Did you know that the use of car seat belts wasn’t mandatory until 1984? Even today, in 15 of the 50 U.S. states, not wearing a seat belt isn’t a violation. However, the 1968 Motor Vehicle Safety Standard was the first regulation that made it mandatory for car manufacturers to provide seat belts for all vehicles. In other words, car manufacturers have to offer seat belts, but drivers don’t always have to use them.
It is estimated that the use of seat belts saved 255,000 lives in the U.S. between 1975 and 2008. At the same time, 2,500 more lives would have been saved in 2016 if everyone had buckled up. This shows why regulatory compliance is important: It protects us, sometimes from ourselves. These statistics also illustrate one of the most critical challenges of compliance: enforcement. Laws and regulations aren’t beneficial unless they are followed by us, or enforced by authorities when we’re not willing to comply.
Similarly, there are laws that concern businesses and are supposed to protect them, as well as anyone interacting with them: customers, partners, employees, and the public. Some regulations are specific to businesses, while others apply mostly to consumers; there are also compliance regulations that exist for both. A good example of regulations for both businesses and individuals is financial fraud compliance. Since people and companies can use debit and credit cards, card fraud impacts everyone. Card fraud losses worldwide amounted to $31.26 billion in 2018, and are expected to reach $32.82 billion in 2019.
What is compliance (and why does it matter)?
Compliance can be categorized by multiple criteria, the most important being:
- Who defines and enforces it, such as governments for laws and regulations, professional associations and industry organizations for industry standards, and businesses for corporate policies. For instance, the International Organization for Standardization (ISO) develops and publishes international standards (such as ISO 9000 for quality management) that are not enforced by governments.
- What problem it addresses, such as safety, fraud, privacy, human rights, the environment, and so on. This type of compliance can be enforced by governments, as with the Food Safety Modernization Act (FSMA), or defined by an industry-specific standard like ISO/IEC 17025 for testing and calibration laboratories.
- Which industry it applies to, because risks can be very different depending on the sector. A few examples are the Health Insurance Portability and Accountability Act (HIPAA) for health care, the Bank Secrecy Act (BSA) for banking, and the Family Educational Rights and Privacy Act (FERPA) for education.
These types of compliance can be combined in many ways, which can make it difficult for companies to follow regulations and for governments to enforce them. While companies can self-regulate through corporate social responsibility (CSR) initiatives, there are also ISO standards related to CSR. Furthermore, CSR policies need to comply with local and national laws in any location where they are implemented.
All these options—and the fact that they are continually updated and revised—led to the development of software products that focus exclusively on various types of compliance.
Overview of compliance software
As business becomes more complex and global, exposure to risks is also increasing. Unfortunately, new technology advancements can be used by scammers either to bypass security systems or to take advantage of our lack of attentiveness when making financial transactions online and offline.
Compliance software is delivered in several forms:
- Platforms that provide all features in one single solution, also known as governance, risk, and compliance (GRC) platforms. These tools allow companies to define, manage, and implement policies across multiple departments, from IT and production to sales and HR.
- Best-of-breed software focuses on one specific type of challenge, such as risk management. Other solutions cover a single type of compliance activity, such as auditing or policy management.
- Point solutions are designed to cover particular types of compliance, such as HIPAA or GDPR. Other examples include IT risk management software and third-party & supplier risk management software.
Through mergers and acquisitions or internal development, many vendors now provide a mix of all the options described above. All options are necessary, as customers have different needs based on the company size, their industry, or geographical presence. For instance, European companies require GDPR software and features, which are less important for North American companies.
To better understand compliance software, it’s essential to grasp the compliance lifecycle, or rather continuum, because compliance initiatives never end, are intertwined, and have only one of two outcomes for companies: compliant or noncompliant.
It all starts with a clear understanding of what types of compliance apply to the company, where it should be implemented (department or geographical location), when (monthly, yearly, or ongoing), and how (internal teams or working with consultants). Everything else depends on this, from designing and implementing compliance programs to training and audit. When policymakers update compliance information or create new regulations, the information needs to be updated, which may trigger changes in some or all other activities.
To help with these challenges, GRC platforms provide features for various types of compliance and risk management in one integrated solution. This type of software is a mix of multiple types of functionality that are usually delivered as stand-alone products. While GRC platforms are generally industry-agnostic, some vendors also offer features that are specific to sectors such as finance and banking, manufacturing and distribution, or IT. The most important types of stand-alone software for compliance are summarized in the image below:
All these software products were designed to serve a clearly defined purpose. Some of them focus exclusively on managing and updating compliance and policy information. Others can be used to manage risks that may impact businesses only, or both companies and the public. There are also tools that help companies audit their compliance activities, investigate and address issues, and train employees for compliance purposes.
