Deploying Komrisk – learnings and mitigations
Being and staying compliant is a constant challenge which corporates face across the world. Today, with the arrival of legaltech and a market mushrooming with vendors, providing anything from simple checklists to AI powered software solutions and everything in between, more and more options are being made available for corporates to achieve their compliance goals.
Today, most software driven compliance systems (regardless the seller) are set-up and deployed in a similar manner. We have thus learnt the hard way, that committing to procure a compliance management system and running the complex rigmarole of selecting and shortlisting a vendor is perhaps the simpler part of the process. Effectively deploying is the longer end of the stick. Using Komrisk (our proprietary compliance management solution) as the benchmark, in this post we want to walk you through the broad steps involved in deploying, highlight some of the commonly encountered challenges, and suggest ways to ease the process and overcome the challenges.
The 6 steps to Komrisk deployment
- Regulatory assessment of target entities through customized questionnaire.
- Identify the applicable laws for each of the operating units/locations of the target entities.
- Creation of cross-functional, multi modular compliance checklist which lists actionables for specified departments of the target entity.
- Online work space creation.
- Allocating tasks to designated users and publishing compliance checklist.
- User training and Go-live.
The above may appear to be 6 simple steps but having deployed Komrisk at over 80 corporations from all sectors and in all sizes and shapes, we have come to learn, it is a very crucial and precise setup where even the smallest degree of error can end up jeopardizing the entire project. As intense as it might be, every deployment always brings to the table several legal nuances and industry specific requirements and the specific challenges compliance professionals face in their quest to be compliant.
Perhaps the most crucial step for any deployment as well as the most time consuming one. The target entity is required to answer a distinct preliminary questionnaire for every entity and operating unit. Questions focus on every aspect of the business and can range from gender ratio of employees to manner of disposal of waste at premises to storage of batteries or petroleum products.
The common challenge faced here is the lack of a knowledgeable, single-point clarification.
Appointing a single point of contact/team, who is/are aware of the organizational, structure, personnel and operations so that they can reach out to the relevant internal stakeholders for accurate, updated and comprehensive information. This SPOC should be responsible for information dissemination at the beginning and collation towards the end. This SPOC can also carry out a preliminary validation of the responses to ensure accuracy and completeness.
Identification and creation of role-based users
After the analysis of the responses to the preliminary questionnaire, the list of applicable laws is determined. From that a checklist of compliance tasks is prepared and validated with target entity. Thereafter, the relevant compliances are published in the work space and mapped to the respective users.
The common challenge faced here is identifying the compliance owners and defining the hierarchy. We’ve noticed on several occasions that a payroll-related compliance involved personnel from HR and Accounts department but was not documented as part of a process and hence led to incomplete mapping in the solution.
During the procurement or immediately after it, the target entity should start identifying the stakeholders, performers and compliance owners at their end. The senior management should drive this process to ensure it is carried out quickly and accurately.
Incorrect Allocation of Compliance Tasks Internally
Determining compliance owners, reviewers and escalation points is a crucial step in any deployment. Other important aspects, are alert trigger dates, reminder frequencies target entities should ensure that task allocation and mapping is done by people who have (a) the knowledge and (b) the authority to determine such allocation.
The common challenge faced here is incorrect mapping of compliance tasks which leads to panic, unnecessary escalations and aversion to using the solution.
- Involving senior management for determining allocation
- Proper communication and intimation to all concerned and identified personnel
- User trainings and refresher trainings
- Dedicated project / relationship manager
Allocating all applicable compliance in “one-go” at the time of deployment
Compliance checklists are long, repetitive and confusing when viewed in isolation. In their haste to reach “100% compliant” status, corporates often tend to allocate and map the entire checklist from the beginning. This leads to (i) incorrect allocations, (ii) overwhelming the compliance owners with volume of tasks, reminders and reporting requirements, (iii) incorrect adoption within the organisation, (iv) decrease in morale and increase in apathy, (v) incorrect data in reports.
- Phase wise deployment: for example (i) initially allot only 1-2 particular modules; (ii) allotting only critical compliances, (ii) only allocate compliances relating to licenses/ permissions for operations, key filings, statutory payments etc. (iii) only allocate those compliances which the stakeholders are familiar with as on date and are already complying with.
- Communication: Change management instructions should be made clear and should come from the top.
- Task owner buy-in or intimation: Make sure the owners are aware of the expectations from them and are sensitised in doing it.
- Incentives: Compliance needs to be made a part of the task owners key goals linked to increments, promotions and bonuses etc.
Users push back in completing the tasks
The transition from a manual compliance checklist to a cloud-based software can be unnerving, especially when occurring rapidly. Also, the data-backed reports and increase in accountability may lead to resistance in adoption.
Sensitivity trainings, cultural and goal-setting instructions from the top usually goes a long way in addressing this issue. As long as users have their expectations laid out properly and are guided through the transition, attitudes can improve leading to appropriate adoption. The compliance team must understand that the portal has been introduced to enhance their productivity and reduce their burden of having to track and monitor multiple sources of regulatory information. Such is the advantage that a compliance management tool like Komrisk can add to an organisation.
These are some of the top and most commonly recurring issues faced in a typical deployment. There are several more that crop up from case-to-case and as long as both parties are committed to the success of the program, these are always overcome.
To sum up, active participation by the decision makers and designated SPOCs definitely make it more convenient for both – the users as well as Lexplosion – to effectively implement the compliance management solution. For every successful compliance program, it a is win-win situation for a corporate and Lexplosion alike.
- Kanishka Bose (Manager – Legal)
All material included in this blog is for informational purposes only and does not purport to be or constitute legal or other advice. The Blog should not be used as a substitute for specific legal advice. Professional legal advice should be obtained before taking or refraining from an action as a result of the contents of this blog. We exclude any liability (including without limitation that for negligence or for any damages of any kind) for the content of this blog. The views and opinions expressed in this blog are those of the author/(s) alone and do not necessarily reflect the official position of Lexplosion. We make no representations, warranties or undertakings about any of the information, content or materials provided in this blog (including, without limitation, any as to quality, accuracy, completeness or reliability). All the contents of this blog, including the design, text, graphics, their selection and arrangement, are Copyright 2018, Lexplosion Solutions Private Limited or its licensors.
ALL RIGHTS RESERVED, and all moral rights are asserted and reserved.