Compliance is a hot topic. Compliance is the certification or confirmation that the doer of an action (such as the writer of an audit report), or the manufacturer or supplier of a product, meets the requirements of accepted practices, legislation, prescribed rules and regulations, specified standards, or the terms of a contract.
A recent survey found that the Top Five Compliance Trends globally are:
• Creating a culture of compliance
• Increased investment in compliance operations
• Keeping pace with changing regulatory landscape
• Monitoring Third Party Risk
• Encouraging whistle blowing activity
Another survey on the most important topics in compliance for SMEs found that social media and compliance risks were the top priority for 45% of SMEs, with cyber security and cyber crime next at 39%, and creating and maintaining an ethical culture close behind at 33%.
Social Media and Compliance Risks
There is a complex regulatory landscape regarding social media, with recent regulatory rulings in the US and UK. Many companies find it challenging to manage and comply with multiple regulatory agencies, differing interpretations of regulations, and varying degrees of guidance on regulatory compliance. One expert commented, “Make sure that you comply with extant requirements; file regulatory claims and suspicious activity reports; make sure that you get the Consumer Financial Protection Bureau involved; and make sure that your complaint process is well vetted and well thought through.” An effective social media risk compliance program should not differ significantly from other compliance risk management programs.
A compliance risk framework should include:
• Proper governance and oversight
• Policies and procedures
• Risk assessments
• Risk monitoring
• Metrics and reporting
A compliance risk framework is designed to serve as a “safety net” to identify and capture emerging risks that could negatively impact a company’s financials, reputation and systems. As an SME owner you should:
1. Consider how social media activity can expose your organization in terms of business, regulatory, legal and market risks.
2. Expand existing risk governance structures and activities to include social media activity. Define risk tolerance levels and acceptable use policies and have in place effective means for issue escalation and crisis management where necessary.
3. Establish advanced social media monitoring tools and technologies. These enable the risk organization to: collect data from various social media sources; analyze unstructured data (such as information about customer sentiment) to enhance monitoring; provide insights into the company’s overall risk situation; and measure social media risk exposure against the institution’s risk appetite.
4. Enhance existing performance management capabilities to analyze and act on the metrics delivered by monitoring activities.
5. Engage in enterprise-wide change management activities to create a more risk-aware culture.
Cyber Security and Cyber Crime
Cyber attacks are a tidal wave waiting to hit SMEs, partly because SMEs are unaware of the risks they face and also because cyber crime is relatively easy, and very lucrative.
One security expert recently stated that “There’s a lot of great talk, but most SMEs do nothing about cyber-security. It’s shocking.” SMEs can learn from cases such as TalkTalk and Sony, which suffered the reputational and financial impacts of attacks. Millions of consumers share their data with SMEs every day, and most large companies work with SMEs in their supply chain. This makes SMEs very attractive targets for criminals looking to get hold of valuable data, whether corporate or personal.
SMEs don’t tend to have the same level of security in place as their larger counterparts, and threats are continually evolving. SMEs often don’t feel they can afford such investment, but the truth is that some security measures can be taken without significant cost. Some tools are available for free online, such as https://ico.org.uk/for-organisations/improve-your-practices/data-protection-self-assessment-toolkit/
Even if certain regulations are aimed at large businesses and SMEs are not held accountable to them, it is still better to comply. Compliance can be a painful process for SMEs: it can be time-consuming and costly, and the Data Protection Act and the PCI-DSS payment card regulations in particular have been criticized for exactly this. There should be no avoiding compliance. Even if it does not necessarily lead to better security, what it will always do is protect relationships with larger partners, and this will make your SME less attractive to a hacker.
Creating a Compliance Culture
Scandals demonstrate that compliance and ethics cultures are still lacking in many organizations, and without organizational commitment to compliance, policies and procedures are merely documents. Examples such as the continuing FIFA situation demonstrate how a corrupt culture can pervade an entire organization. Other incidents can be attributed to management, such as Volkswagen’s emissions cheating scandal.
If one rogue employee’s behavior can cause significant damage, a culture of compliance may seem unattainable. However, a real-life culture of compliance makes so-called “rogue employees” much less likely. In fact, one compliance expert has argued that a rogue employee is often the symptom of a poor ethics culture: “such unethical conduct is ‘predictable in organizations which allow dysfunctional, conflicting or incongruent elements of their organizational system to take hold.’” Strategies for building a culture of compliance are:
Top Down: Start with leadership. If senior management does not actively support and cultivate a culture of compliance, a company will have a paper compliance program, not an effective one.
Align compliance with enterprise risk management: Compliance programmes should address the risks that arise in each strategic area.
Train and test: Companies should invest in employee training that explains corporate policies, as well as what behaviour is unacceptable. Training should be ongoing, with regular policy review and employee assessment. Investing in an effective compliance programme is not cheap, but it may mitigate the unlimited costs of noncompliance.
Incentivize ethical behaviour: Incorporate it into performance reviews. If compliance is tied to compensation, employees are much more likely to learn, adhere to and incorporate policies.
Don’t ignore compliance mistakes: Mistakes that occur once are likely to occur again, so analyze the incident to help others avoid repeating it. Be aware that a violation may indicate that a policy needs to be modified. Furthermore, businesses should be willing to discipline employees who violate company policy.
Put effective technology in place: Spreadsheets can only go so far in tracking compliance before scalability and reliability become a struggle. Compliance technology solutions can alleviate much of the burden of creating a program that is consistent and repeatable.