PwC just published its 2018 State of Compliance report, and said the future of effective compliance lies in better analytics for real-time monitoring and risk management. That’s not news.
Earlier this spring, several groups also published surveys of the internal audit industry, and said the future of effective internal audit lies in better analytics for real-time monitoring and better risk management. That’s not news either.
Both professions reaching the same conclusions at the same time — that’s the news. It raises important points about how compliance, audit, and other risk management functions should craft technology strategies for the future that’s coming.
For example, the PwC study polled 825 compliance executives and flagged 17 percent as “Leaders” with strong compliance functions. Yes, those 17 percent identified themselves as leaders, but they still shared certain traits about IT usage. They were much more likely to use dedicated GRC software, dashboards, and continuous monitoring tools.
Leading audit functions (they like to call them “agile” functions) are doing the same thing: collecting lots of data; building analytics tools to find weaknesses in business processes that might undermine risk management or compliance; and then leave those analytics tools with operations executives so they can monitor those risks themselves.
Does that mean we’re heading to convergence of compliance and audit, where effectiveness hinges on your ability to develop compliance risk metrics and monitor them continuously? Not necessarily; internal audit, for example, would never develop ethics policies, and compliance would never manage the financial statement audit.
What is likely: we’ll see experiments with shared services, automation of processes (compliance processes, audit procedures, business processes — you name it), and risk metrics that can be monitored in real time.
That has a few implications for compliance and audit executives alike, if you want to push your program into those leader-like categories.
First, you’ll work even more closely with other business functions, to understand their business processes and embed compliance or risk controls into them. PwC phrased it: “In an environment with ever-changing threats, perpetually rescoping compliance focus and keeping compliance policies and activities up-to-date are paramount, and made much easier with the aid of technology.”
That point could easily apply to, say, Know Your Customer processes for anti-money laundering or trade sanctions compliance. How could you embed those controls into customer onboarding? What data would you want to collect about them? It’s always easy to say, “More analytics!” — but exactly what would you want to analyze to determine effectiveness? And could you leave that analytical tool with the directors of customer onboarding, to help them while you let them “own the risk” the way best practices say they should?
Questions like that are what compliance officers will need to be able to answer, if they want to lead strong compliance programs in the future. The answers drive not only toward how compliance departments can add value; they drive toward how strong risk management is a strategic advantage for the whole enterprise. That will only become more true in the future, because there’s only going to be more risk coming.
All these surveys, approaching from various angles, point to the same basic direction for risk management in the future. Compliance officers need to embrace that path and convince others to do the same — because, sooner or later, the future always arrives.