Managing Enterprise Compliance: A Comprehensive Guide to Navigating Regulations, Avoiding Fines, and Emerging Challenges
What is Enterprise Compliance and Why is it Important?
Enterprise compliance is an integrated approach to ensure that an organization adheres to all laws, regulations, and internal policies across business departments and geographies.
It is a critical function for an organization. As Ernst & Young state, enterprise compliance “protects the company and its managers from criminal sanctions, financial losses, or even loss of image or credibility among clients or contractors.”
Enterprises that don’t get compliance right pay, whatever industry they operate in.
In December 2023, Ladbrokes and Coral had to pay the UK tax authority £585 million over bribery allegations, as a result of failing to have adequate anti-bribery policies and procedures in place.
In short, while the regulations enterprises have to adhere to vary according to the industry and geography they operate in, getting enterprise compliance right is critical.
Who’s Responsible for Enterprise Compliance?
The phrase “everybody’s responsible for compliance” is often heard in organizations.
But as Deloitte notes in its ‘Enterprise Compliance: the Risk Intelligent Approach’ report, “If management believes everyone is responsible, there’s a chance that in reality, nobody’s at the wheel.”
Undoubtedly, compliance is and should be a company-wide endeavor, but the person who is most likely to be ultimately accountable is the Chief Compliance Officer.
There should also be embedded compliance officers that own specific compliance areas.
For example, you may have a compliance officer who sits within the manufacturing division and looks after health and safety, and another who sits within the data and security team and handles GDPR.
Each compliance officer creates policies, conducts audits, and sets up employee training for their specific focus area – to avoid the hefty fines and lengthy legal battles we touch on in the introduction.
However, how many individual compliance officers there are, and how compliance is structured, depends on the size and regulatory complexity of the organization, industry, and geography.
What role they play can also change depending on the strategy of the compliance function.
Compliance Beyond the Compliance Function
It’s not just compliance officers who are responsible for compliance, however. Board members, senior leadership teams, and managers are also responsible, and so are employees.
But to ensure that compliance isn’t isolated, and everyone within an organization has a compliance-first mindset, there needs to be compliance integration and employee enablement.
It’s not just a nice-to-have. In the US, the DOJ Criminal Division’s Evaluation Guidance that assists federal prosecutors requires that there is “commitment by senior management and middle management”, and “autonomy and resources” in an enterprise’s compliance program.
It also requires that enterprises have “adequate training and communications.”
The Evaluation Guidance looks beyond the mere existence of a compliance program to assess how its elements interact and how seamlessly they are integrated into the company’s operations. It goes beyond the presence of comprehensive policies and procedures to examine how they are reinforced through robust internal control systems.
While regular, tested training might be the most apparent way to help organizations live up to these expectations, it’s ultimately not enough.
The hard truth is most employees have very little recall of compliance training, even in the most basic compliance areas.
According to Gartner’s Legal Technology Predictions Through 2025, 42% of employees don’t recall their company’s gift and hospitality policy and 27% don’t remember completing finance compliance training.
So, what’s the solution?
With the advent of compliance-specific AI tools like BRYTER’s Policy AI solution, there is now a better way to ensure seamless integration, adequate resources, and robust internal control systems.
Internal and External Enterprise Compliance: What’s the Difference?
External compliance and internal compliance are two approaches to ensuring that an organization complies with laws, regulations, and other standards.
External compliance refers to an organization’s adherence to laws, regulations, and other standards imposed by external parties, such as government agencies, regulatory bodies, industry associations, and customers. It is focused on meeting the requirements set by these external parties to avoid legal penalties, fines, and other sanctions.
Internal compliance refers to an organization’s adherence to its internal policies, procedures, and codes of conduct. It is focused on creating and maintaining a culture of ethical behavior and risk management within the organization. This can help to prevent legal problems, protect the organization’s reputation, and improve its overall performance.
What Regulations Impact Enterprise Compliance?
Though regulations differ depending on which industry and geography your organization operates in – for example, HIPAA in US Healthcare, and DORA in EU Finance – some are near-universal.
Here are some notable ones.
GDPR
Most enterprises, even if they’re based in the US or elsewhere outside the EU, will need to comply with EU data protection legislation.
The GDPR is a legal framework that sets out strict requirements for how organizations collect, process, and protect the personal data of individuals within the EU and EEA. Though it is an EU framework, it applies to any company that processes the data of EU citizens.
Non-compliance with GDPR legislation can be costly. As well as the record-breaking Meta fine mentioned in the introduction, Amazon (€746 million), TikTok (€345 million), and H&M (€35.25 million) have all found themselves paying huge fines for not meeting GDPR requirements.
Employment and Labor Laws
Every enterprise organization will have to adhere to employment and labor laws, no matter where they operate.
These laws set out minimum standards for working conditions. Examples of these include the UK’s Employment Rights Act 1996, the US Fair Labor Standards Act (FLSA), and Germany’s General Employment Act (Allgemeines Arbeitsrecht).
Fines for non-compliance with employment and labor laws can be costly.
Spain’s labor ministry fined delivery app Glovo €57 million for breaching local labor laws by falsely classifying over 7,800 of its delivery couriers in Madrid as self-employed.
As well as being economically costly, non-compliance with employment and labor laws can also have a significant impact on an enterprise’s reputation with consumers.
Environmental Legislation
Environmental legislation has become increasingly top-of-mind for compliance professionals over the past few years, especially since the UN’s Paris Agreement Accords came into force in 2016, and even more so with the new CSRD and CSDDD legislation set to come into force next year.
But despite being top-of-mind today, environmental legislation is nothing new. It has been something that almost all enterprises have had to comply with for decades.
