Regulatory compliance obligations are challenging for any organisation to keep up with – even more so for those operating in multiple locations and with thousands of staff. However, there are some key strategies to help organisations minimise the risk of a costly breach.
Regulation of organisations has been on the rise, requiring companies to be one step ahead of constant changes, or risk an expensive, damaging compliance breach. The challenge of managing this is amplified for those with operations in multiple locations, whether it be across one country, or many.
"Examples are banks, retailers, distributors, franchises and insurance branches," says Carly Richards, Director, Internal Audit, Risk & Compliance, KPMG. "Retailers are covered by hundreds of different regulations that are constantly changing. They could have 20,000 team members, multiple locations, and they need to know what is coming."
Edwin Davis, Partner, Internal Audit, Risk & Compliance, KPMG, says an organisation could be dealing with changes ranging from privacy, safety, visa regulations, trading conditions, climate sustainability and energy measures. He says the competitive pressure to offer service without delay can increase the potential for a breach.
"Customer expectation is driving organisations to deliver a 'real-time' service, making a sale 'there and then'," he says. "When there is so much more compliance and regulation to consider, it creates a challenge to balance the customer experience with meeting the compliance obligations."
When a business has multiple locations, there is increased risk of varied interpretations of regulatory requirements, and in turn non-compliance.
"There can be inconsistencies in interpretation of compliance, and local practices can create very different customer experiences and compliance outcomes, which creates a challenge for organisations to know what is going on in its distribution networks," Davis says.
As legislative changes often come thick and fast and can be complicated, it can be hard to effectively manage internal and external obligations.
"You need to make it understandable for teams so they can focus on the customer experience, rather than thinking, 'I have hundreds of different things to learn about a product’," he says.
This involves risk profiling, tailored questions, training and industry expertise.
"You must assess the legislation that is important to your business," Richards says. "It will be different for insurance or financial services than for retail."
"Key questions for a risk assessment could include, 'How does the environment currently work?' or 'What new legislation is coming?'," Richards says.
A gap in policies and procedures could reveal the need for training, or the requirement to engage subject matter experts.
"Focus is often broader than regulatory; organisations use this process to gauge a site's performance against operational, financial and service measures. This gives a complete end-to-end view of the opportunities and risks that exist on a local level," she says.
This involves embracing innovative technology and processes for a cross-network audit of compliance. Scheduling audit execution is key. Richards explains it is about building a model that satisfies an organisation's budget, size and history of compliance.
"One way is to audit all sites. A second way is a risk approach, where you may only audit 10 percent of locations, but do the least-performing 10 percent," Richards says.
Some sites may have their own audit team, so asking the right questions and ensuring they are correctly trained is vital. Richards adds that it can be helpful to engage a subject matter expert to execute an audit.
"An issue might be safety, so you want to make sure a safety expert is involved. It can also be a key opportunity to coach people," she says.
Here it is important to delve deep into the findings for insights that can lead to better compliance management. This could be facilitated with tailored dashboard reporting, real-time analytics or app-enabled monitoring on the run. Richards says to look for spikes in activity by region, or spikes in sales by site or product category.
"Ask, 'What are the key risks, where do they sit, why there are risks, and what is causing them?'" Richards says.
Embracing continuous improvement can make the difference between risk and success, and each piece of information should fuel change for the better.
Richards says industry benchmarking can help, as can access to subject matter experts for guidance and advice. Risks identified in the audit process can and should inform the broader assurance program.
As mentioned in 'Execute', technology can help organisations maintain cross-network compliance. Davis says regulatory technology (RegTech) can act as the 'eyes and ears' of an organisation, while cognitive computing will increasingly have a role to play to highlight risk areas and opportunities to better serve the customer.
"It's also important to monitor social media to understand what customers are saying, and any emerging issues and trends, as this often provides early indicators of wider issues," he says.
Davis says many industries are designing products and services with in-built compliance, for real-time assurance. For a food retailer, this could be technology that monitors the conditions of food safety from production through to the point of sale.
"Technology can help match products to customers and combined with near real-time and regular monitoring of performance in the store or branch network, you can gain competitive advantage," he says.
Davis has observed that compliant organisations have better long-term results.
"We see a high correlation between compliance and performance. The opposite is that poor compliance often goes with poor customer experience and under-performance," he says.
Educating managers of each site to understand this connection and the impact of non-compliance on their ability to deliver can help them resist pressures to succumb to non-compliant practices.
"If a customer isn't happy with a product they have purchased, particularly if it hasn't been fully explained to them, they will opt out and are unlikely to talk about the experience positively to their friends and family," he says.
"Organisations that don't have a strategy to ensure compliance across their network could easily be non-compliant without realising," Richards says.
One non-compliant site could put the entire organisation at reputational risk, financial risk, and people risk.
"You could be making the assumption that your network is doing the right thing without having anyone to verify that. It is about keeping with the times, and how you are protecting customers, team members and your brand," she says.
The reasons for new compliance and the implications of failing to meet obligations are vast. Explore more in: Regulatory compliance – staying ahead of change.
©2021 KPMG, an Australian partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved. The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organisation.
Liability limited by a scheme approved under Professional Standards Legislation.
For more detail about the structure of the KPMG global organisation please visit https://home.kpmg/governance.