Advisory Excellence

Compliance Centers of Excellence

What is a Compliance Center of Excellence?

While there is no established definition of a CCoE, there are several definitions of a Center of Excellence (CoE), which I have drawn on for this article.

In a OneSpan article, entitled “Centers of Excellence (Why Create One)”, Jodi Schechter interviewed Mark Kafka, who defined a Center of Excellence as “a discipline within an organisation. The concept of a Center of Excellence is to build out key processes and expertise across the enterprise. It is typically based on a technology, a critical process or an application – to help the organisation adopt that process and become efficient at it.”

Applied to compliance, a CCoE is therefore a team that promotes compliance collaboration within an organisation. It uses best practices around compliance to drive greater business efficiency, more profitability and customer-valued results. Drawing on Mark Vaughn’s Navint white paper, entitled “Financial Services: Compliance Center of Excellence”, another way to think of a CCoE is as a coordinated team whose members have a range of interrelated skills and responsibilities, working in a collaborative forum designed to share knowledge, promote best compliance practices and drive successful business results.

The Horizon Group’s blog post “What is a Center of Excellence” identifies the areas a CoE should cover, and they map onto a CCoE as follows. First, it should offer support to the compliance function’s customers: company employees, third parties and others affected by the corporate compliance function. It does so by acting as the subject matter expert (SME) in the compliance arena. It should provide guidance on compliance standards and methodologies and act as the compliance knowledge repository. It should provide shared learning, including compliance training and certifications, skill assessments, team building and formalised roles, all of which encourage knowledge sharing. It should provide measurements, using output metrics to demonstrate that it is delivering the valued results that justified its creation. Finally, in the area of governance, a CCoE should allocate limited resources across all their possible uses, ensuring the organisation invests in the most valuable projects and creates economies of scale for its service offerings.

From this general description, I see two overarching themes for a CCoE. It should obviously begin with a regulatory backbone, through compliance SMEs supporting the company. It must also deliver demonstrable and tangible results to the business. It would have a clear mission focused on the business and on the compliance requirements each organisation must address.

However, this should then evolve into a more business-process-oriented approach, as a CCoE becomes a team of specialists who work together to develop and promote compliance best practices. While it may initially focus on providing compliance guidance to the company, it would then move to deliver business services, or operationalise compliance throughout the organisation. Vaughn notes this could include “areas such as human capital management, project management, quality assurance, regulatory compliance, business analysis, continuous process improvement, and enterprise performance management.”

A successful CCoE will aid a company to “understand and set priorities, create a roadmap, standardise approaches and support processes that improve the underlying structures of compliance over time.”

Whichever form it takes, the CCoE model should include SMEs, together with other resources that become an integral part of the compliance function, supporting the business in an advisory capacity and delivering discrete services. Indeed, Kafka was quoted as saying that a CCoE “establishes a best in class operation AND it’s a scalable and repeatable process. It becomes the organisational standard. In doing so, intel from channels of operation that have already adopted practices reduces the learning curve for those new to the organisation. Documented processes can be easily rolled out to new channels.”

As with the compliance function as a whole, it should work with the business units to design, create and implement a compliance solution that can be rolled out to more fully operationalise compliance. Vaughn noted that the CCoE team would “work to develop a roadmap based on careful planning and analysis, including understanding how, through scenario planning efforts, the organisation will pivot one direction or another, to initially address regulatory compliance and improve it over time.”

It would allow compliance to be more closely integrated into planning and strategy discussions, keeping it attuned to the ever-changing risk profile of the company. Moreover, through this interdisciplinary approach, it would bring compliance know-how to the business and help business staff understand that compliance is, in reality, a business process, and as such can readily be incorporated into business unit operating procedures going forward.

A CCoE can become a very powerful tool for the compliance function in an organisation. Compliance is properly seen as a business process. If you integrate the compliance framework of controls, incentives, continuous information and feedback into your company’s business processes, it will make your organisation not only more efficient but, at the end of the day, more profitable.

