Better Safe Than Sorry? The Double-Edged Sword of Compliance Management

Better Safe Than Sorry? The Double-Edged Sword of Compliance Management

Nobody likes working with Captain No-No. It’s so disheartening to present a brilliant product or service idea at an all-hands meeting, only to have a cautious manager tear it down with a speech about compliance and regulations.

Yet any compliance specialist or CEO who appreciates the risks of non-compliance is willing to put up with a little name-calling. Because at the same time, nobody likes facing a malpractice lawsuit, or having a regulatory board come into the office for an investigation, or paying a hefty fine to a government agency for breaking the law.

Compliance management is tricky. A business can’t make money if it’s completely buried in rules and regulations. And too many cumbersome regulations ware on a team’s morale and jeopardize the vitality of a business.

Yet the stakes of falling out of line are just as high. A business that’s lackadaisical about rules and regulations pays a hefty cost, as it invites agencies and boards and customers to come in and crack down.

A smart compliance management system see-saws between these tensions. Let’s look at some guidelines to planning a compliance management system, then at strategies to establishing a compliance management system within an organization.

Defining a Compliance Management System

You’ve probably noticed that we live in a litigious and heavily regulated society. Regardless of its industry or location, every business faces an enormity of regulations. A healthcare business must comply to Health InsurancePortability and Accountability Act (HIPPA) regulations, a food service establishment to its state’s Department of Health regulations, and as of 2018, nearly every online business to General Data Protection Regulations (GDPR). Moreover, every business has to follow municipal, city, state and federal law.

A compliance management system (CMS) is like having insurance against all of these laws and regulations. Building a CMS entails establishing systems so that all processes within a business, including marketing, sales, production and delivery, adhere to these regulations.

A Two-Part System

A CMS has two components. The first is the board oversight. This is a central group who oversees and keeps abreast of all the various laws and regulations, and monitors how they change over time.

And the second is the implementation program. As regulations affect all the systems within an organization, implementation includes things like staff training, internal and external communication and responses to customer complaints.

When these two components lock arms and work together, an organization stays under the radar and doesn’t have to deal with any hot messes. However, if the board ignores one area, say overlooking contracts or not keeping abreast of regulatory changes, the company may encounter a sticky situation.

The Area a CMS Covers

Compliance management is a broad topic, and so it’s impossible to create an exhaustive list of everything a CMS might include. Plus it varies from industry to industry, and by geographic location.

However, a CMS almost always includes precautions and processes around internet security, such as reviewing user accounts, surveying internal office communication and protecting the company from viruses and hackers. It also includes contract and human resource regulations.

A CMS establishes systems in the daily operations so the business operates within the bounds of local, state and federal law. It utilizes plenty of internal controls, such as processes for dual login, and delineates clear exceptions to these processes. It also affects the consumer experience.

The consequences of not complying with various regulations range from benign slaps on the wrist to expensive, time-consuming litigation, to loss of licenses and professional reputations.

Compliance management is exacting, and setting up a system takes some work. Changes in a work environment may elevate risk, requiring increased vigilance. For example, a trend toward remote work heightens risks around employees accessing secure company information from personal devices.

The field of compliance is so broad and the number of regulations so huge that pretty much every organization breaks some rules without even realizing it. Having a system keeps an organization in a safe zone. Let’s look at some guidelines to setting up a smart compliance management system.

Making a List, Checking It Twice

No one intends to feed their client a poisoned apple. But when there’s too many (dang!) rules and regulations, unfortunate things happen. We’ve all heard horror stories of doctors operating on the wrong knee, or of financial institutions leaking the personal data of its clients to the public.

So how does an organization approach compliance in such a way that it both mitigates risk and retains enough simplicity to allow the business to run as usual? The answer is creating a priority list and receiving an external audit.

