An e-newsletter published by Tim Rosa Associates, LLC
  March 2005  Vol. 2, No. 2

Best Practices for Building Sustainable Compliance

Compliance issues have moved to the top of every business’s priority list, as homeland security, privacy information protection, and corporate governance issues have moved to national prominence. Each and every one of the companies we work with faces challenges associated with understanding requirements, drafting policies, documenting internal controls, and enforcing procedures.

In this month’s issue of Focus Forward, our key theme is what we call sustainable compliance—an approach that encompasses these key topics:

For New Subscribers

Welcome to Focus Forward, the monthly newsletter of Tim Rosa Associates. If you like what you’re reading, stay with us. You can also forward this newsletter to a colleague by clicking the Forward email link at the bottom of this newsletter. If you don’t like what you see, go to the same location and click SafeUnSubscribe™.

Each issue of Focus Forward features a viewpoint on a critical customer topic. We’ll focus on what’s happening and what’s coming down the line. These are issues that you’ve told us keep you up at night. Though we work with clients in the technology, healthcare, and financial services industries, we hope the newsletter will be informative to all.

Costs of Compliance

AMR Research released a study that predicts the cost of compliance over the next five years will reach the $80 billion mark. Specifically, the firm estimates that organizations will spend close to $15.5 billion on compliance-related activities in 2005. [1] Regulatory compliance—whether for Sarbanes-Oxley (corporate governance and financial reporting), HIPAA and 21 CFR Part 11 (healthcare), Gramm-Leach-Bliley (financial privacy), or other regulations—must be done. Additional federal legislation, more complex regulatory requirements, and more experienced enforcers will only increase the pressure on companies to ensure sustainable compliance. While some companies have found ways to rely on "borrowed" compliance resources, this is not a long-term strategy. Compliance managers, C-level officers, Boards of Directors, and auditing committees must get back to normal business—without incurring new compliance risk.

Keeping Pace with Compliance

Building sustainable compliance practices isn’t easy, but the rewards are great. According to the IT Compliance Institute, companies that need to find ways to reduce overall compliance burdens, expand the benefits realized during previous compliance activities, and decrease the risks of regulatory infraction can learn from the following best practices.

  1. Set the ground rules for the executive team. A steering committee should represent the senior executives who are ultimately liable for compliance. The committee defines the scope of compliance activities according to their interpretation of the regulations, risk tolerance, and risk-response evaluation.

  2. Formalize compliance roles. If you value the experienced compliance staff that got you through a compliance push, demonstrate your commitment to them. The dynamic job descriptions for many compliance officers should be formalized to include functional descriptions, performance goals and incentives that align with your company’s business objectives.

  3. Define efficiency "sweet spots". Overlaps in specific processes are often fertile ground for new efficiencies. Define and compare goals across functional areas in your business and technology processes. Seek to eliminate redundant systems, align incompatible processes, or implement new processes, especially where they affect multiple systems.

  4. Simplify, simplify, simplify. Complexity is the devil of compliance. Confused data architectures and IT infrastructures hinder the development of reliable, repeatable, and scalable compliance practices; they also require more effort and expense every step of the way. Compliance and IT management should pursue every opportunity to standardize, centralize, and simplify complex technology environments.

  5. Make compliance an integral part of your business. In the rush to meet specific regulatory deadlines, compliance has often been treated as a series of discrete projects. To remain effective, however, compliance must become an integral part of business processes across the enterprise. Training is essential. According to a recent report by the Masie Center, organizations are reporting increases from 10% to 48% in the amount of training that is being delivered due to compliance requirements. [2]

  6. Automate processes. Industry analyst Gartner, Inc. expects companies to spend almost $7 billion on corporate-governance software in 2006, more than twice the outlay in 2004. [3] Manual processes made sense while companies were defining internal controls and financial reporting processes. However, a new wave of change management, documentation management, and information security solutions promises to reduce the costs of defined compliance processes and allow internal resources to return to their regularly scheduled programs.

  7. Plan ahead. The winds of change are always blowing through business. Adhering to governance frameworks and standards, simplifying architectures, and investing in flexible automated solutions help companies absorb change with ease. At the first sign of new regulations, initiatives, process and technology changes, and major business events, compliance managers should also incorporate compliance requirements into the planning process.

  8. Perform self-assessments. Internal auditing groups must continually help to develop, evaluate, and remediate internal controls to sustain compliance practices. Auditors and compliance managers must play key roles in choosing financial control automation and documentation software.

  9. Communicate. Communication might be one of the stickiest challenges in building sustainable compliance practices. Collaboration among newly formed groups on unfamiliar topics, the need for ongoing training, and even a shift in the way process owners think about their jobs in relation to compliance, are all potential areas for miscommunication. Everyone involved in the compliance effort must strive to communicate effectively about governance expectations, processes, and responsibilities. Technology will not overcome every communication challenge, though collaborative project management software, formalized collaboration processes, e-mail, and instant messaging can help. Where practical and necessary, face-to-face meetings can work wonders too.

  10. Measure and monitor. One of the most surprising trends in compliance is the failure of companies to measure the value of their compliance investments—even through dedicated compliance budgeting. This is not a sustainable practice. As the old adage goes, “You can’t be accountable for what you don’t measure.”

Documenting Compliance

If you’re reading this, your company is probably facing stringent state, federal, and global regulatory compliance requirements. At Tim Rosa Associates, we have the insight and experience to help pharmaceutical, biotechnology, life sciences, financial services and technology companies satisfy the compliance documentation requirements of the U.S. Food and Drug Administration (FDA), other global regulatory agencies in Canada, Europe, and Japan, and the U.S. Securities and Exchange Commission (SEC).

Our compliance specialists work with you to understand the regulations in the context of your business—the people, process, computer software, and hardware. We work with members of your compliance team to:

  • Analyze and improve current business processes.
  • Develop new, more efficient processes.
  • Standardize documentation development.
  • Document internal procedures.
  • Create systems to facilitate document review and collaboration.

Summary

Many companies have successfully met early milestones for compliance requirements, largely driven by the realities of federal enforcement, penalties, and sanctions against those who do not comply. The challenge now for these companies is to build upon these initial successes and find ways to sustain compliance for the long haul. Without a long-term compliance strategy, companies will not be able to afford the cost of compliance, which poses the greatest risk of all—the survival of the business.

Notes

  1. http://www.amrresearch.com/Content/View.asp?pmillid=18086&docid=12373.
  2. Masie, Elliott. Learning TRENDS #304, Feb 15, 2005.
  3. Corporate Governance Spending Disrupts Software Purchases, November 2004, http://www.gartner.com/.

Resources

Learn More

Tim Rosa Associates specializes in helping technology, healthcare, and financial services companies meet rigorous compliance requirements. From Sarbanes-Oxley to ISO 9001:2000 to 21 CFR Part 11, we have the expertise you need to address critical compliance requirements. You can learn more about our capabilities at www.timrosaassociates.com/L1_services.html. As you look for ways to sustain your compliance efforts, let us help you review the best practices and see which ones can support your business.


Thanks for reading,



Tim Rosa
Founder

Copyright © 2005 Tim Rosa Associates, LLC. All rights reserved.