Design of a Compliance Center of Excellence

Next, I want to expand on how a Chief Compliance Officer (CCO) or compliance practitioner would design a CCoE, and then conclude with how you might fit it into your organisation.

Perhaps the best representation of a CCoE comes from Mark Vaughn, author of the Navint white paper entitled “Financial Services: Compliance Center of Excellence”.

In his diagram, Vaughn lays out a way for you to think through your CCoE. He believes a CCoE will be successful in large part because of the personnel you assign to it across a variety of areas. Those personnel need advanced levels of compliance knowledge and competency, including training and certifications. Moreover, your CCoE staff must be “capable of working in a consensus-based organisation and committed to knowledge sharing, developing and leveraging various standards and methodologies and be able to communicate new approaches and leading practices to the organisation.”

The circle in that diagram represents many concepts that every CCO and compliance practitioner will know from their own experience. Under the Risk and Controls Environment area, it includes the three steps of the risk management process, plus remediation management. It also includes the risk data, data protection and data privacy components that you would need to test. Finally, if there were a breach, it would facilitate both investigation and root cause analysis.

Policy and Process moves beyond compliance policies and procedures alone to treat compliance as a business process, delineating roles and responsibilities. There would be a focus on both reporting requirements and governance. Further, the CCoE would develop metrics and independent testing for verification and feedback.

For Solution Design, the focus would be on the overall compliance regime requirements, to produce a functional solution design. This area would provide the supporting architecture needed to create the infrastructure and roadmap for compliance going forward. After new solutions are deployed, this area would also provide continued support.

Under Go-Live Support, the CCoE provides roll-out, deployment and ongoing support to the business units. This facilitates knowledge transfer and furthers the operationalisation of compliance down to the business unit level. This area would also include certifications, examination and audit support. Finally, it would handle ongoing compliance communication.

In the Requirement Analysis quadrant, a group would focus on your internal control and rule-making lifecycle. It could provide legal analysis of anti-bribery and anti-corruption requirements across the globe, providing consistent definitions that assist the employee base. You could also place industry benchmarking in this group. Lastly, the Training and Education group would develop compliance training materials for both internal stakeholders and external business relationships such as agents, distributors, vendors, joint venture partners and others similarly situated. This group could also work with your corporate Human Resources (HR) function to communicate company expectations around ethics and compliance throughout the employment lifecycle. It would use social media for ongoing communication on compliance and develop best practices in this area as well.

What would success for a CCoE look like? Here Vaughn offers some criteria. A successful CCoE would help build a tighter, more frictionless alignment between the business and infrastructure units, especially compliance, risk, reporting and technology. It could move more quickly and more forcefully to improve the adoption of, and adherence to, compliance requirements from a wide variety of regulators across the globe. It could then pair this with end-user solutions supporting compliance reporting, with better design, planning, training and fit-for-purpose tools.

A CCoE would take the lead in developing the strategies and business priorities needed to meet regulatory compliance initiatives, and would work to achieve overall business agility by improving processes and technology through ongoing refinement. It would also increase the success rate of designing and deploying the compliance solutions and technology required to meet compliance requirements, delivering more value at lower cost and in less time.

Vaughn ends by noting that developing and delivering the compliance needs of any global, multinational organisation requires an integrated approach: an interconnected organisation aligned to support a common set of goals and objectives, most directly to more fully operationalise your compliance regime. Deploying a CCoE requires the broad participation of the company and the commitment of senior leadership to drive the organisational transformation. That transformation requires a clear vision of the people, process and technology required, properly aligned to support policy, strategy and governance. Applying the principles of a CCoE will give organisations the strategic platform they need to more fully operationalise compliance across the ever-widening scope of anti-corruption requirements around the globe.

