
For many years, corporate compliance officers have followed a certain natural process. First, regulators adopt a new rule, then you decipher how the arrival of that new rule might require changes to your policies, procedures and other internal controls. 

Now the new trend of deregulation brings an interesting question: how do compliance officers manage that process when regulators are rescinding rules? 

The truth is that organizations still need all those same compliance capabilities – risk assessment, policy management, internal controls, training and communication, documentation – even when the regulatory environment seems to be running backwards.

How so? Let’s consider five questions you should ask about your compliance program in a deregulating world. 

How are you managing regulatory change?

The Trump Administration, the European Union and various political factions in its 27 member states, and other governments around the world are all embracing deregulation, and soon enough some number of those rules and requirements will be adjusted. So how are you going to learn about those changes? 

Presumably you’ll hear about vanishing rules the same way you’ve heard about new rules – but that just proves our point: organizations need some method to (a) identify no-longer-active or amended rules; and (b) determine whether that deregulatory move applies to their business. The ideal would be a tool, perhaps driven by artificial intelligence, that can monitor regulatory change announcements and automatically alert you to both the change itself and how the change might affect your policies and procedures. 

How are you squaring that retired rule with your policies and procedures?

You probably have lots of policies and procedures that originally were created to satisfy some new regulatory requirement. So, if that regulation goes away, can you discard all those policies and procedures along with it?

Quite possibly, no you can’t. Some of those policies and procedures might also serve other purposes, where you’d want them to remain in place. After all, we’ve written for years that the ideal is to have fewer policies and controls that satisfy multiple regulatory demands. While that principle still holds true in the deregulatory era, it means you might end up retaining certain policies and procedures anyway because they still serve other purposes. 

This means you’ll need strong policy management and control mapping capabilities, to see which policies and controls serve what regulatory ends. That will allow you to identify which policies you can eliminate along with their terminated rule, and which ones you can’t. 

Along similar lines, most large companies have a “policy about policies” that specifies who can adopt a new policy. That master directive should also be clear about who within your company has authority to decommission a policy for a rule that no longer exists. You don’t want some random executive, even acting with good intentions, canceling a policy unilaterally and creating gaps you don’t know about.

Will you need to redesign your controls?

As you retire certain policies and procedures, that could have implications for internal controls you had in place to fulfill that original, now-rescinded regulatory requirement. You might want to consult with First Line business units in charge of those controls, as well as with any internal audit team you might have, to consider whether the controls should be changed. 

For example, you might have a two-person approval process as part of a policy that’s no longer necessary. Could you then discontinue that control, rather than compel those two managers to keep doing something that no longer serves a purpose? Could you simplify it down to one person? Could that oversight duty be assigned to someone else executing a similar control for some other rule that still exists?

It’s also possible that you might not change your controls at all. Our point here is that responding rashly to deregulation – “Yippee, let’s get rid of everything!” – invites unintended consequences. Nobody wants those, least of all senior management. Pruning back your controls may be fine, but proceed with caution.

What are you telling your employees?

Employees read the news. They know deregulation is the buzzword these days. They know that diversity, equity and inclusion programs are no longer in vogue at many companies, and that various longstanding enforcement measures (such as the Foreign Corrupt Practices Act) are currently not being enforced. 

So, what training and communications will you give them to explain any policy or procedure changes the company might be adopting? Or if you’re not changing policy, how are you explaining that rationale and reminding employees about their expected conduct?

For example, yes, enforcement of the FCPA is now on pause – but as we’ve discussed before, that does not mean companies can adopt a “pro-bribery” stance. You might want to explain that to employees and third parties, emphasizing your organization’s commitment to integrity. Or you might be rescinding some DEI efforts, but that does not give employees a license to discriminate. Your policies, training, and executive messaging all need to make such points clear, so that employees always continue to act in accordance with policy and the company’s ethical values. 

Are you considering new misconduct risks that might emerge?

Regulations and corporate policies exist to guide employees toward certain standards of conduct. When those regulations and policies go away, it could give employees more freedom to act as they think best. 

In many ways that can be great. Less regulation can spur more innovation, growth, and other positive outcomes that businesses want. But giving employees more discretion to act as they think best also opens the door to them doing something wrong – either an outright malicious act that previous policies and controls prevented, or just an innocent mistake whose consequences could prove costly. 

So, you’ll still need strong risk assessment capabilities as always, to anticipate new types of misconduct that could lead to bad headlines, costly repairs, civil lawsuits, an employee exodus, or other problems. 

Proceed with caution

In other words, deregulation can be a gift for corporations, but it’s a gift that must be opened carefully and thoughtfully. While deregulation might relax many burdens on your organization, it could create others. So, in the same way you needed strong compliance capabilities when regulations were on their way up, those capabilities will be just as valuable with regulations on the way down.

Some things never change. The usefulness of a strong compliance and risk management program is one of them.

If you’re looking for solutions to build or grow a risk and compliance program that can withstand the challenging regulatory environment, NAVEX has you covered. For more information on how the NAVEX One platform works, get a demo now.
