This guide offers a practical framework for understanding, implementing, and automating compliance tasks in the context of ISO standards and modern management systems. The author, Dr. Helmut Steigele, argues that in a world shaped by unpredictability, increasing regulation, and digital transformation, trust is a key corporate asset, one that must be systematically built and proven. Compliance is presented not merely as rule following but as a method of demonstrating diligence, foresight, and reliability to internal and external stakeholders. ISO standards (e.g., 9001, 27001, 14000, 20000) offer structured ways to systematise this trust via documented management systems.

The book emphasizes that effective management systems are not bureaucratic burdens but tools for structured, adaptive leadership. They support decision-making, align teams, and create transparency, especially when coupled with automation and digital technologies like document management systems, robotic process automation (RPA), and agentic AI. A staged approach is recommended for implementation, starting with understanding purpose and scope, then defining goals, assigning responsibilities, selecting resources, and operationalising processes. Emphasis is placed on involving stakeholders, managing resistance to change, and using behavioural models (like Kübler-Ross, Kotter, and Lewin) to guide successful transformation.

Ultimately, automating GRC (Governance, Risk & Compliance) tasks is not just about reducing manual effort. It is about institutionalising resilience, speeding up the detection of risks, enabling early intervention, and preserving trust capital in volatile, uncertain environments.
Number of pages: 83
Year of publication: 2025
Foreword
Unpredictability versus trust
What "compliance" is and how it works
The value of management systems per se
What are management systems for?
Platzhirsch ISO - What's inside, what's the story?
Myths, legends and illusions
How is a management system structured?
A step-by-step plan for setting up a management system
Stage "Where and why"
Stage "Which destination"
Stage "Who"
Stage "What"
Stage "With what"
Stage "How"
How to avoid frustration
Approaches to avoid rejection phenomena
Emotional Response to Change according to Kübler-Ross
Kurt Lewin Model
The Adaptive Cycle Model
John Philipp Kotter's model of the 8 steps
Agile environment and management systems - is that possible?
What does VUCA mean?
Where does VUCA apply and where does it not?
What kind of thinking is required when designing management systems in an agile environment?
What does this mean for those who want to establish management systems?
Technologies that can help
Undesirable side effects of technologies
What compliance has to do with automation
Automation - what you need to know in compliance
Where artificial intelligence can make compliance work easier
Backsight - Insight and foresight in compliance
How to switch to automation in GRC - an implementation guide
Automation of GRC tasks with the help of the GRC automation blueprint
Summary
Bibliography
Further publications
Blogs - Sites - Contact
About the author
Compliance as a separate corporate function is by no means the part that will elicit the greatest feelings of pleasure from a company manager.
In times when designers, decision-makers and innovators are hoping for more room for manoeuvre, more clout or more efficiency, issues relating to regulations, audits, compliance with due diligence obligations and more are indeed an issue, but only when they can no longer be circumvented or avoided.
On closer inspection, however, even the most hardened company manager will have to recognise one thing.
The purpose of regulations and compliance is to prevent nasty surprises!
Investors, the state (i.e. the taxpayer) and entire economic areas have experienced this many times over the past 20 years.
Whether it was Enron's accounting tricks (which led to what we now call SOX), government aid after the mortgage crisis in the US or after the Covid era (which showed how weak companies' resilience could be), or today's tense situation surrounding the supply of energy, information and operationally important raw materials (keywords: critical infrastructure, sustainability).
As soon as it became painful, both regulators and initiatives driven solely by private interest resorted to regulations designed for exactly these purposes:
Checking compliance with requirements and the associated weak points
Providing proof of compliance based on facts
For one purpose: to ensure trust in the market. Because without trust in the market itself, in the worst-case scenario the market itself will no longer exist.
This becomes painful for company managers when it is said:
In the absence of proof of "X..." certification, we cannot place any further orders with you
In the absence of evidence of due diligence in the annual report "X", we are unable to commit to further financing
Due to the lack of evidence in the due diligence, accounting and sustainability report, we are issuing you with a penalty notice for "x%" of your annual turnover.
While in the last edition of this book I wrote about the customer's love of the familiar and of quality labels in order to make decisions more quickly, the stormy weather conditions mean that the wind is blowing more strongly in the direction of business leaders.
It's still about trust; in the past it resonated in the background. Today it is demanded with vehemence and evidence!
