All businesses, regardless of their size, industry, or geographical location, have one thing in common—the increasing number of regulatory requirements they abide by.
Why Such an Increase in Regulatory Pressure?
There are multiple reasons for this regulatory superinflation, with the official and most commendable reason being, of course, the protection of the end customer. Protection of the customer’s health for EH&S regulations, protection of its proceeds for financial regulations, protection of its private and personal information for privacy regulations, and so on.
Nevertheless, it seems that creating a regulation is also a very simple response from government to public pressure. There is a clear correlation between public scandals or distrust campaigns and new regulatory bodies being created to investigate, regulate, and organize the life of economic actors.
By their own admission, this is also perceived by many political leaders as an easy option—investment is rather minimal (creation of a bill and organization of a regulatory body) for a usually positive return. Indeed, whenever a new regulation is published and applied, fines are most often levied. And most importantly, the public’s reaction is frequently quite positive since it shows leaders are finding solutions and, if companies don’t comply, they’re the ones who will be blamed.
I won’t get into a debate in this post on whether this type of deflection tactic is successful or not—although I’ll just say that someone at the end must pay for the application of all the regulatory requirements by the businesses. (This is why product and service fees regularly increase—to take this into account.) But today, I’d rather focus on trying to propose a few options for companies to reduce this burden on their organizations.
Map, Rationalize, and Automate
Interestingly, many new regulations have requirements that are similar to previous ones or to legislation in other countries in which the organization might operate as well. Unfortunately, under the sheer pressure of ensuring complete compliance, the faster option always seems to be to create a set of controls and roll them out to the business.
But this has a direct cost, including documentation of the control, assessment of its effectiveness, review by second or third lines of defense, and more. It also has an indirect cost—compliance fatigue. If the first line of defense is asked the same (or very similar) question many times, then there is a high chance that they’ll either stop responding or simply copy previous responses without reviewing the context.
Before documenting new controls, I really think that it’s worth the investment to review the existing controls—centrally but also locally—and see if some can be reused or enhanced to cater for the new requirements.
Also, it’s always valuable to spend some time assessing which ones can be automated. This way, the pressure is removed from the first line and put on an automated system that can handle it.
Turn It into a Competitive Advantage
Whenever a company is fined for noncompliance, its name is mentioned in the newspaper. As a result, there doesn’t really seem to be a winning strategy for companies. But what if they turned this into marketing positioning? The fact that a company is compliant with regulation A or B is typically only mentioned in the annual report—which end customers rarely read. Regulated companies take it as a given that customers don’t care much about compliance, but I’ve seen many examples demonstrating the exact opposite.
Customers today are very much aware of regulations and do take this into account when giving their business to a company. I personally believe that companies can turn the sheer number of regulations they have to comply with into a positive aspect. Financial results are not the only criterion showing that a company is sustainable. The fact that it complies with so many regulations in itself shows how organized and sound it is.
Whether we like it or not, regulatory inflation is the new normal. New regulatory bodies are regularly set up and, to be credible, have to audit organizations thoroughly.
To ensure a win-win situation, I have one last thought: What if both regulatory bodies and organizations worked together on the explanation of the regulations and what is done about them?
The public is eager to ask for protection, but is also able to understand (and sometimes maybe even challenge via the electoral process) decisions to enforce new laws that durably impact the economy.
Do you have any other suggestions on how compliance efforts can be turned into a positive factor?
I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard
For more on GRC-related topics, be sure to follow and read the GRC Tuesday series.