Image by: KingJC, ©2015 Getty Images

As I mentioned last time, the increasingly complex and evolving regulatory landscape is pressuring chief executive officers (CEOs) to increase the scrutiny on their own compliance and risk management strategies. Not to do so equates to potential high costs in lost revenue, penalties and fines, as well as critical damage to the corporate reputation.

The penalties for failing to meet regulatory standards are very real. Some of the largest settlements in recent history include Bank of America’s $16.7 billion payout in 2014, followed by Citi’s $7 billion settlement and JPMorgan Chase’s $13 billion deal in 2013. The vulnerabilities within an organization aren’t letting up either. Just this year alone, high-profile data breaches include last month’s VTech hack, Ashley Madison, Anthem, Premera BlueCross BlueShield and the IRS.

Given this hotbed, regulatory climate, attention is falling on compliance management and measurement like never before. According to Gartner Research Director Jeffrey Wheatman, “Increased focus on the policy implications of the regulatory environment, regulatory change management, controls automation, and case and incident management are now at the forefront of organizations' governance, risk and compliance (GRC) strategies.” It’s no wonder why when you look at the complexity of the regulatory environment, which certainly isn’t abating, as shown in Figure 1.


In fact, Forrester Senior Analyst Renee Murphy and Analyst Nick Hayes predict, “The next five years will see dramatic shifts in the business environment as well as the expectations for [compliance and risk management] functions. To put yourself in a position to succeed, you need to be able to respond to these new challenges by taking on greater visibility, a broader scope, and more significance in your organization.”

One of these challenges in a dynamically shifting marketplace is multi-jurisdictional requirements, especially given the growth of global commerce. The pursuit of centralized, holistic compliance strategies are only further complicated by how overall policies impact each location or regions in the world. So, how do compliance, risk and security professionals answer these challenges, protect the organization and boost business performance? This is indeed a good question, as some of the biggest barriers to effective compliance and risk programs are insufficient education and training. The battle over ownership of work rages on in many organizations at this very moment, but the reality is that your compliance policy is only as good as how often you check it.

Interested in joining information management leaders to discuss these pressing issues and more? Join your peers at the DOCUMENT Strategy Forum, May 10-12, 2016, in Chicago!

Achieving user engagement is best helped when the message is communicated from the top. Yet, on a more intuitive level, it really has to do with the corporate culture. According to Forrester, there are three dimensions that create organizational culture: artifacts, values and assumptions (see below figure).


The culture of an individual enterprise often varies greatly, even within the same industry sectors. From the risk profile, to size, to resources allocated, each of these characteristics of the organization presents different challenges in order to meet our legal and regulatory obligations. It’s the job of compliance and governance professionals to distill these highly technical obligations into a set of principles that are easily digestible and applicable to the general workforce. Perhaps 100% engagement is an overly optimistic goal, given human nature, however, achieving substantial compliance offers us the assurance that, most of the time, we’re getting it right.

In order to “get it right,” we must:
  • Understand the current legal and regulatory requirements with real implications for your organization, industry and marketplace
  • With the help of your legal counsel, formulate actual, achievable expectations of your compliance program
  • Present a clear gap analysis of current state and future state of your compliance program to executives, determining root causes for deficiencies
Beyond the development of education and training, creating risk and compliance frameworks, unique to the individual organization, is a great step to approach regulatory and legal obligations from a unified, centralized and strategic viewpoint. Offering a high-level perspective of the compliance program forces us to examine our first line of defense and what it means to have effective control, what those controls are, monitoring of that control, what an effective compliance process looks like and where it fits into the compliance framework as a whole. An example of such a framework is the unified compliance framework (UCF), as shown in the below figure.


“While building a UCF is complex and has a lot of moving parts, it sets the stage for taking a more coordinated approach, becoming more efficient and giving yourself the breathing room to be strategic about compliance,” says Joe Shepley, vice president and practice leader of Doculabs.

Without approaching compliance and risk management from a highly strategic manner, and instead, as a long check list of requirements, the danger lies in reducing information governance to a pure science, when it’s really as much art as it is science. Where an organization is most at risk for breaches, what compliance measures are needed or what translates into a specific policy or rule are partially driven by a particular line of business, jurisdiction or culture of the individual organization. It comes down to the particular application and/or practice—it comes down to people.


This article borrowed discussions from the DOCUMENT Strategy Media Information Management/Governance Focus Group. We’d like to thank these professionals for their thought leadership, time and efforts in the advancement of information management and governance. Any views or opinions presented are solely those of the author and do not necessarily represent those of the Information Management/Governance Focus Group or their employers. Information therein is not representative of any one company, industry or product, and any similarities are strictly coincidental.

Information Management/Governance Focus Group Members are:

Tom Serven
Vice President, Enterprise Data Governance and Management
State Street

James Kennedy, CRM, IGP
Manager, Records & Information Management
Tallgrass Energy

Jason Howell
Manager, Information Governance
Washington State Department of Ecology

Courtney Stone, CRM
Manager, Records and Retention
AMOCO Federal Credit Union

Mark E. Fackler
Business Systems Coordinator, Midstream
Phillips 66

Allison Lloyd serves as the editor of DOCUMENT Strategy Media. She delivers thought leadership on strategic and plan-based solutions for managing the entire document, communication and information process. Follow her on Twitter @DOCUMENTmedia.

Most Read  

This section does not contain Content.
0