Businesses struggling with GDPR compliance

According to a recent survey conducted by Deloitte, only 30% of organisations have been responding to customer requests regarding their personal data within the GDPR timeframe.

What is GDPR?

The General Data Protection Regulation (GDPR) came into effect in May 2018. Intended to modernise the data protection directive of the 1990s, GDPR aims to keep pace with rapid technological change when it comes to protecting customer information. It was also introduced to set in place a more consistent set of rules across Europe.

Although GDPR is far better adapted to current technology than the directive it replaced, it took more than four years of negotiation and discussion before its text was agreed. This highlights how, even though steps have been taken, regulation still moves too slowly compared with the pace of innovation in the technology sector and the potential for misuse and monopolisation of data.

Each European country had the option to adapt certain parts of the law to its own jurisdiction. In the UK, the Data Protection Act 2018 was initially greeted with some controversy, since its provisions were amended to protect cyber-security researchers.

These rules protect consumers by giving them easier access to the data a company holds about them, and by introducing steeper fines for organisations that breach the regulation. In the UK, this is overseen and enforced by the Information Commissioner’s Office (ICO). Companies must notify the ICO no later than 72 hours after becoming aware of a personal data breach in which data they hold has been accessed, unless the breach is unlikely to result in a risk to the individuals concerned.

Businesses had from May 2016 to May 2018 to prepare for and implement the new GDPR measures, so the question remains: why are businesses not fully adhering to the GDPR timeframe?

Is it the Brexit effect?

Post-Brexit changes should not have an overwhelming effect on the GDPR rules, largely because of the scope each European country has been given to adapt the law so that it works most effectively in its own jurisdiction.

The two years businesses had to prepare for GDPR meant they had time to find other effective ways to gather the information they need to conduct business, without breaching a customer’s right to privacy.

An example of a data breach story that made the headlines is Facebook’s admission that ‘access tokens’ for 50 million accounts had been taken by unknown attackers. This is the kind of event that GDPR aims to reduce through the introduction of stricter measures and hefty fines.

Survey conducted by Deloitte

“Six months in, what is clear is that some organisations are still grappling with the implementation of their GDPR compliance,” said Peter Gooch, cyber risk partner at Deloitte.

Deloitte has stated that in the six months GDPR has been in effect, more than two-thirds of the organisations that took part in its global survey (which gathered answers from 1,100 organisations) have been responding to customer data requests late.

Gooch continued: “Given the complexities of such programmes and increased consumer awareness of such requests, we would expect some bedding-in time. However, our research found that a fifth of organisations only aimed for bare minimum compliance back in May, which may be indicative of the delays some customers are currently experiencing.”

The GDPR timeframe for handling data requests submitted by a consumer (for example, a request to opt out of direct marketing or to erase their details from company systems) is one month, extendable by up to two further months where requests are complex or numerous, provided the individual is told of the delay within the first month. Although the proportion of organisations meeting this deadline is low, the one-month limit is itself tighter than the timeframe under the previous regime.

“That said, 33% of organisations surveyed continue to invest in their privacy practices, including in technology and talent,” said Gooch. “Since May, 70% of organisations surveyed have seen an increase in staff who are either partly or fully focused on GDPR compliance. For many, this included the recruitment of a dedicated Data Protection Officer (DPO). Of the countries surveyed, the UK leads in this respect, with 92% of respondents assigning a DPO.”

With DPOs now assigned role-specific responsibilities for GDPR compliance, the number of businesses handling data requests in a timely manner should increase.

Gooch concluded: “Overall, organisations are taking the right steps in continuing their GDPR implementation and the majority (92%) felt confident in demonstrating their ability to conform in the long-term. In the immediate term, though, many will need to address today’s pressure to respond to data requests. This is particularly the case as online tools, enabling consumers to make mass data requests, increase in popularity.

“Those that are currently responding with some delay will need to take a more customer-centric approach, not only to meet the existing volume, but also the influx of requests their tools could create.”