A Lack of Compliance Evidence Means it Didn’t Really Happen


Risk management is a continuous process rather than a linear one.  A pragmatic Know Your Obligations (KYO) strategy starts with building an ongoing monitoring approach by deconstructing regulatory obligations and then measuring the performance of related procedures and controls to assure compliance. The final step is to evidence that compliance.

This is a critical part of the process because, as far regulators are concerned, without that supporting documentation, it’s like it didn’t happen.

Welcome to the third part of our discussion around a three-step standard to risk profiling for regulatory compliance. In the first two blogs we have talked about building a unified monitoring strategy and then we talked about bringing clarity to how we are performing against what matters. The third  step is to be able to provide the documentation of that compliance that regulators and auditors.

Regulatory-Change-Management-BlogThe constant themes of the three-step standard Know Your Risk approach are simplification and clarity. We know which regulatory obligations are of most importance to the organization, we know how to track the effectiveness and reliability of policies and procedures that are mapped against them, and we must be clear in how we are able to evidence that oversight.

The current regulatory landscape means CCOs are under increasing scrutiny from regulators and internal and external stakeholders. Without the right processes in place, this pressure can turn assuring compliance into a costly and difficult endeavour. However, by focusing on the tenets of simplicity and clarity you are already ahead of the game.

The three-step approach enables firms to better understand the relationship between the first line of risk management activities of the business and the second line oversight and monitoring of compliance. This approach ensures that compliance oversight is fit for purpose while minimising the risk of regulatory censure.

Watch the webinar Beyond Wishful Thinking: How to Create a Thriving Culture of Compliance for insight on how culture impacts compliance at every level of the organization.

If we take the stance that evidence is everything in compliance then, again, we must simplify by identifying what proof points are of most importance to the organization. Too often, keeping track of compliance data has been secondary to other parts of the compliance process. And technology is your best friend when it comes to making this happen – with clarity from deconstructing our obligations and knowing how we are performing against what matters most, it becomes easier to provide proof of compliance.

We operate in a fast-paced global environment where rapidly developing regulatory expectations go hand in hand with evolving risks within an organization. Leveraging technology is one of the best ways to minimize risk what will always be a highly complex world of compliance.


Even with a comprehensive approach, there will always be unknowns, so ongoing monitoring and reporting on risk is critical. And when compliance gaps are uncovered, if you are able to evidence that you have self-identified those issues and, just as importantly, have put in place programmes to resolve them, you will be in a much better place with regulators and auditors.

Firms need to develop a monitoring and reporting strategy that ensures effective communication of risk and compliance obligations across the organization at all times. In essence, you need to have the proper forums for escalation and be able to action suitable risk responses.

A simplified approach to your KYR strategy also means you have defined the taxonomy of your data structures across the assurance functions. And you must have a clear view of what each area identifies as high risk, medium risk or low risk. In addition to determining those risk levels, you must also be aware of increasing risk as well as being able to identify when risks have been mitigated and are dissipating.

Use data to respond to risk

You’ll also be able to quickly determine what the agreed strategy is to respond to each risk. There are four ways of responding - avoid, transfer, mitigate and accept.

  • Avoidance means you eliminate the cause of the threat altogether.
  • Transfer means that you transfer responsibility of the risk to a third party such as an agency.
  • Mitigation involves taking instant steps to reduce the impact of the threat.
  • Acceptance means that you allow for the potential consequences of the risk.

This gives you the ability at Board and Operating Committees to determine whether that strategy is still the right one.

KYR-3-Step-Data-BlogBy having your evidence in both periodic and real-time dashboards you will have the answers in hand to reporting questions around key risks and high risk business areas. Technology will also enable you to immediately drill down on why something is a red flag, with the data lineage to understand what has happened without having to wait until someone has the time for manual research. Technology enables compliance programs to be on top of both industry and regulatory changes and produce succinct and timely reports.

Having technology underpin the recordkeeping part of the compliance function means data is easily available on a regular basis to ensure everything is being monitored correctly and the data points you are expecting to have are all in place, making it easier to identify data gaps or errors as early as possible.

The 3-stage process we’ve talked about in this blog series will deliver a powerful standardised oversight process run by the business 1st line to ensure the obligations of the business are met and that senior executives can attest to that in an effective and efficient manner.

By adopting this three-step approach and creating the right processes supported by the right compliance technology, CCO's won’t have to waste time hunting and gathering for information and can pivot to doing the high-level advisory work that adds real value to their firm while developing that all-important clear and holistic view of compliance risk.

One last takeaway from this blog just in case it hasn’t been said enough: evidence, evidence, evidence.

Read the other posts in our blog series on the three-step approach to managing compliance risk:

Learn more about how KYO's modular solution helps firms understand regulatory obligations, measure performance of compliance indicators and controls and provide evidence of regulatory compliance:

Ready to learn more about how MCO offers firms comprehensive regulatory governance and oversight of compliance obligations? Let’s schedule a conversation.