
17 Boardroom Risk and Compliance Governance Challenges 

By Tim O’Hanlon

Contents

THE UNDERLYING PREMISE

 

1. ENTERPRISE APPROACH

1.1  A negative compliance culture in business

1.2  Organisational complexities

2. CONTROL OF BUSINESS OPERATING MODELS

2.1  A siloed approach 

2.2  Operating model challenges

 

3. HARNESSING LEGAL VALUE

3.1  Limited legal contributions

 

4. THE STANDARD OF DELIVERY

4.1  Compliance overload

4.2  Insufficient detail

4.3  Manual processing risks

 

5. PROCESSING REGULATORY INFORMATION

5.1  Inadequate change control

5.2  Missing interconnections

6. CONTROL OF REGULATORY RISK

6.1  No real-time enterprise view of regulatory risk

6.2  No preventative maintenance model

6.3  Overburdened staff in key roles

6.4  High churn rate of key resources

6.5  Complexity of regulations

 

7. ACCOUNTABILITY FOR OUTCOMES

7.1  Poor clarity and ownership of governance

7.2  Ineffective performance management

7.3  Myopic mindset of leaders

THE UNDERLYING PREMISE

Welcome to this paper called 17 Boardroom Risk and Compliance Governance Challenges.  I’m Tim O’Hanlon, the founder of Tim O’Hanlon Strategic Management Services and creator of a revolutionary new Integrated Governance Framework (IGF) for boards and executive teams to govern their companies.

 

There are 7 pillars to the IGF, and one of them is called Risk and Compliance Monitoring (RCM). So, this paper is about how challenging the risk and compliance side of governing an enterprise is, based on the thirty years I have been working with Global 2000 companies, and on 17 issues in particular that I have experienced and that have shaped the design of the IGF in the area of risk and compliance.

The IGF is a proposal I table with forward-looking companies wanting to find better ways of governing in the boardroom. I have created content on our website and in papers like this to share details of the blueprint and the lasting value I believe you will get from applying it through the capabilities I am proposing that you establish in your company.

You would be right to ask yourself: what is it that we are not doing on the risk and compliance side right now that could be of such value, given our expertise and success in running our company over the years? So, to answer this question, I have put together a premise with supporting issues on which the risk and compliance monitoring solution has been based. It provides an insight into 17 problems companies experience that the RCM solution, and its integration with the other 6 pillars of the IGF, is designed to overcome. As I take you through each issue, it would be useful for you to consider just how many areas in the company are experiencing these problems and how my solution could help them.

If at the end of my input you believe there is real potential to change things for the better in your organisation, then I have achieved my purpose in sharing this material with you. That’s because I am looking for companies like this who would be interested in follow-up discussions where we can explore options for how our solutions could help with board and executive team governance of the enterprise.

So, getting back to the question about what it is that you are not doing right, here is the underlying premise - it's quite a statement to make, so let me take you through the 17 problems that this premise is based on.

"The company's regulatory governance framework is unable to sustain the solutions delivered through regulatory change initiatives.

Tackling today's business disruptors at the sharp end without solving the underlying governance problems is like shuffling deckchairs on the pool deck while the engine room is flooding."

1. ENTERPRISE APPROACH


1.1  A negative compliance culture in business 

1.2  Organisational complexities

The first problem under Enterprise Approach is 1.1, which says: A negative compliance culture in business is compounded by tight spending and a minimalist approach by line management preoccupied with commercial challenges.

 

So, to get the business to take on the need for a risk and compliance governance transformation, the solution has to be compelling enough for them to take notice. It needs to take away the pains they associate with the regulatory side of business.

1.2 says: Organisational complexities, with diverse and fragmented structures and governance practices, are a handicap to cross-entity and cross-jurisdiction collaboration and oversight by staff. Here the solution must overcome the challenges of large, complex structures that cannot be undone, and find a way of making the application of risk and compliance governance effortless notwithstanding these hurdles. There are 4 key aspects to this that get covered – a uniform approach, where policies, practices and standards are built into the governance documentation and training; a top-down approach, where the board and executive team steer the efforts and "walk the talk"; a technology-savvy approach, where digitization, integration and automation deliver a digital solution; and a carefully engineered approach that uses agile as the basis for incremental transformation, within which all of the above must happen.

