Questions to ask about GRC – #10: Compliance

10. Does compliance ‘chase the bus’, or is it part of strategy-setting and initiative decisions?

In many organizations, managing compliance is an afterthought. The decision is made to expand into a new country, deliver a new product or service, without serious consideration of the potential implications of ensuring the organization is at all times compliant with applicable laws and regulations. Compliance personnel may, at best, be informed of the decision so they can initiate efforts to ensure compliance. At worst, they find out late and have to “chase the bus” to try and catch up and get on board.

Ideally, compliance requirements, risks, and related costs and opportunities are considered when strategies are established and related projects and initiatives planned and executed.

This questions should be considered in conjunction with #4, which talks to the potential fragmentation of compliance – which can lead to duplication of effort as well as gaps in coverage.