Regulatory compliance is a universal concern across all industries, particularly after the financial crisis of 2007 to 2010, and companies have been devoting more and more resources to compliance solutions.

However, as this year's political climate shows, changes in leadership can create significant hurdles to regulatory compliance. New priorities and agendas mean the introduction of some new requirements and the rollback of others. Today, the potential rollback of Dodd-Frank is causing many companies to scramble. If Dodd-Frank is repealed, what's next?


Assessing risks associated with regulatory upheaval is not as simple as just estimating impact and likelihood. The process is complicated by questions about velocity—how quickly a change can materialize and impact the organization. Rollbacks will undoubtedly necessitate adjustments, but when does it make sense to start implementing changes? After all, the rollout of Dodd-Frank requirements took place over the course of years, and unraveling those requirements is not going to happen overnight.

Effective compliance management is forward-looking. Identifying and mitigating risks well before they materialize into incidents is good both for compliance practices and for the business. One of the best ways to make compliance management proactive is to take an enterprise-level view, implementing a broad enterprise risk management (ERM) program rather than deploying a new software solution to accommodate each new regulation.


The Problem with Compliance Software

Dodd-Frank is one of the most significant financial regulations in the history of the United States, and its prospective rollback under the Trump administration highlights one of the weaknesses of most compliance software solutions.

President Trump's initial executive order directed at Dodd-Frank is "vague in its wording and expansive in its reach. It never mentions the law by name, instead laying out 'core principles' for regulations that include empowering American investors and enhancing the competitiveness of American companies," according to The New York Times. Dodd-Frank is not the only regulation that could be affected by these ambiguous "core principles." So companies must ask themselves which other regulations might be altered considerably in the near future, or perhaps rescinded completely. And even though the Trump administration has emphasized deregulation, corporate leaders are wondering what sorts of new requirements might arise that would force organizations to adapt.

If an organization adopts a point solution every time it has to comply with a particular regulation, then volatility in the regulatory environment becomes a potentially enormous problem. Consider the current atmosphere of uncertainty resulting from Dodd-Frank's ambiguous future and President Trump's stated deregulation initiatives. Does it still make sense to purchase or renew compliance software that focuses on a certain area? It doesn't, for two reasons.

First, the most obvious problem is that compliance solutions require a fixed investment to address a situation with an unknown life span. Boards are growing (justifiably) more and more hesitant to sink resources into a specialized compliance solution when regulations are prone to change. If an organization does purchase a solution to achieve Dodd-Frank compliance, that investment will be a sunk cost if the regulation is rolled back.

And second, such solutions inherently treat compliance as the end goal. They help a company manage the exact steps that it needs to take to pass a regulator's scrutiny. Once that happens, the solution has accomplished its objective, and it's not designed to do anything else. This means the maximum return on investment for that solution is dictated specifically by the regulatory penalty it helps a customer avoid.


The Goal: Compliance Agility

The current atmosphere of uncertainty is nothing new. Companies have always had to adapt to shifting business environments, and changes in political leadership have always been one driver of those shifts. The companies best able to pivot and thrive despite uncertainty are those for which compliance is not the end goal.

Compliance is mandatory, but best practices in governance, risk management, and compliance do not end with a regulator's stamp of approval. Rather, efficient and ongoing regulatory approval is a natural result of good governance companywide. Businesses that achieve sustainable, effective, and compliant operations fit two criteria:

  • They treat compliance as the minimum operating standard.  Just because a regulator gives an organization a stamp of approval doesn't mean that organization is running its operations effectively or sustainably. Successful companies don't view regulatory compliance as a goal, but as a byproduct or side effect of strong, enterprisewide governance.
  • They proactively identify, assess, and mitigate root-cause risks, regardless of regulatory (and other) uncertainties.  This means that a new regulation focused on reporting practices, for example, shouldn't cause alarm. Organizations consistently focused on mitigating operational risks, such as those associated with poor reporting (e.g., an inability to understand the effectiveness of controls), will likely be able to satisfy a new reporting requirement with little to no adjustment in their processes.


ERM Can Prevent Surprises

The common denominator among all governance and compliance activities is risk. Enterprise risk management is the best way to build an agile compliance function.

The first step is to develop a centralized taxonomy of risk-related terms and requirements. Sharing a common taxonomy enables divisions throughout the organization to understand systemic concerns and potential loss events across silos and business processes. A shared risk taxonomy enables the company to aggregate information on corporate standards so that it can avoid subjective, incomplete, redundant, or flawed compliance management. Business units that use the taxonomy will adopt common terms and structures for identifying and classifying risk, which means individual business units will be comparing their different types of risks against a set of shared standards. It also means the business units are likely to uncover dependencies among different types of risks, which can provide insight into vulnerabilities in compliance processes. A risk-based taxonomy will identify root causes—the drivers of risk, as opposed to its symptoms—and is the best way to achieve and maintain transparency across all parts of the organization.