For example, the US Clean Air Act (CAA) came into being in 1963, and Germany’s Federal Immission Protection Act (Bundes-Immissionsschutzgesetz, BImSchG) in the early 1970s.
As with GDPR, non-compliance with environmental legislation can be costly.
The headline case of Volkswagen suffering an $18.2 billion hit after violating the US CAA in 2015 is a case in point.
Enterprise Compliance Best Practices
Navigating the complexities of enterprise compliance requires a comprehensive approach that encompasses policy management, risk assessment, employee training, compliance culture, regulator engagement, and the utilization of innovative technologies.
Policy Management
Maintaining a comprehensive and up-to-date set of policies and procedures is crucial for ensuring compliance across all aspects of business operations.
However, organizations struggle to keep their policies current. This can lead to gaps in compliance and expose the organization to legal and financial risks.
To address this challenge, organizations should establish a robust policy management system that facilitates timely updates, centralized storage, and easy accessibility for employees.
Risk Management
Effective risk management is an essential element of enterprise compliance. Organizations need to identify, assess, and prioritize potential risks to ensure that they are taking appropriate mitigation measures.
A 2022 study by Forrester found that 41% of organizations experienced three or more critical risk events in the past 12 months. This highlights the importance of proactive risk management to minimize the likelihood of incidents and their associated consequences.
Organizations should establish a formal risk management process that involves regular risk assessments, ongoing monitoring, and the development of risk mitigation strategies. This process should be integrated with the overall compliance framework to ensure that risk management is a top priority across the organization.
Education, Training, and Employee Enablement
Ensuring that employees are well-versed in compliance requirements is essential for upholding ethical business conduct and preventing non-compliance incidents.
However, according to a study by EY, while 60% of board members report frequently communicating about integrity, only 30% of employees remember these messages.
To address this gap, organizations should implement comprehensive employee training programs, and enhance them through the use of technologies like BRYTER’s Policy AI. These programs should be tailored to the specific roles and responsibilities of different employees and should be updated regularly to reflect changes in compliance regulations.
In addition to formal training, organizations should foster a culture of compliance by regularly communicating the importance of ethical conduct and providing employees with easy access to compliance resources.
This includes readily accessible policies, clear reporting channels, and training materials that are easily digestible and relevant to employees’ daily activities. Again, a tool like Policy AI will help enhance, enforce and simplify standard approaches to compliance training.
A Culture of Compliance
A strong culture of compliance is the foundation for an organization that operates ethically and adheres to all applicable regulations.
Accenture’s 2022 Compliance Risk Study found that 95% of respondents are either building or working on building a culture of compliance throughout their organizations.
Creating a strong compliance culture requires consistent leadership commitment, clear communication of compliance expectations, and regular reinforcement of ethical values.
Organizations should also encourage open dialogue and provide employees with a safe space to report suspected non-compliance without fear of retaliation.
They should also make it easier for employees to find information about relevant policies.
Regulator Engagement
Managing relationships with regulators is an important aspect of enterprise compliance.
Organizations need to be proactive in communicating with regulators, responding to inquiries promptly, and demonstrating their commitment to compliance.
Organizations therefore need to establish clear protocols for interacting with regulators and to ensure that employees are aware of the importance of ethical conduct and compliance transparency.
Organizations should also develop a proactive approach to regulatory engagement, actively seeking feedback from regulators and seeking opportunities to collaborate on improving compliance practices within their industry.
Innovation and Technology
Emerging technologies, such as artificial intelligence (AI) and automation, can play a valuable role in enhancing enterprise compliance.
AI-powered tools such as BRYTER’s Policy AI solution can automate tasks like answering routine compliance questions and stress-testing policies against official legislation to spot policy gaps.
Organizations should explore how these technologies can be integrated into their compliance frameworks to improve efficiency, identify potential compliance gaps, and provide real-time insights into compliance risks.
Managing Compliance through Growth
As organizations grow, they may encounter new compliance challenges, such as mergers and acquisitions, geographic expansion, or the introduction of new products or services.
It is crucial to proactively address these challenges to ensure that compliance practices remain robust and aligned with the organization’s evolving needs.
Organizations should incorporate compliance considerations into their growth strategies, conduct thorough due diligence on acquired entities, and establish clear compliance protocols for new business ventures. In addition, organizations should have a plan for managing compliance risks during periods of rapid growth and expansion.
By adopting these enterprise compliance best practices, organizations can effectively manage their compliance obligations, uphold ethical business conduct, and protect their reputation and financial standing.
Emerging Issues in Enterprise Compliance
Compliance never stands still. Every year there are new compliance trends to tackle.
At BRYTER, we speak to hundreds of enterprise compliance executives every year. The issues that are emerging in the year ahead ultimately boil down to three core areas: AI legislation, the Corporate Sustainability Reporting Directive (CSRD), and increasing cybersecurity threats.
AI legislation: As AI becomes more sophisticated, governments around the world are introducing new regulations to ensure that AI is used responsibly and ethically. An example is the EU’s AI Act, which impacts any organization that has a presence in the EU. Compliance professionals need to stay up-to-date with these regulations and ensure that their organizations are compliant.
CSRD: This new EU directive will require companies to report on their sustainability performance. This will be a major change for many companies, and compliance professionals will need to develop new processes and procedures to ensure that their organizations are compliant.
Increasing cybersecurity threats: Cybersecurity is a growing concern for businesses of all sizes. As cyberattacks become more sophisticated, compliance professionals need to ensure that their organizations have strong cybersecurity measures in place.
The ultimate message is that you need to be one step ahead of the game. Research for the future. Integrate compliance within organizational growth plans. Identify, monitor, and stress test your policies against emerging compliance risks and requirements.