Regulatory risk is a top concern for business owners today. The federal government and other governing bodies have become more active in setting up and determining policies for businesses since the financial crisis. And it’s not just those in the financial sector that are affected.
The sheer volume and complexity of some of these rules is daunting. Plus, they can change quickly.
Laurence Talley, CPA, CIA, senior director of Risk Advisory Services at BDO USA, LLP, says that these regulations to enforce risk management and mandate controls are an effort to better protect consumers.
“But there’s a constant battle between being efficient and complying with what’s required,” Talley says.
Smart Business spoke with Talley about compliance risk and how to manage it with internal controls and other tools.
What exactly is compliance risk?
There are four basic types of risk — financial, operational, compliance and strategic — all of which are mitigated by internal controls. Compliance risk is an organization’s ability to adhere to rules, regulations, policies, procedures, laws and mandates. Some industries are more highly regulated, and as a result face greater external compliance risk. All companies also face internal compliance risk, which means complying with their own internal policies and procedures. The key to managing these risks is installing controls that confirm the organization is complying with its internal and external requirements on a consistent and regular basis.
What are some best practices for managing internal compliance risk?
You want to have well-defined and well-documented policies and procedures. Then ongoing training from the top down is key. Make sure everybody knows what he or she is required to adhere to from a policy and procedure standpoint.
On the back end, you need to monitor — do periodic check-ins on certain activities to confirm that people are following the rules, while looking for trends. Are there trends and activities that demonstrate a lack of compliance? If so, challenge the root cause behind that. Do people need more training? Are people circumventing the rules, regulations, policies and procedures, and what is the intent when they deviate? Or, is there a breakdown in the way the process is being managed?
How do you recommend organizations adhere to what’s mandated externally?
There’s a general understanding of why certain rules are in place — to protect consumers or to protect other organizations. But a lot of organizations struggle because they don’t have the money and/or enough resources to do the compliance work that’s necessary to manage this type of risk. They wrestle with concerns like the cost versus the benefit and how long they can sustain it.
Some business leaders understand that it’s the cost of doing business, and they execute on it and look for ways to do it efficiently. Others take more aggressive steps like protesting to government leaders in an attempt to make the requirements, laws and regulations less impactful.
One efficient approach to managing this risk is leveraging experienced third-party organizations. You can bring people in on a short-term basis, leveraging a variable-cost instead of a fixed-cost model, to help navigate through the compliance requirements.
This also is an instance where technology has been very helpful at driving efficiencies. Compliance tools can extract data from your systems, run that data through a series of tests, and tell you whether or not something is deviating from what’s required, per the law or your policies and procedures. So, don’t be afraid to explore the cost-benefit of leveraging technology.
Also, don’t be intimidated by your perception of the cost, because if you don’t manage the risk and leverage the availability of outside resources and technology, what’s the impact of the risk coming to fruition? Ignoring risk is a big mistake — that it-won’t-happen-to-me mentality.
You need to identify and understand your risk, and then proactively and deliberately mitigate that risk through internal controls. But this is something a lot of smaller organizations don’t do — and they should, because it’s those smaller organizations that really aren’t in a position to absorb the risk if something significant does go wrong.
Insights Accounting & Consulting is brought to you by BDO USA, LLP