Process compliance ensures that the company’s policies and procedures are designed to comply with internal and external policies
Process Compliance is Critical for all Businesses
Regardless of industry, the compliance function is responsible for ensuring that the company’s policies and procedures are designed to comply with internal policies and applicable laws and regulations, and for ensuring that those policies and procedures are followed. There’s a lot more that goes into compliance management, of course, but that’s the essence.
Pressures On Compliance Professionals
In addition, the scope of a compliance professional’s purview continues to evolve as corporate boards and executive leadership teams are forced to deal with new threats and pressures, often looking to the compliance function to provide guidance. Meanwhile, the decisions compliance professionals make need to remain “business-friendly” with as little impact on revenue and growth as possible.
Compliance professionals today must focus on addressing a striking array of compliance issues, including:
- External issues like Sarbanes-Oxley, ISO Standards, the Gramm-Leach-Bliley Act, HIPAA, SEC, FINRA, etc., which require deep knowledge and ongoing, sometimes difficult, education and re-education of employees.
- Internal issues like change management, training and education, reporting, building a “compliance culture,” monitoring and auditing, etc.
- Industry changes that seem to cause constant policy amendments and additional risk for the organization.
Using Consultants
To help compliance professionals address many of these issues, organizations will often engage consultants or internal subject matter teams to interpret legislation, devise risk mitigation strategies and create best practices. The typical outcome of these engagements is a comprehensive, and sometimes formidable, framework to implement.
But what happens after the project or consulting engagement is over? In many cases, these same organizations, with or without the assistance of a contracted consulting firm, will attempt to implement the framework for the organization’s employees to embrace. If successful, new processes are implemented, checklists distributed and escalation procedures published. After the roll-out of the new, compliant processes, how do you:
- Monitor the controls that have been put in place to mitigate compliance risk?
- Ensure employees are accurately initiating the correct processes, following the checklists, and making the right decisions?
- Demonstrate the performance and impact of the new processes to the board or executive team?
Automating Process Compliance
Since many of these new processes rely on limited but entrenched tools like email, static process maps and spreadsheets, it is hard to know whether what should have happened actually happened. The key to eliminating guesswork is to embrace workflow automation to enforce process-level compliance.
By leveraging workflow automation, compliance professionals can not only lower the risk of non-compliant behavior but optimize the expected return on an organization’s compliance strategy, planning and training investment. In the following pages, we will review the elements of automating your compliance process infrastructure.
To properly automate process compliance, four elements must be present:
- Structured Information Collection
- Rule-Based Routing & Notifications
- Process Transparency
- Self-Generating Audit Trails
Structured Information Collection
What information do you need to start the process?
When an organization depends on a loosely structured format like email or spreadsheets to collect information, it runs the risk of the employee self-editing out valuable information. The lack of structure in gathering information typically results in costly rework or critical decisions made on incomplete information.
By automating the collection of information in an interactive form, the employee completes a list of structured questions that captures the exact information needed to evaluate the event.
By using standardized, consistent online forms to gather information, process owners ensure:
- Complete information is provided. Gartner's definition of BPM mentions that "Complete information is provided before and during a process lifecycle." Required fields prevent employees from skipping critical data points.
- Standard, actionable data is provided. Using dropdown lists, radio buttons, field-level validations, etc., process owners can ensure the data is standardized and can be acted upon and reported on.
- Exceptions are recognized and handled appropriately. By routing tasks and information (see next section) based on data provided in forms, the information does not fall through the cracks because of exceptions.
No one likes filling out forms, but if the forms are straightforward and smart, including things like skip logic and data lookups, users don’t have to think as much and come away feeling like their request will be well-handled.
Rule-Based Routing & Notifications
Process Routing — Who needs to be involved?
Depending upon the goal/purpose of a process, several people may be involved at some point in the related workflow. Handling the flow of information via emails, phone calls, shared documents, messaging, etc. can greatly increase the time a process takes as well as the potential for missed hand-offs, improper routing, and confusion.
Once a process begins, hand-offs should be automated based on pre-set organizational rules that ensure compliance. Some typical reasons for hand-offs include:
- A request must be approved to continue on in the process. Depending on the nature of the process, single, multi-tiered or parallel approvals may be required. These approvals may allow the process to continue down a specific path or loop back to an earlier part of the process (e.g. “More information is required.”).
