Projects and initiatives tend to be focused on sales, marketing, operations or product development. Risk and compliance tend to be reactive, undertaken only in response to something going seriously wrong.
Compliance by design is moving from reactive to proactive by committing to governance at an organisational level. This means designing products, policies, procedures and systems which comply with your obligations from the very beginning of the project.
You don’t need a big budget increase or more resources for each project to do this. Using a risk and compliance system like clrHorizon provides the framework to ensure obligations are understood and can be evaluated when determining project scope. This provides multiple opportunities for ongoing incremental and proactive improvement in risk and compliance.
What it does require is discipline in following a risk-based approach to delivery, taking into account the relevance of obligations to the scope of the initiative, their associated risks and the opportunity to design and implement new or improved controls to reduce these inherent risks. By making these small iterative decisions along the delivery path, you can actually reduce the overhead of compliance management by baking it directly into the foundations of each initiative.
The first step in implementing ‘compliance by design’ is understanding the obligations that you need to comply with and their associated risks. Obligations can come from multiple sources, such as:
Individual obligations have different consequences if you breach them, including reputational damage, heavy fines, loss of licence and sometimes imprisonment. These are your compliance risks: if you don’t know what your obligations are, you could be massively exposed both professionally and personally.
The second step of ‘compliance by design’ is analysing your obligations through a planned risk project scope, taking the time to identify simple regular actions you can implement to prove you are being compliant and reduce the overall organisational risk by implementing well-designed, practical and achievable controls, not just words on paper and a signature from someone important who used to work at the company. This means making a fundamental shift from statement-based to evidence-based
The third and final step of ‘compliance by design’ is effective and ongoing monitoring of the performance of your controls, including attestation activities, assurance reviews and regular internal audits, as well as registering incidents against their related risk and/or associated obligation. This gives you real-time risk assessments to determine whether your controls are operating within expected risk tolerance or whether there is a systemic control breakdown.
Using an Integrated Risk & Compliance Management System such as clrHorizon gives you the tools and framework you need to Plan, Implement, Monitor, Live & Breathe an effective organisation-wide compliance by design program.