In the previous edition of this book, the focus was on describing how management systems (especially those centred around ISO) work and how they should make life easier for an organisation in the battle to maintain trust capital.
In this new edition, we address these issues, bearing in mind the increasing "compliance requirements" and the creeping shortage of experts in this field:
How compliance itself works
What exemplary role do "management systems" such as those from the ISO world play in this issue?
How can you counter the creeping shortage of specialists in this area in a growing compliance environment to remain capable of acting as a company?
If there is one parameter that applies to today's world characterised as "digital", it is the word "unpredictability".
What has changed? In the age of the internet, the wind began to change. All-encompassing information allowed consumers to inform themselves on a broader basis, without major obstacles. Search aids and search engines helped them to master this flood of information.
The information monopoly of many manufacturers and service providers was thus softened, but not yet broken. There was still one factor that could be counted on:
The customer's desire to save energy when making decisions, the tendency to give the expected, reliable and familiar a chance rather than the unknown new.
With the advent of social media and all the rating, reference and exchange platforms (Trivago and Facebook have led the way), the combination of the familiar reference, which could be found anywhere and at any time in the vastness of the web, gained enormous potential. Unfortunately for the suppliers, they were no longer the only source of information.
Now it was possible to exchange experiences, obtain references and get more independent information, without going through the "manufacturer".
The effect was that consumers were now able to avoid inequalities and information disadvantages when making consumption or investment decisions. The previous targeted influence, indeed, the compulsion to believe because you simply couldn't know, was over. What's more, the customer became a new "power" in the game with manufacturers and service providers.
For suppliers of goods and services, previously stable markets and areas of need have suddenly become an uncontrollable minefield.
But it still didn't get any easier for consumers. A lot of information had a disadvantage. It required evaluation, but it was precisely this and the associated decisions that cost the potential buyer energy.
This means that even in the world of digital storms, there is one constant. Those who manage to build up sufficient continuity and "trust capital" with their consumers in a turbulent environment save those customers "strength" when making decisions. As a result, such providers survive longer and with more sustainable margins than those who will eventually lose the race for survival with constantly changing unique selling propositions.
Nota bene, one detail still applies: in every storm there is an "eye of calm". This is true even in the digital environment.
It therefore depends on how close you are to the end customer as a supplier or service provider, and on which customer or competitive environment you have to think about and live with in your own service provision in order to stay in the game.
The closer you are to the masses of end customers, who are at the same time capricious and fickle when it comes to forming opinions, and the smaller the end customer's involvement in a transaction, the more chaotic it becomes for a provider, ergo the more trust capital to the front and more stability "to the rear" are required.
In addition, as the pace increases, the respective consumers will focus on a clear benefit factor and continuity in delivery performance.
This is because the benefits and the consistency of results increase trust, but also because the flood of information means short decision-making cycles, security and therefore less energy expenditure in decision-making.
The rule for service providers is therefore: the higher the amount involved in a customer's purchase, the more predictability is required, and the longer the phases over which the end customer's "opinion" extends to the end of a supply chain, the more important the trust-building factors of traceability, stability and predictability become.
This is where the need for the visibility of a service recipient's trust capital comes into play again (show me that you know your business).
In short, the more resources and energy a customer invests in a service or product, the more the respective supplier is obliged to "advance" trust capital in the form of evidence.
The easier this "proof" or the "pre-investment" shown is for the respective customer to categorise, or the more trustworthy the source of this proof is, the more likely the desired supplier-customer or service relationship will meet with the goodwill of the decision-makers.
Why: The more qualified and independent the reference statement on a delivery service is, the lower the expected fulfilment risks, dangers and fears of the decision-maker.
"Compliance" basically means nothing more than "adherence to rules". Someone who behaves compliantly therefore adheres to rules: either rules that you have imposed on yourself, or rules that a higher authority or the market has imposed on you.
These rules can often be found in regulations, legal texts, ISO standards, industry standards, but also later in internal policies, mission statements and guidelines.
A brief outline:
Guidelines for the protection of critical infrastructure (NIS 2)
Directives for the protection of the financial sector (DORA)
Guidelines on economic and environmental sustainability (Corporate Sustainability Reporting Directive)
Standards for
In all these examples, compliance with these rules is checked by means of audits based on predefined requirements and test rules.
This is probably how you categorise this topic. It is not without reason that the word audit causes more fear in many people than the appearance of the Holy Inquisition.