- Information needs to be routed automatically based on information supplied using “if/then” logic. For instance, a condition is met by a field selection or combination of selections within a form and the process routes accordingly (e.g., an entered dollar amount is greater than X or the selected location is X, etc.).
- The original information provided must be enriched by someone else to provide further clarification or additional, actionable information.
- A human decision is required. Rather than automating a decision based on supplied data, a judgment call must be made by a key employee. The process continues based on their selection. For instance, “Who should a task be assigned to based on availability?”
Leveraging built-in conditional rules to address routing ensures the proper people are always informed and escalations occur automatically. It will also later be critical in showing an audit trail of what was supposed to happen vs. what actually happened.
Alerts & Notifications
During the execution of a process, compliance notifications provide an impetus for action. Notifications are a critical part of ensuring a process continues as expected when human action is required. This is done by triggering notifications at key points in the process to stakeholders who must either take action or be informed of current status. Automated notifications allow process owners to have confidence in a process operating as expected, knowing that workflow safeguards are in place.
Notifications can be event-based or time-based. For instance, a form submission can immediately trigger an email notification to the person who has to approve a request. The notification can be repeated at set intervals (or escalating intervals) until the approval is supplied or rejection is issued. In some cases, if a process is stalled beyond a pre-determined threshold, additional triggers can be activated, for instance notifying an alternate approver and the process originator.
Rule-based routing and notifications are extremely useful when it comes to handling tasks like reviewing and approving exceptions to an organization’s code of ethics, reviewing marketing materials, handling pre-trade clearance when required for investment advisers, and more.
Process Transparency
Where are we in the process? What’s next?
Because a process can operate across various business units/departments with multiple hand-offs and stakeholders, typically no one individual will have the responsibility for tracking the event through its lifecycle. Due to this lack of clear ownership, the probability of information being lost or held up somewhere in the process grows significantly.
The possibility of losing information or hitting bottlenecks increases even more in large, geographically dispersed organizations. Step one is usually publishing the process flow publicly for all staff. Usually this means providing static documentation and flowcharts that show an entire process from beginning to end.
However, providing centralized, real-time visibility within an active process allows the individuals vested in the outcome of a process to quickly ascertain the current status of a project and act accordingly.
Perhaps just as important as seeing where things are currently is seeing what’s coming next. Especially in a complex process, process stakeholders want to know what yet needs to happen and who is involved for a process to complete. For instance, someone who has submitted a capital expenditure request for a new plant construction may need an estimate on final approval so they can provide a vendor with likely construction start dates. If they have a good idea of what internal approvals are yet to come, they can provide a more accurate estimate.
In addition, a transparent process and status give employees the confidence that their needs are going to be met and they can focus on value-added work rather than checking in and requesting updates.
Self-Generating Audit Trails
In today’s corporate environment, the need to know the outcome of any given event will typically exceed the actual life of the event by many years. Asking people to recall exactly what actions were taken, and by whom, even weeks or months after they occurred can lead to inaccurate information. In addition, depending on who the audit request is coming from (a government agency, the board of directors, legal counsel, etc.), hearsay may simply not be sufficient.
Planning & Executing a Compliance Process Improvement Project
The Importance of Documenting Compliance Process Steps
Whether it is a need to prove proper due diligence was followed to assist with an investigation or to determine if an inquiry was handled appropriately for internal quality review, the need to maintain complete audit trails of events and activities has become an essential part of day-to-day business.
When a workflow application automatically self-documents the process steps an event follows, it eliminates the need for:
- Someone to manually maintain a spreadsheet of events and activities.
- The retrieval and organization of old documents from disparate applications.
- Post-mortem interviews to obtain specific times and dates. (Note: Post-mortem interviews are still valuable for more subjective information.)
- Digging through old emails from multiple inboxes and individuals.
- Sorting out conflicting accounts of events from stakeholders.
Being able to turn over an automatically generated process audit trail has saved organizations a great deal of time and money in addition to fostering goodwill among auditing agencies.
As today’s business leaders address the need for internal process compliance and best practices, many will look to external consultants or internal subject matter experts to define them and will depend on workflow management and process automation applications to enact them.
The benefits of using an automated system to ensure compliance are numerous. To meet your requirement to have a compliance program that is reasonably designed to achieve compliance with applicable laws and regulations, be sure your system is built around the following elements.