Companies Need Structured Compliance Approach

By Michael Greene

Oct. 29 — To effectively manage governance and risk management issues, organizations need a “federated approach” to compliance, according to Michael Rasmussen.

Compliance issues are often distributed to various roles and departments within an organization, and there should be a common architecture that allows these departments to share information and resources, he said. Only a federated approach, as opposed to a centralized or scattered approach, can pull this off.

Rasmussen spoke Oct. 28 at the Network's “Compliance By Design: Federating the Disconnected Silos of Compliance” webinar.

Challenges Ahead

According to Rasmussen, the two greatest challenges that organizations will face in the next decade are staying compliant in a changing regulatory environment and managing third-party risks.

Organizations will need operational compliance to combat these challenges, he said. “Regulators are tired of paper-based compliance programs,” he said, which means that regulators want to know how organizations are operationally compliant—not just how they document compliance issues.

To meet this criterion, the policy must be understood within the organization, he added.

Rasmussen also mentioned that more compliance programs are moving out of legal departments because often there is conflict between a legal department's duty “to deny and protect” and compliance's duty to “discover and fix.”

‘Federated Approach’ Best

Compliance is a very “distributed function,” Rasmussen explained.

Accordingly, centralized approaches to compliance do not really work, he said, because different groups lose visibility and focus, which can lead to disasters.

Moreover, although organizations may have chief compliance officers, they are probably not “truly responsible for all of compliance.” Instead, that role is focused on big-picture, enterprisewide issues, he said.

Therefore, most organizations have decentralized approaches to compliance—i.e., “scattered silos of compliance,” Rasmussen said.

But these departments often do not collaborate, which leads to wasted resources, and these silos are often disconnected and “do not see the big picture” of compliance risks and exposures, he said.

Accordingly, Rasmussen said that organizations need a “federated approach” to compliance.

In this approach, different groups within the organization share services, technology and information that can be used in different ways. Organizations can “harmonize and rationalize” their enterprise and local business unit levels under this approach, he said.

Rasmussen noted that organizations might still have visible compliance leaders who organize and ensure everybody is working together.

However, what is most important is that the organization create a compliance architecture, he said.

To contact the reporter on this story: Michael Greene in Washington at mgreene@bna.com

To contact the editor responsible for this story: Ryan Tuck at rtuck@bna.com