

The Compliance and Information Technology functions in an organization have more in common than one may think. Both are often misunderstood and under-appreciated. Far from simply setting up printers and resetting passwords, IT serves a vital role in protecting the organization from threats, both internal and external. Cybersecurity has become an executive-level priority as cyber-attacks spread to all sectors. Compliance is often viewed as an automatic “no” - strict rules that hinder business; but a good Compliance department actually facilitates business by protecting the organization and its reputation. Compliance and IT are uniquely suited to supporting each other and collaborating to better protect the organization from the myriad threats that multinational companies face today.
Like any relationship, a great relationship between these two functions starts with respect. Both departments are staffed with technical experts who have degrees, certifications, and experience in their respective fields, and each function should recognize and respect the other’s knowledge. While IT may want to re-examine a proposed technology solution to a compliance issue, it should refrain from challenging the regulatory basis for the issue itself. Don’t Google “OFAC” to argue about denied party screening - just as compliance shouldn’t search for “ERP system” to tell IT what theirs can or can’t do.
In some organizations, IT will designate business liaisons that work closely with specific functions or lines of business. Having an IT liaison for compliance is a best practice that enhances collaboration through the opportunity for one-on-one communication and cross-training. The IT liaison can learn more about compliance and its business requirements, helping to better translate those into technical specifications, while educating the compliance team about IT systems and processes.
Whether or not an IT liaison is available, compliance should make an effort to understand how IT manages work and projects. If the organization uses an agile method, it is important for compliance to review its project requests with an eye toward sprints. If IT is using a scoring method to prioritize, it can be difficult for compliance to put a business value on its projects; in those cases, it may be helpful to look at the way legal requests are scored to determine how to value risk mitigation.
When looking at how to open the lines of communication, consider how each function communicates within itself and with other parts of the organization. If there is a regular intra-department meeting, invite the other department to give a short talk or presentation. A lunch and learn to treat the other department is a great way to start. Compliance may already have recurring calls with the lines of business to provide regulatory updates; extend the invitation to key IT personnel. Regular IT department meetings may yield valuable updates for compliance, such as vendor changes, new software, and new facilities.
Compliance should also be open to alternative technical solutions proposed by IT - if it ultimately meets the goal or resolves the issue, don’t let perfect be the enemy of good. One example of this is the Bill of Lading document generated by ERP systems. It is common for multiple departments to request specific language or data elements be included on the BOL, but there is only so much room on the page. Rather than doubling down on the exact language being on the BOL, consider if the language could be shortened, if a reference to a full policy could be used instead, or if there is another shipping document where the language could be included (the commercial invoice, packing list, etc.).
While IT certainly has greater expertise in technology overall, compliance may have more direct knowledge and experience with technology specific to their field, such as Global Trade Management (GTM) software. Most ERP systems are not designed to handle international trade. Some organizations manage this by creating custom transactions and documents in the standard ERP, some rely on manual processes with spreadsheets, but more and more organizations are turning to GTM solutions. If the organization is considering creating custom code to meet trade compliance requirements, it is worth evaluating GTM options. Compliance likely is more familiar with the current landscape of GTM providers to look at, but it is critical for both IT and Compliance to be involved in the selection process. Compliance will be able to evaluate how well the solution meets their regulatory and process needs, while IT can review how well the solution will interface with existing systems and make a realistic estimate of the time and cost involved in implementation.
In multinational organizations, IT may frequently be asked to provide hardware and software to company locations in other countries. Proactively working with compliance can prevent shipping delays and added costs. Some countries require import permits for certain items; shipping the goods without the required permits often results in seizure and forfeiture of the items. Compliance can review the import and export restrictions in advance to ensure the goods arrive successfully.
Compliance can also help IT with training and cybersecurity. Because training is often required under various regulations, compliance typically has a formal training program with tailored content for the organization. With the rising need for cybersecurity programs and certifications, compliance can assist IT with creating and delivering cybersecurity training; this may even be a compliance requirement as well, if the department handles data privacy, transportation security, or government contracts compliance.
As two critical departments with expert technical knowledge, Compliance and IT provide value to the organization by protecting its assets and reputation while facilitating business. IT can help further the Compliance department’s goals through systems solutions for automation, standardization, and monitoring. Compliance can be a trusted partner to IT by assisting with training, cybersecurity, and inter-company hardware and software shipments. By respecting each other’s expertise and communicating openly and regularly, Compliance and IT can find creative solutions to today’s most pressing business risks.