2. CONTROL OF BUSINESS OPERATING MODELS


2.1  A siloed approach

2.2  Operating model challenges

The next main heading deals with CONTROL OF BUSINESS OPERATING MODELS and has two issues.

2.1 says: A siloed approach to introducing regulatory change increases the overhead and reduces the effectiveness and efficiency of compliance with each change introduced. To deal with this, the solution specifies a unique approach right at the start of any change initiative: unpacking the legal requirements and integrating them into the existing framework is the first step - otherwise you cannot avoid fragmentation. This then helps with streamlining new changes into the existing regulatory datasets and structures.

2.2 says: Re-engineering operating models in the company is increasingly complex and costly, with a growing risk of unintended consequences, because the crucial change information that regulatory change programmes need to integrate solutions properly is not available to them. The key here is for the solution to show how to integrate sustainable change solutions into the operating models in the business. That requires detailed knowledge of the existing control framework, together with a suitable architecture and methodology for dealing with organisation design change, so that the transition can be engineered effectively and efficiently.

3. HARNESSING LEGAL VALUE

3.1 Limited legal contributions 

Under the heading HARNESSING LEGAL VALUE you have 3.1, which says: Managing legal contributions has considerable value that is not fully realised, due to poor structures, practices and tools for managing these contributions. This has a significant impact on how the organisation deals with regulations, how it positions itself on specific issues, and how it defends itself accordingly when challenged.

 

This is such an important issue that the standard has dedicated a special section to it. How can you implement regulatory changes when you have not properly finalised the meaning of the legal content? The standard covers how you get everyone singing from the same hymn sheet, and not just during the change initiative.

 

There are various practices and standards set up to make sure that interpretations are documented, with the decision criteria captured in a Register of Rulings. Every major piece of legislation must have this rigour applied, to ensure there is proper due diligence in support of the position that the board and executive team take on these issues. It provides a sound reference for defending the company's position when challenged.

4. THE STANDARD OF DELIVERY


4.1  Compliance overload 

 

4.2  Insufficient detail 

 

4.3  Manual processing risks

The fourth heading, THE STANDARD OF DELIVERY, is all about delivery problems with the three issues being highly interconnected.

The first one, 4.1, says: Compliance overload is a problem, as the compliance burden increases with each new solution that is delivered, reducing oversight capacity under limited budgets and driving up the potential for residual risk creep. The standard talks about dealing with change alerts, and about how their resolution is tackled in a smart way so as to manage the impact on existing capacity and ensure the sustainability of the solutions implemented.

 

4.2 says: The level of granularity at which control is exercised is limited by the manual approach, under-resourcing and the increased volume of information processing required, which introduces the potential for disruptive breakdowns. To tackle this, the standard covers how gap analysis and risk assessments are done at a granular level, along with the detailed level at which controls are set up and monitored.

 

4.3 talks about how manual processing of compliance data, and the use of spreadsheets for analysis and tracking, creates a heightened risk of errors and inaccuracies, with a limited ability to meet the granular processing required in a responsive manner. In concert with 4.1, the solution provides an automated way of evaluating the impact of regulatory changes: the requirements are digitised and incorporated in an assessment tool that delivers instant reporting and analysis. The solution covers more about automation under the headings coming up.

5. PROCESSING REGULATORY INFORMATION


5.1  Inadequate change control 

5.2  Missing interconnections

Heading number 5, PROCESSING REGULATORY INFORMATION, is at the core of regulatory control. It deals with the technical design needed to ensure that all regulatory content generated by the company is properly controlled, along with the complex relationships between its parts.

 

5.1 says: Change control of key data sets across the compliance framework is a growing burden, as new regulations, and changes to existing regulations, load the framework with more content and increased change complexity that manual processing is unable to keep up with.

 

Then 5.2 talks about the issue that management of the interconnections between the multiple data sets that make up the compliance framework is missing, so understanding the impact of changes on the organisation is a highly manual and invasive exercise, with each change initiative requiring repeat analysis that could be avoided.

