Compliance management services
Choosing a compliance technology suite
While some companies choose to build their own compliance technology solutions, many choose to save time by purchasing from an external vendor. When undertaking a vendor selection process there are a large number of issues to consider, many of which may fall outside the standard skillset of a compliance team.
In order to successfully purchase and implement a solution in the most efficient manner, here are ten things to think about when selecting a compliance technology suite.
1. Why do you require the technology?
The first (and probably most important) item is to be clear about what you and your organisation want out of a compliance system. It is vital that you are able to articulate how it will support or improve the business as these will be the first questions you are asked when you seek budget and buy-in from your key stakeholders.
You must to be clear on who is going to use the technology. There are often many other business units who require or already have similar systems (such as supply chain management or partner management). In those cases it is important to decide whether the other units should be included in the programme. If the other business units are included you may be able to split the costs; however, you may decide it is cannier to determine your own needs first and allow others to share the benefits later rather than giving them a seat at the decision-making stage.
However you decide to manage the process, it is vital to remember that there will be many stakeholders in a technology project (including IT) and each stakeholder needs to be managed for the project to be successful.
2. Which functions do you need?
Once you have established your reasons for the technology the next step is to determine which functions will allow you to achieve those aims.
This analysis needs to go beyond the obvious “I need a system to manage my gifts and entertainment policy”. You will need to consider the complexity of your overall processes and determine where the technology-based compliance system will start and stop.
It is often the case that you will be looking for a solution to whatever issue is currently most pressing. When selecting a technology solution, however, it is wise to consider the functions you may need in the future as well as those you need today, either in terms of new compliance programmes or building out the current programme. The worst solution is to have a number of independent systems managing different aspects of what should be a single compliance programme.
3. What are your security needs?
Security is always going to be a key issue in any decision to purchase a technology suite, both in terms of securing the information against the outside world and also controlling access internally. Check your company’s security policy to understand what your IT department has determined as a minimum standard.
To help with this decision it is important to consider what information you will be storing (both now and in the future). Some information will be personal (for example information about your or your partners’ employees) and may be subject to privacy legislation which will mandate a certain level of security. Other information may be of a confidential nature; something that you want to keep secure for commercial reasons or information a partner has stipulated security requirements for in a contract.
4. How will you host the system?
The review of your security requirements will lead to the decision about where to host the system. There are a number of decisions to be made with hosting:
- Should you manage the system yourself or let the vendor manage it? Self-management may be cheaper, but the vendor knows the system better so will be able to provide a higher level of support.
- Should you host the system yourself in your own data centre or let the vendor host it? Internal hosting may seem more secure (and is certainly within your control), but its quality depends on your IT budget. It may end up costing more overall as you don’t gain the benefits of low-cost data centres.
- If your vendor is hosting the system, how much of it can be shared with other clients? While many IT infrastructure elements will be shared (networks, firewalls etc.), certain other elements can be dedicated to you if you require (servers, virtual machines, databases etc.). As always, this comes at a cost.
- Where a vendor is hosting the system, can you allow your data to be stored “in the cloud”, where a hosting company (such as AWS or Azure) determines the location without any say from you or the vendor, or should it be a hosted solution in a fixed location which merely makes use of shared resources?
- If you have a choice of location, where should you put your data? Data hosted in Europe will provide the benefits (and obligations) of European Union data protection legislation, and data hosted in the United States may be subject to government surveillance; however, data hosted outside these two areas might raise suspicions amongst your partners about the quality of the protection.
5. How much support will you need?
Whilst every vendor would like their system to be available 100 percent of the time, the reality is that things break. Many problems can be overcome by sensible architecture (including backup components and reducing single points of failure) and appropriately sizing the capacity required, but again, this adds to cost.
Most vendors will provide some form of after-sales support for the systems they sell. There will generally be a cost to this service, determined by the level of support you require. It’s easy to say that your system is mission critical and requires 24-hour, 7-day support and 99.9% uptime, but how much are you willing to pay for that?
When considering support it is important to understand the different types that are available:
- infrastructure support – fixing servers and network equipment (but not the internet) and the underlying software (operating systems, web servers etc.)
- software support – maintaining the software that you have purchased
- usage support – assisting with the day-to-day use of the system, ranging from password reset requests through to “how to” questions
- data support – ensuring and maintaining data quality if data has been entered incorrectly
- process support – making sure that people follow the processes that you have determined.
Some vendors will support the infrastructure and software but will leave you to manage everything else yourself. It is also worth considering how much of the support you can manage internally through your existing support desk function.
6. How should the system be maintained?
It is easy to focus on getting your system purchased and implemented and neglect to consider the changes that may occur over its lifetime. Changes that you should consider include:
- amendments to your compliance programmes after reviews or changes to legislation
- changes to your business with internal restructuring and mergers or demergers
- the workflows and processes within the programmes changing when people join or move around the business or when defects and inefficiencies are removed
- updates and improvements that the vendor provides for the system
- changes to data retention and archiving requirements.