The “Must” List

It takes just a few simple steps to determine which regulations an organization must comply with, and those it can push to the margins or ignore completely.
The first step is to look at all the regulations within the particular business and industry. For an ecommerce business, this probably includes the Payment Card Industry (PCI) Data Security Standard and GDPR. For a business that makes calls to cell phones, it includes Telephone Consumer Protection Act (TCPA) regulations. For any business, the expectations of the clients, say around issues related to privacy, are also included in the mix.

Next, combine the regulations of all these organizations into one massive list. This will look pretty overwhelming, but don’t stress—it’ll be thinned out soon enough.

The third step entails looking closely at everything on the list and determining all the “musts” and the “maybes.” Anything that doesn’t fall into either of these categories can be scratched off and forgotten!

Finally, create a final list that includes everything in the “must” category, and in the second tier include all of the “maybe” items. This final list is the blueprint for the compliance management system. Everything on the “must” side will be included, and only some parts of the “maybe” list, at the judicious discretion of the compliance board.

The Audit

Even when an office is scrupulous around compliance and regulations, chances are it hasn’t addressed everything. The number of regulations is too vast for one or two pesky things not to be overlooked.

The auditor is someone from outside the organization who’s rooting for its success. They know an office is dedicated to providing honest service to its clients, and appreciate what it’s up against with a deluge of regulations from various organizations. A thorough audit spots what a business does well and those things it might change, to make the situation safer for itself and the customers.

Experienced auditors spot red flags right away. They’ve seen the very worst in compliance violations, and are intent to help the next person avoid the pitfalls.

In conclusion, although it takes some time and dedicated effort, it really is possible to create a solid compliance management system. And with a sound CMS established, everyone can breathe easy and go about their workday knowing the processes are free of any serious error or violation.

Convincing the CEO

If a CEO is already paying for a compliance specialist, he may not be keen on making additional investments in technology to streamline a compliance management system. Here are a few pointers to help the CEO understand that a CMS is a savvy business investment.

Explain How a CMS Improves the Bottom Line

A CMS saves money across the board, plain and simple. A company earns more profit when compliance management is streamlined. Team members spend fewer hours at meetings discussing and overseeing compliance. This time instead is dedicated to productivity.

Highlight the Benefits

When working to persuade the CEO to adopt a CMS, frame the proposal in terms of her priorities. Naturally, she’s averse to spending money needlessly, but when she understands a CMS is ultimately about mitigating risk and saving money, she’s more likely to get on board. Communicate the cost of not being compliant, as well as the cost of manual compliance (an increase in labor hours).

Measure the ROI

A good CMS has a significant ROI, even in the short-term. For example, imagine that a streamlined CMS allows employees to dedicate 5 more hours each month to doing their job, which they’d formally put into compliance. This adds up to 60 hours per employer each year. In a team of thirty employees earning an average of $50 an hour, this means an annual savings of $9,000!

Gaining buy-in from the CEO may be tricky at first, but it certainly isn’t a long shot. Understanding the business sense behind the investment makes him or her more willing to go for it.

Riding the Compliance See-Saw

It’s quite a challenge for a business to remain both competitive and compliant in this culture where technology changes rapidly.

Consider, for example, businesses and departments heavily dependent on communication and outreach, such as collections agencies or marketing departments. They’ve seen a seismic shift in their preferred methods of communication over these past twenty years, when the telephone and snail mail have largely been replaced by email, cell phone and text.

From a business standpoint it makes more sense to utilize these new forms of communication, as it increases the likelihood the business will reach the consumer. However, from a compliance standpoint this is a real headache, as email, cell phone and text introduce regulations that didn’t exist with mail and telephone.

The bottom line is that a business cannot turn a profit and be 100% compliant, nor can it ignore compliance entirely without exposing itself to immense financial risk. This means every business must find a balance by answering questions such as: Which regulations must we adhere to? Where are the grey areas? What are the business costs to compliance?

It’s a complicated arena, and each business arrives at its own answers.