Managing your company’s regulatory compliance burden is a challenge for any compliance professional, no matter your company’s size or industry. The task requires attention to an enormous number of details, with potentially severe consequences — for both the company and the compliance officer — if one of those details goes overlooked.
So it’s no surprise that just about every compliance officer relies on a vendor (and often multiple vendors) to help with those compliance needs. In this post let’s consider how you should select a vendor for regulatory compliance services, and how to be sure that your choice leads to a long, productive relationship.
What are compliance management services?
“Compliance management services” is a bit of a catch-all phrase; it broadly refers to the tools, activities, and strategies a company uses to meet its compliance obligations. Some businesses (financial services firms, for example) can outsource significant parts of their compliance operations; many others keep direct control of the compliance function in-house, but rely on one or more vendors to execute those compliance processes.
The processes themselves are all the ones a compliance officer would typically expect to see:
- Regulatory monitoring, to track new rules or legislation that might affect your organization.
- Internal reporting hotlines, so that compliance teams can easily receive allegations of misconduct.
- Third-party risk management, such as due diligence or monitoring of vendors and suppliers.
- Training of employees (and, where necessary, third parties) so they know what to do.
- Risk assessments to identify and monitor the risks that might lead to compliance violations at your business.
- Testing or auditing to be sure internal controls and procedures perform as expected.
- Policy management so that all parts of the enterprise understand which policies apply to them, and that all policies are consistent in structure, tone, and reach.
- Compliance reporting, which allows the compliance officer to see how the entire program is performing at any given moment and then present those findings to the board, regulators, or other stakeholders as necessary.
Sure, compliance officers could try to manage all of those tasks through manual procedures and standard desktop software — but in practice, that approach is no longer scalable for the modern enterprise. You need dedicated compliance management services to fulfill your company’s compliance obligations.
How to choose the right compliance management software
Choosing the right compliance management software for your business requires careful consideration. Above all, you need to understand what capabilities will matter most for your business to develop efficient processes for regulatory compliance — because that answer will always vary from one company to the next. Choosing the best vendor depends on knowing your own company as much as it depends on knowing the vendor.
That said, compliance officers should also consider the following issues.
Understand the scope of your regulations
First, take the time to understand your company’s business operations and the scope of regulations likely to apply to you. Some regulations apply to all companies, such as the Foreign Corrupt Practices Act and other anti-corruption statutes. Others apply to certain industries, such as the Anti-Kickback Statute applying only to healthcare. Still more apply to certain actions you might undertake, such as data privacy laws (which only apply to companies that collect personal data).
Once you have a sense of the laws and regulations that affect your business, you can start narrowing your search to vendors that work with those subjects.
Consider the capabilities you need
You’ll also need to look inward at your own operations, to understand where your current compliance efforts are weak and the capabilities you’ll need to bring your program where you want it to be.
For example, if your company is expanding overseas and currently relies on manual processes for due diligence, you’ll need software that can automate due diligence. If you already have a strong speak-up culture (congratulations), you may need an internal reporting system that can categorize complaints and route them to the proper people for follow-up on an automated basis. If you operate globally in a highly regulated industry, you’ll need strong data analytics and reporting capabilities.
Put candidate vendors through their paces
Don’t be afraid to push compliance management vendors on how they can help you. Publish a request for proposals and see how they reply. Ask for references from current customers. Consult your own compliance colleagues who are current (and former) customers. Ask for product demonstrations or trial periods. Where appropriate (such as a vendor that might handle large amounts of personal data), review the vendor’s cybersecurity policies or ask for a SOC 2 audit report.
In short, assess the vendor in every way that’s necessary for you. No reputable vendor should be afraid of these demands.
Think about the long-term relationship with your vendor
Beyond the straightforward question of whether a vendor’s software has the capabilities you need, think about how that vendor will fit into your larger compliance program. For example, how will the software implementation process work? What technical support will the vendor provide? How well will the vendor work with your own technology team, if necessary? What about ongoing maintenance, software upgrades, and the like?
In the ideal world, your compliance management vendor will be a long-term partner with you and your compliance operation. (Just consider the converse, where you choose the wrong vendor and tell senior management you need to make a change.) That means you also need to consider how the vendor can keep pace with your business as it grows, and your compliance needs evolve.
Conclusion
Compliance management software can help companies in all manner of ways: automating tedious tasks, generating better data for better reports, helping you to identify risks more accurately and precisely, and lots more. More than anything else (and as the very name implies), it simply helps you to manage all the work that goes into running a corporate ethics and compliance program.
Still, choosing the wrong compliance management vendor does you no favors. Compliance officers need to look internally and assess their own needs first; and then put candidate vendors through their paces to be sure what they can deliver is what you need.
More than specific features and capabilities, however, consider whether your proposed vendor can be a good partner — an extension of your compliance program, really, that can change with you as your program and compliance needs change. That will always be the most crucial factor for success.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week. from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.