Software to define internal policies and stay up to date with national and international laws:
- Regulatory change management software ensures that companies are up to date with the latest changes in any type of compliance that concerns them. This type of software is particularly useful to multinational companies that need to comply with regulations in multiple countries. Regulatory change management software does not cover corporate policies or industry standards.
- Policy management software allows companies to create, implement, and monitor internal policies. Corporate policies are created to deal with potential risks that are not always covered by the law. For instance, companies define policies for the proper use of social media channels. While sharing unauthorized business information is regulated by the law, businesses need social media policies to protect their brand and online presence.
Software to manage compliance for companies and other stakeholders, such as employees, partners, and the public:
- Anti-money laundering software helps companies identify suspicious customers and partners that may be involved in illegal financial fraud activities. This type of software provides databases of individuals from all over the world that have been involved in illicit transactions. A few examples of suspicious people are corrupt politicians, warlords, drug and arms dealers, and anyone involved in money laundering. Companies try to avoid doing business with these types of people because they usually cannot be trusted. Also, this may harm the public image of the company.
The Panama Papers are millions of leaked documents on suspicious activities of more than 200,000 offshore entities. While this type of company isn’t illegal, it can be used for money laundering by corrupt politicians or drug cartels.
- Data privacy software protects companies and their customers from data breaches. This type of software stores and securely manages personal and business data. Depending on the industry and the locations of the company, businesses need to comply with various regulations and standards for data privacy. Data privacy software can help identify what types of compliance are required and assess related risks, as well as provide actions to mitigate risk.
- Disclosure management software manages requirements for various types of information that companies are required to share with governments or the public. This is critical for publicly traded companies that disperse ownership by selling shares of stock to other businesses or individuals. Because anyone can buy their shares, these companies are required by law to share information on their financial performance.
Software to implement and monitor compliance that is specific to businesses:
- Business continuity management software aims to address disruptions that may impact the activity of a company. As much as companies try to avoid risks, problems will happen, and they need to be ready to recover quickly. Any type of risk requires specific actions to keep the company up and running. For instance, technology issues can be temporarily solved by using backup systems, while natural disasters may require relocating the company to a temporary location.
- Third-party & supplier risk management software focuses on any risk related to working with partners. In a global economy, companies may do business with partners from all over the world, which increases their exposure to financial and operational risks. One example could be a supplier that receives payment for goods that aren’t delivered. If the customer is based in a corrupt country where legislation isn’t enforced, the company that made the payment will have a hard time getting its money back. It is, therefore, essential to make sure that partners are reliable before doing business with them.
- IT risk management software focuses on risks that are specific to technology, such as hacking, outages, or viruses. Companies also use IT risk management software to monitor the internal use of technology, such as software or mobile devices. While business software and hardware are usually secure, employees may find ways to circumvent safety protocols.
The most extensive data breach experienced by a Canadian bank was caused by an employee who “improperly accessed and shared the information of 2.7 million individuals and some 173,000 businesses.”
- Operational risk management software monitors and assesses risks that may impact the operations of a company. This type of software can be used in any department of a company, from accounting or HR to sales and operations. Operational risk management features can be delivered as part of business continuity management software, or as a stand-alone product. For the advanced needs of departments like IT or distribution, companies benefit more from using third-party & supplier risk management software and IT risk management software.
Software to audit and address risks and compliance violations:
- Audit management software is used to define and implement procedures to monitor how policies and regulations are being implemented in a company. Companies adopt this type of software to ensure that they are compliant, which helps them avoid fines, as well as prevents accidents or product recalls. Depending on the regulations that the company needs to comply with, auditing can be continuous or performed occasionally. For instance, safety measures need to be audited continuously while financial compliance may be audited monthly or yearly when the company is closing its books.
- Ethics and compliance learning software manages training and learning materials that companies and their employees need to ensure compliance with laws and regulations. Compliance training can be mandatory (for safety compliance) or optional and can cover topics from financial fraud to sexual harassment. This type of software can also be used to familiarize employees with internal policies that are not enforced by law but are imposed by businesses. Ideally, ethics and compliance learning software prevents issues but can also be used to fix problems.
Starbucks recently closed more than 8,000 stores across the U.S. to train its employees after an incident of racism in one of its locations. According to the company, “175,000 Starbucks partners could come together for a conversation and learning session on racial bias.”
- Investigation management software tracks incidents and addresses them to limit their impact on the company. This type of software can be used for any kind of incident, like safety, fraud, harassment, and so on. Internal investigations are not an alternative to the rule of law and are usually conducted when employees or partners violate corporate policies. When individuals or companies break the law, the appropriate authorities take over the investigation and the company that started it is required to cooperate.
Compliance is complicated, and so is the software needed to manage it. To better understand the various types of software and to compare solutions, visit our governance, risk, and compliance page.