Whilst the future is generally unknowable, it is important to have these changes in mind as part of your overall vendor selection.
7. How will the system be implemented?
It should never be forgotten that a software solution is not a business solution. Prior to any launch there is likely to be a large amount of work to be done to configure the suite to meet your requirements and workflow.
You therefore need to decide what resources are available to perform this work, who will manage the project, and whether the vendor has any resources or skills to support your implementation.
In addition to building and implementing the suite it is vital to train your staff on how to use the system and how the processes within have been designed. Deciding who needs to be trained and how to go about training is another key decision to make.
8. How will the system connect to your other systems?
It is rare that a full suite of compliance tools will run without any interaction with your existing systems. Regardless of where the system is hosted, you should consider whether you could benefit from integration with:
- human resources systems to ensure new users are added and old ones removed
- authentication systems which allow single sign on to simplify the log-on process for users
- enterprise resource planning (ERP) systems to manage new partner on-boarding
- travel and expense systems to support gifts and entertainment tools
- learning management systems (LMS) to support central recording of training.
Once you have determined the type of data to integrate you should then consider the level of integration. This can often have a significant cost implication.
Types of integration include:
- manual uploads using a defined template
- manual file transfers using a secure protocol
- automated transfers at regular intervals over the internet
- automated transfers on demand (i.e. when a new user starts or a new partner is entered).
Decisions on the automation and level of integration require a cost-benefit type review to weigh the time and resources of a manual process versus the cost of building and maintaining an automated process. Vendors should be reviewed not only on the integration options they provide, but also on their flexibility in allowing integration to grow as you better understand your processes.
9. Which vendor will you use?
Once you have answers to the preceding items you will have a fairly clear and detailed specification to use in a vendor selection process. In cases where no single vendor provides the total package it becomes important to weigh up the various aspects to find the best overall solution.
It should be remembered that, like any other large-scale technology, a compliance system requires a long-term relationship. So what else should you look for in a vendor?
If you were to look at venders in the same manner as you do your third party compliance programme you would probably ask questions about their reputation and the way they do business. Can you trust them with the confidential and private information that will likely be stored on the system? Do they understand your business? Do they understand what compliance is about? How you will be using their system to further your compliance objectives?
10. How often will you review the system?
A final consideration is when to review the choice of system as a whole. Given the time and effort which goes into selecting and implementing the suite of tools this is not a review that will be undertaken more than once every few years. It should not, however, be forgotten. Thinking about the criteria which will guide any future review prior to vendor selection can often help to highlight the relative importance of the original selection criteria.
In the event that you do decide to change systems, you must consider your contractual rights and how you retrieve your data from the incumbent vendor.
There are a lot of factors to consider when deciding on a compliance technology suite. The most important rule to remember is that the technology should always be adapted to your needs rather than you being led by a vendor. Understanding and clearly articulating your requirements is the first step towards that goal.
This document has been edited with the instant web content composer. The online instant HTML editor tools make a great resource that will help you a lot in your work. Save this link or add it to your bookmarks.
COMPLIANCE MANAGEMENT SERVICES
What are compliance management services?
Compliance and legal teams are managing larger and more complex tasks beyond their traditional responsibilities. This is partly because of the changing landscape of the compliance industry as well as the introduction of new legislation, new risks, changes to their businesses and increased enforcement actions by regulators. It is not news that the compliance and legal teams are looking to do more with less.
Despite these ever increasing roles, the risks at a company need to be properly managed. Thus, compliance professionals are increasingly outsourcing some of their tasks to independent risks managers to help ease their burdens so they can focus on business goals.
What is the value and benefit of compliance management services?
For a minimal fee, compliance professionals can outsource their third party processing, managed database screening and operational compliance projects to compliance managed services.
The value is that compliance management services free up valuable time and resources so compliance teams can focus on high-end, strategic initiatives and gain additional support for time-consuming, resource-intensive parts of their compliance programme.
Compliance management services are all done for a fraction of the cost of doing it in-house and it makes the best use of the companies’ time and resources.
Compliance management services are highly advisable because there is no vested interest and less criticism from outcome of an audit, risk assessment or due diligence.
What can compliance management services do?
As the name suggest, compliance management services enable companies of any size and from any industry to outsource part of their compliance requirements to independent vendor. Different vendors offer different compliance services including but not limited to; due diligence reports, database screening, third party management, compliance audits and compliance risk assessments among many other services.
The work of compliance management services is performed by experienced compliance professional, legal practitioners, business analysts, tax advisors, auditors and risk management consultants. This is to ensure maximum quality, value and industry standard.