A fully implemented ERM program can further enhance not only the effectiveness, but also the efficiency of corporate compliance management activities. Consider two defining characteristics of the period leading up to the enforcement of a new regulation.


1. The regulation brings with it a known, black-and-white outcome.  Any organization affected by an upcoming regulatory requirement has advance notice of what is expected of it. Rules are published before companies are legally required to adjust their operations, so teams have time to evaluate their current operations and determine which processes need to change.


2. Regulators give companies a predefined amount of time to become compliant.  As a result, there is little uncertainty as to when actions must be taken.


When a regulatory agency has defined the concrete parts of compliance—the "what" and the "when"—then the only question that remains is the "how." And in determining how to comply with a specific regulatory requirement, a company's priorities are going to be the same as always: to achieve maximum performance, to innovate, and to expand the business. It's possible to simultaneously deliver a healthy ROI and ensure compliance, as ERM can be a gateway to achieving both goals.

Enterprise risk management is a tool for bridging the silos that frequently crop up in a company's governance, risk management, and compliance activities. And an ERM program helps an organization determine what actions or initiatives are best for its business overall. When governance and compliance activities are siloed, and each department is left to its own devices, the right people are highly unlikely to get all the right information at the right time. The vast majority of loss events are caused by risks that are known to someone in the organization; however, if that information doesn't get to the right party, the organization is going to be blindsided without appropriate controls. In contrast, if a company bridges departmental silos, it can make use of all the resources at its disposal.

Different processes, people, and technology assets play different roles in the management of risk. An ERM program, supported by a shared risk taxonomy, can help ensure that all the moving parts in compliance and risk management are moving in sync. Moreover, a holistic approach to compliance enables corporate management to objectively prioritize and address regulatory changes. And an ERM methodology can help a company make decisions around how to most efficiently and effectively address compliance requirements.

Consider a bank or other financial institution. The Federal Financial Institutions Examination Council (FFIEC) has issued strict due diligence requirements for managing vendors, service providers, and other third parties. Before engaging a third party, a bank must evaluate that party's ability to provide the service without introducing unacceptable risk: verify its financial condition by reviewing audited statements, confirm that its business continuity procedures meet minimum standards, and ensure that its technology systems are properly backed up and protected by sound cybersecurity practices. A basic principle of contracting with third parties is that a process can be outsourced, but the risk associated with that process cannot. Banks should therefore hold outsourced processes to the same risk management standards they apply to in-house processes.

A bank that maintains an effective ERM program already has robust contracts and vendor due diligence procedures in place, so the core FFIEC requirements are already covered. Complying with the FFIEC rules is then not a significant burden; it simply requires an additional report on how the bank's operations meet the performance requirements.

For businesses in any industry, an ERM program can minimize the fear associated with regulatory uncertainty. If a regulation does change significantly, organizations with ERM should already have in place most of the procedures that compliance will require. And they needn't worry about their compliance solution becoming obsolete as the regulatory environment evolves.

A company that bases its governance, risk, and compliance activities on a risk-based taxonomy and an overarching ERM framework is more agile when confronting reorganizations, changes in regulations, customer demands, new technologies, and competition.


ERM Due Diligence

If an ERM software solution is part of your company's approach to compliance management, consider asking potential ERM software vendors some specific investigative questions when deciding how to structure your governance, risk management, and compliance program.

First, find out how (specifically) the software will help you aggregate information across silos. When providing reports to regulators—or to the board—you should be able to easily demonstrate compliance. Use information collected by different departments to create a holistic picture of how each part of the organization contributes to a particular process.

Second, ask how the software will actually integrate with your other risk management efforts, including vendor management, business continuity, security, and more. Just as compliance-specific software has a limited ROI, so does software that specializes in another solution category. Your software provider must be able to standardize all governance functions.

Finally, ask how the vendor will help you meet organizational goals and improve performance. In other words, what will the vendor provide besides the software itself? Your risk program should be operational as soon as possible. Look at whether the vendor charges additional fees for customizing reports and other professional services. You'll want to partner with a vendor that prioritizes your organization's success.



Steven Minsky is CEO of LogicManager, Inc., a leading provider of ERM software solutions, and a recognized thought leader in ERM. He is the author of the RIMS Risk Maturity Model (RMM) and corresponding 2008 and 2015 State of ERM Reports. Steven is also a patent author in risk and process management technology and an instructor on many ERM and GRC topics.

© 2025 ALM Global, LLC, All Rights Reserved.