Turning GRC into a Competitive Advantage: Compliance Management
Compliance programs do not typically generate revenue but they can impact the bottom line. Sam Abadir, LockPath’s Director of Product Alliances, explained in a recent webinar how one compliance team became a critical component of its organization. This team used GRC to solve big, expensive problems and turned the burdensome task of complex compliance management into a streamlined and money-making process.
Compliance Management often seems like a necessary and costly evil thrust upon us by regulators and the like. Forward-thinking companies are mastering compliance management, making it efficient and using it to effectively manage their business. This is a case study about a financial institution that went beyond making compliance efficient and effective and turned it into a competitive advantage used to drive new business.
Problems with Manual Compliance Management
Before using a GRC platform for corporate compliance, this company performed these tasks like most companies do, using Microsoft Word, Excel, SharePoint, and email. Like most organizations, this company found the basic process of compliance management difficult and costly. Ensuring that policies accounted for every commercial and regulatory demand and for all the organization’s risks was not a trivial task.
To complicate the process, this company operated in a dozen states and had many clients. In addition to standard compliance requirements, this company had to deal with a dozen state regulations, a handful of local regulations, and the compliance demands of its customers. And it had to demonstrate compliance to these stakeholders, as well as to its internal risk team.
Managing compliance requirements manually required dedicated project managers and compliance managers to develop a series of master documents and child documents, appended by Excel documents. Each individual document and spreadsheet had different levels of privacy and had to be stored in the SharePoint compliance maze.
This was problematic for a number of reasons:
- Compliance managers needing to update documents had to search dozens of locations for files.
- When creating new documents, compliance managers had to identify the place or places they needed to exist.
- Users had to search dozens of locations for compliance documents and updates.
- Out-of-date compliance documents and spreadsheets multiplied throughout the organization.
This complex and seemingly random set of documents made sense to only a few, took many dedicated resources to manage, and required about 50 percent of key senior management’s time to ensure all the moving pieces were in place and, to the best of management’s knowledge, seemingly correct.
Auditing this process was just as complex and required just as many resources. Audit results were often packed with findings. Findings were upsetting to the compliance managers and frustrating or even detrimental to the clients who performed audits. Remediating the findings –- especially with clients — took much of key senior managers’ time away from other value-producing activities.
Overall, this financial institution wanted to rapidly and significantly improve the maturity of its policy management capabilities and operations. The current process:
- Took too many people to manage.
- Took valuable people out of the value creation process.
- Was too difficult to prove compliance with.
GRC for Corporate Compliance and Policy Management
It was apparent that processes needed to be streamlined, automated, and technically managed. In addition to being more efficient, the processes needed to be more effective. Both compliance managers and end-users needed the following:
- One tool to manage their compliance efforts
- Continuous control monitoring
- An efficient and effective way to prove compliance status
- An end-user portal showing only relevant, live documents
- An automated process for compliance, used for business advantage instead of just checking the box
GRC for Audit Management
Beyond a robust compliance management application, the company also wanted a solution that could manage the audit process. The solution was already going to contain all the history of compliance documents as well as corporate controls, incidents, incident remediation and acceptance, risk management, and technology and security compliance — so it would be a prime source of information for internal and client audits.
Ideally, the financial institution wanted a solution that could automatically generate audit work papers and gather the relevant information for those work papers. This would streamline the most laborious part of audit management — preparation and evidence gathering.
GRC in Action
The financial institution found all of the above in the Keylight GRC Platform. Within weeks of choosing Keylight, the company was able to configure a solution, with no coding necessary. The new processes with Keylight were rolled out to the rest of the organization – roughly 700 people across the United States.
Since implementing the new processes, the company has accomplished the following:
- The compliance team has cut days or weeks out of the policy management lifecycle, depending on the policy, via workflow.
- Policy management tasks are automatically sent to participants at the right time in the process. Project management overhead was cut significantly and project managers instantly became more productive, spending their newfound time managing policy lifecycle risk, instead of email.
- This company also cut the number and complexity of compliance documents required using security permissions built into Keylight.
- Keylight simplified the deployment of policies and policy changes. What previously took weeks to deploy and track using email and spreadsheets now takes minutes.
- Users have confidence they are always looking at the most up-to-date policy and set of requirements by accessing published policies in the user portal, instead of using potentially outdated policy and policy addendum documents.
- Policy audits now take policy analysts just days to complete using Keylight, instead of taking weeks with entire policy teams, including senior management. Zero-finding policy audits are now the expectation – in the past this never happened.
GRC for Competitive Advantage
The company capitalized on the following benefits by using Keylight:
- Higher compliance has lead to higher customer satisfaction and expansion of customer relationships.
- Keylight has lead to more effective and efficient compliance, drastically reducing cost. First-year annual savings is estimated to be over $500,000.
- These efficiencies allow senior management to focus on more value-creating activities. This organization now has a higher focus on business expansion activities and exactly the right focus on compliance activities.
- Zero-finding customer audits have had a surprise effect of rapidly growing business. In a competitive marketplace, customers find trust and value in having efficient and effective audits and relationships. This has been a winning and differentiating message when seeking new business.
This business has gone through a significant and somewhat unexpected compliance transformation. What started out as a cost-cutting and efficiency initiative has rapidly evolved into an ongoing strategic initiative and competitive advantage.
For more information on turning GRC into a competitive advantage, watch the full webinar here.
NSCC members face a new compliance requirement: cybersecurity confirmation. It sounds easy, complete a form, but risk is high. Here’s guidance.
Compliance departments are seriously challenged these days. As business swirls in response to COVID-19, compliance has taken a back seat. That can lead to trouble—violations, fines or both—due to missing deadlines. Management, in a questionable move, may ask compliance to do something taboo. Instead of reading a half empty glass post designed to help compliance deal with these challenges, they instead get a half full glass post that is brimming with optimism for compliance’s role during COVID-19.
Learn about how HIPAA Compliance plays a role in protecting against cybercriminals.