues and what are the benefits for the business?
First of all, putting risk and compliance management onto a single, unified work platform ensures standardization of compliance rules and procedures across the business, irrespective of departmental demarcation or whether customer-facing or back office. This simplifies the major issues of enforcement, change management, reporting and notification, as well as easing solution support and user adoption. A further benefit is the enhancement of collaboration between the business (and across and between business units) with the risk and compliance unit.
We are also firmly entrenched in an era of increasing change in how we do business, and not just customer-driven change, but regulatory change as marketplace developments unfold (not to mention the fallout from the near collapse of the banking system in 2008). The ability to change with true agility is high on many wish-lists, but in reality is as far away for most organizations as it has ever been.
Lean BPM delivers true agility to the business by removing the need for specialist coding and dev skills – IT itself is not required to change or create new business processes (unless there is heavy integration work involved). By putting the functionality of a Lean BPMS into the hands of business people – including risk and compliance staff – and using visual workflow tools, changes (new processes or modifications to existing ones) can be effected very, very rapidly.
The bottleneck of waiting on IT to deliver business requirements is removed, speeding up the change and adoption of business processes, which benefits how the business operates and also reduces the burden on IT to deliver requested changes. For instance, as a result of a compliance audit, an area of weakness is identified which requires the collection of an additional piece of customer information prior to performing a transaction – this can easily be added to the process through the Lean BPMS in minutes and made a compulsory step, and any required documentation can be collected and stored within the platform.
If a Lean BPMS is used to run business operations, then it becomes a relatively simple matter to incorporate risk and compliance management at the most fundamental level. The power to enforce every step in a workflow or process prevents the formation of shadow processes, or the bypassing of compliance rules, while at the same time maintaining a non-repudiable log of every action on the platform by both users and administrators. Compliance becomes a way of doing business rather than an afterthought, and it is built into the processes themselves, contributing to the creation of a robust risk culture across the organization.
A Lean BPMS, such as JobTraQ, is heavily reliant on visual tools with clean UIs, leading to faster and deeper user adoption. Ensuring users across the organization are familiar and happy with using any system or application is crucial to the successful outcome expected from deploying it. In the case of risk and compliance, the higher and deeper the adoption by users, the more compliance and risk management become ingrained within the organization, frequently without users even realizing they are systematically and automatically behaving in a compliant fashion.
A Lean BPMS benefits the organization by providing strong reporting and notification tools, including one-click audit functionality and the distribution of automated reports and notifications. For instance, the compliance team can be notified instantly, and concurrently with the business, of the receipt of all customer complaints. By working with a secure, universal work platform, it is a simpler exercise to run reports and trigger notifications and alerts off workflows automatically, alerting not only the risk and compliance unit but also the business unit managers and staff themselves where applicable.
Of particular significance though is the ability to generate audit reports instantly, and to change the parameters of the audit at will: for instance, moving the audit from transactional sampling, such as customer complaint resolution metrics, to a broader consideration of qualitative issues. Examples include: how fast does the tax department identify, recognize and adopt changes in tax legislation; or, how does the organization communicate compliance protocols (from the top!) and how can it demonstrate these communications are received, read and adopted by business units and staff across the board?
We cannot make the claim that simply moving your CMS to a Lean BPM platform (or any BPM platform for that matter) is going to cure every pain point you are experiencing. While the tool can, and will, resolve many issues that exist with adoption, collaboration, enforcement of procedures and rules, auditing and reporting, and especially the ability to become much faster at implementing new procedures, the ultimate issue with compliance and risk management will continue to revolve around what the compliance framework should look like, what policies and procedures ought to be, and what changes are required.
What a Lean BPMS will do is speed up your ability to change in the face of regulatory and customer-driven demands, and embed compliance and risk management as a fundamental part of business processes and workflows, making compliance elemental. By removing the implementation and execution of compliance management, more time is created to focus on “what” the compliance regime ought to be and to be much more proactive, as opposed to trying to close the stable door after the horse has bolted.