COVID-19 has impacted virtually every aspect of our lives. Compliance pros may be wondering whether and how corporate compliance will ultimately be affected. Mark Delgado, Mitratech’s Managing Director of GRC, offers insights into how companies can meet compliance mandates as they emerge from COVID lockdowns.
Once the planet has passed beyond the uncertainties of this outbreak, when the business world is on surer footing, what will corporate compliance look like? Will the systems and processes behind compliance be truly and deeply transformed, or will we return to the familiar, pre-pandemic ways of pursuing compliance?
I think the answer begins with the fact that the business world has changed dramatically, and it will probably never return to what was once “normal.” That normality was under threat before anyone ever heard of wet markets or pangolins; remote working in the U.S., for instance, had increased by 159 percent between 2005 and 2017, according to an analysis of census data. In that regard, the pandemic has fast-tracked a change that was already underway, though this acceleration was akin to instantaneously going from a slow walk to the speed of sound.
Processes, methodologies and previous “best practices” are no longer fit for purpose in this new scenario. One of the greatest shocks of the pandemic has been the sheer uncertainty it has generated for nearly everyone. This reminds us of a simple fact: Uncertainty and risk have always been with us, and there will be times when it’s difficult to temper them. We can only try to be ready for the inevitable unknowns by putting the right solutions in place to mitigate their pain and impact.
So, in the post-pandemic compliance environment, it’s safe to assume we’ll see more rapid adoption of new approaches and, significantly, new technologies, as companies pursue ways of ensuring “compliance continuity” during disruption. There are two key areas where that will especially manifest itself: policies and procedures management and information governance.
Policy and Procedures Management Will Be Automated
When offices were shuttered and workforces sent home to become more familiar than they had ever intended with Zoom and household disinfectants, there was an immediate need for quick changes to corporate policies and procedures. Drafting, implementing, communicating and getting attestation to these is hard enough without now having the workforce turned into a largely distributed, virtual network. The uncertainty mentioned above is yet another factor to be reckoned with: It’s very, very hard to predict future developments, so policy and procedures management becomes even more difficult, but ever more essential.
Where policy management had previously been carried out using mostly hands-on systems, reliant on manually dispatched emails or, quite literally, walk-arounds, that’s clearly impossible today. Not only is this manual compliance expensive and inefficient even in the most settled times, it has now become defunct, giving way to more automated solutions.
Using an automated system provides benefits for all involved.
Firstly, policy owners and compliance stakeholders can collaboratively draft and approve policies that are bespoke for employees or groups in specific roles, communicate them easily and comprehensively, employ automated follow-ups and escalations and record attestations in case of audits.
Secondly, employees get to interact with purpose-built systems with easy-to-use interfaces, ones they can trust to provide them with only the current version of the instructions they need to follow and where they will reliably receive future updates.
Finally, compliance and operational leads gain visibility, in real time, into the policy compliance of the workforce regardless of how widely it’s been scattered.
Information Governance Will Be Required – And It Will Require New Tools
Regulatory compliance will not become any less of a challenge for companies in a post-coronavirus world. That’s made clear by the fact that regulators have, a few exceptions aside, not chosen to retreat or delay implementation or enforcement of regulations around data privacy, or financial services operations, or any other codes or laws that might come to mind.
Thus, information governance becomes more urgent than ever before for organizations that now have to contend with remote white-collar workforces. In this world, data and information that’s pivotal to their operations is being accessed and manipulated and shared everywhere but inside the reassuring four walls of an office suite – or the firewalls of their corporate IT network.
There are two fundamental information governance technologies that we will see forward-thinking organizations turn to with increasing frequency, driven by lessons that are being reinforced in earnest by the current situation. Each of them will serve to support an enforced information governance framework, which will be vital to satisfying the data privacy and general confidentiality demands of regulators and customers alike at a time when so many employees work from home or other remote locations.
The first of these is a centralized digital repository for warehousing personal data and controlling and auditing access to it, as well as to other mission-critical documents or material. Enterprises already capture and generate vast swaths of data on terabyte scale, so collecting, collating, analyzing, securing and then deleting data at its mandated expiration point is beyond the viability of manual efforts.
Enterprise content and information management systems allow easy creation of comprehensive inventories of these assets. They often also provide electronic discovery, analytics and other powerful management tools to aid compliance monitoring and enforcement.
The other cornerstone technology? A “shadow IT” management solution. Even in ordinary times, there are large numbers of spreadsheets and other data assets that are the product of end-user computing (EUC), where employees use personal systems and applications for their day-to-day work. These are outside the purview of corporate IT departments, but they are often essential to business operations. Poor data, broken formulas, links to outdated external data and many other issues typically exist in these EUC assets, resulting in dramatically increased risk and disastrous consequences for the organization.
As workers take to remote locations, it’s apparent how EUC-related risk can increase markedly. By using a tool capable of discovering, monitoring and automatically conducting risk assessments of these assets without disrupting employees’ work, even when they’re remote, the enterprise can largely mitigate these risks.
These two technologies should not be seen as disparate solutions, but as components in a truly end-to-end strategy for modernizing information risk management.
There is an even larger goal we can pursue, however: evolving the way we approach compliance continuity planning and execution so we’re not caught on the back foot again by disruptions like the one we are living through today.
The Path Toward Compliance Continuity
This thrust toward more robust and agile compliance continuity (part of an overall movement we call business continuity transformation) is much like digital transformation, which has helped organizations evolve at breakneck pace over the last several years. This transformation of compliance will extend from “the boardroom to the break room,” affecting the ability of everyone in the enterprise to quickly pivot to sustain business as usual in the face of disruptions – or, let’s not forget, opportunities.
There’s no road back to the status quo that existed for companies before the advent of COVID-19, so we should instead be intent on the road ahead. By implementing these and other related new technologies in support of a more robust model of compliance continuity, that road can be considerably smoother and more secure.