To Best Manage Governance, Risk, Take ‘Federated Approach’ to Compliance

Bloomberg BNA’s Corporate Law & Accountability Report is available on the Corporate Law Resource Center.

By Michael Greene

Oct. 29 — To effectively manage governance and risk management issues, organizations need a “federated approach” to compliance, according to Michael Rasmussen, chief pundit for governance, risk management and compliance with GRC 20/20 Research, LLC.

Compliance issues are often distributed to various roles and departments within an organization, and there should be a common architecture that allows these departments to share information and resources, he said. Only a federated approach, as opposed to a centralized or scattered approach, can pull this off.

Rasmussen spoke Oct. 28 at the Network's “Compliance By Design: Federating the Disconnected Silos of Compliance” webinar.

Challenges Ahead

According to Rasmussen, the two greatest challenges that organizations will face in the next decade are staying compliant in a changing regulatory environment and managing third-party risks.

Organizations will need operational compliance to combat these challenges, he said. “Regulators are tired of paper-based compliance programs,” he said, which means that regulators want to know how organizations are operationally compliant—not just how they document compliance issues.

To meet these criteria, the policy must be understood within the organization, he added.

Rasmussen also mentioned that more compliance programs are moving out of the legal department because there is often a conflict between a legal department's duty “to deny and protect” and compliance's duty to “discover and fix.”

Neither Centralized Nor Scattered Approaches Work

Compliance is a very “distributed function,” Rasmussen explained.

Accordingly, centralized approaches to compliance do not really work, he said, because different groups lose visibility and focus, which can lead to disasters.

Moreover, although organizations may have chief compliance officers, they are probably not “truly responsible for all of compliance.” Instead, that role is focused on big-picture, enterprisewide issues, he said.

Therefore, most organizations have decentralized approaches to compliance—i.e., “scattered silos of compliance,” Rasmussen said.

But these departments often do not collaborate, which leads to wasted resources, and these silos are often disconnected and “do not see the big picture” of compliance risks and exposures, he said.

Federated Approach Best

Accordingly, Rasmussen said that organizations need a “federated approach” to compliance.

In this approach, different groups within the organization share services, technology and information that can be used in different ways.

Organizations can “harmonize and rationalize” their enterprise and local business unit levels under this approach, he said.

Rasmussen noted that organizations might still have visible compliance leaders that organize and ensure everybody is working together.

However, what is most important is that the organization create a compliance architecture, he said.

This architecture creates a framework where all the different compliance roles can come together for strategic planning and information sharing.

To pull this off, organizations need technology that enables this framework, because organizations are often buried in documents such as e-mails and spreadsheets that are difficult to produce and share, he said. Such technology allows organizations to manage compliance issues intelligently across many departments sharing the same architecture.

To contact the reporter on this story: Michael Greene in Washington at

To contact the editor responsible for this story: Ryan Tuck at