The fundamentals of good compliance require that compliance professionals be able to intercede, either prospectively or retrospectively, at key control points. Whether these are activity, contract, payment or document controls, an inability to apply them reflects an inability of the compliance professional to manage enterprise risk.
Historically, many business processes have evolved from manual, diffuse business activities with no ability to intercede prospectively and a limited ability to intercede retrospectively. As technology has enabled various business functions, the compliance professional has become more empowered to intercede, apply controls and manage risk.
The integration of data across and within businesses is also enabling compliance professionals to manage risk more actively. While reporting and analytics provide deeper insight and more comparative analysis, this type of integration still forces a retrospective view of the data along with the associated risks that data represents.
In order for technology to be compliance enabled, it needs to integrate the compliance viewpoint into the fabric of the business process. This does not mean stopping at each step and asking if the risk is acceptable, but rather integrating the acknowledgement of risk into the workflow and into the thinking about the process.
Below are examples of how a business process may be compliance enabled. These processes allow for the prospective management of the business risk associated with these activities.
- An event that is outside of policy should be automatically routed for exception processing as part of an approval process
- A provider or consultant that is being utilized significantly above norms should have alerts sent to the appropriate risk managers
- Contracts should have data-driven parameters that allow for the validation of policy as well as legal language
- Sales reps should be risk scored based on their history of interactions and the auditing of their work should be automated
Regulatory and enforcement bodies are aggressively changing their tune with regard to culpability for enterprise activities. Where “I didn’t know” was once accepted, the measure is becoming “you should have known”. This is driving C-level executives to become more attuned to the need for proactive risk management, and it is increasing the demand for compliance-enabled technologies. As these become more prevalent, and as they cover a broader spectrum of the organization, so too does the compliance professional become more enabled to manage the risk profile in an organization.