 

For dealing with both of these issues, the standard includes a relational database model that is applied to all regulatory content. Significant rigour and technical expertise have been applied to this aspect of the solution to ensure a robust information architecture.

6. CONTROL OF REGULATORY RISK


6.1  No real-time enterprise view of regulatory risk 

 

6.2  No preventative maintenance model 

 

6.3  Overburdened staff in key roles

6.4  High churn rate of key resources

6.5  Complexity of regulations

Heading 6, CONTROL OF REGULATORY RISK, is where the rubber hits the road.  The first two issues deal with the subject of monitoring so let me take you through these first.

6.1 says: A real-time enterprise view of regulatory risk is not possible due to limited and fragmented digitization and automation efforts. 6.2 says: A preventative maintenance model is out of reach because of a reactive approach, where putting out fires and unplanned changes overburden staff.

To deal with these two issues, the standard covers an enterprise PARA monitoring cycle (Plan, Action, Review, Attest) and a Compliance Monitoring Programme that is based on a user-maintainer preventative maintenance model within the Three Lines of Assurance compliance framework.

 

The next three issues are about a dependency on resources, so I will deal with them together.

 

6.3 says: A dependency on staff doing the right things is a serious vulnerability, as staff in key roles are overburdened and the business is only as compliant as these people are in doing the right things. 6.4 says: The high churn rate of key resources creates an ongoing challenge for ensuring consistency of delivery across the organisation. 6.5 says: The complexity of regulations places a dependency on a level of in-house expertise that is difficult and expensive to maintain, resulting in a level of proficiency in compliance that is constantly on the thin edge of the wedge.

To tackle these three issues, the standard has the objective of creating an expert system within the solution that helps companies move away from a dependency on subject matter experts being personally engaged in the compliance effort.

 

It also covers the need to create what are called Automated Standard Compliance Procedures, or ASCPs, that incorporate preventative maintenance routines for all tasks that are part of the compliance monitoring programme for every entity in the company.

This makes it easier for key resources, and any other users for that matter, who can rely on the system through a desktop feature called MY COMPLY to keep them on top of their obligations.

7. ACCOUNTABILITY FOR OUTCOMES

7.1  Poor clarity and ownership of governance 

7.2  Ineffective performance management

7.3  Myopic mindset of leaders

The last main heading is about ACCOUNTABILITY FOR OUTCOMES. All three issues under this heading deal with governance and are the responsibility of the board and executive team.

 

The first issue says: Clarity and ownership of governance is lacking at the level of each regulatory risk within the organisation – from specific policy details and standard operating procedures down to risk prevention activities and training for each accountable party across the Three Lines of Assurance.

 

The second issue says: Performance management, with rewards for results, is ineffective due to the lack of clarity and ownership, at a granular-enough level, of the outcomes expected within the Three Lines of Assurance model.

 

To deal with these two issues, the solution covers three main areas. The first is about setting up a governance structure with governance controllers at the right level of detailed accountability within the Three Lines of Assurance. The second covers the training that must be created at this level of detail to support the governance controllers, and the third deals with a rewards-for-performance system of attestations, reviews and recognition.

 

The third issue is the most important of all 17 covered in this introduction. It says: Managing change to overcome ongoing business disruptors is the responsibility of the board and executive team and requires a different governance paradigm, culture and values, in which greater short-term investment and sacrifices to the bottom line are championed in order to drive longer-term, more permanent solutions. These embed a new governance paradigm that drives critical reductions in cost, complexity and risk to the business.

 

If companies don't embrace change by getting really good at dealing with all the challenges that change brings, emotionally and physically, then they are at risk of being left behind, like the thousands of high street shops that have closed down because they never saw coming the disruption that the internet and online purchasing would bring about.

 

This introduction focusses on the risk and compliance monitoring aspect of governance, but it fits into the broader approach to change management for navigating the many challenges that are part of moving to the new governance paradigm. It is a top-down model and applies the many learnings from years of dealing with enterprise-wide change initiatives.
