Compliance teams that don’t embed their controls into employee processes face a significantly higher rate of compliance failures, according to a survey by Gartner, Inc. The survey of 755 employees in April 2021 found these failures linked to unnecessary compliance burdens for employees.

32 percent of employees surveyed said they couldn’t find relevant information when they missed a compliance obligation. An additional 20 percent didn’t recognize information was even needed, and 19 percent simply didn’t remember. The remaining 29 percent of employees who missed a compliance step said they didn’t understand (16 percent) or just failed to execute the step (13 percent).

“Creating rules and obligations for employees without properly integrating them into the processes these employees have to carry out leads to multiple causes of control failure where employees can’t find or comprehend the information they need, or don’t recognize or remember when it is needed,” said Chris Audet, senior director, research in the Gartner Legal & Compliance practice. “Embedding controls led to a 30 percent drop in the number of employees who report they are highly burdened in this way by compliance obligations.”

“The survey also showed nearly one in five employees missed at least one compliance obligation where guidance was not embedded,” said Audet. “Embedded controls help to reduce the burden employees face in remembering, understanding and executing on compliance obligations, and this in turn leads to reduced risk.”

Compliance teams typically embed controls into processes relating to the most high-risk employee functions, seniority levels and tasks. However, compliance burden is also driving risk in organizations, leading to control failures.

“Compliance burden might be generating risk in the functions, employee levels, and in the tasks compliance has attended to least,” said Audet. “Identifying where compliance burden is highest in an organization will highlight areas that are ripe for embedded controls.”

Designing controls to minimize burden

“Compliance controls that focus solely on addressing risks without considering how employees will interact with them are in fact creating more risk,” said Audet. “More extensive controls create higher burden for employees trying to follow them, significantly increasing the chance of the employees failing to execute the control properly or at all.”

Compliance teams should therefore consider how to minimize the employee burden their controls create, rather than just addressing a set of risks. Using common user experience principles when designing controls will minimize employee burden. Compliance can:

  • Help employees remember: provide controls as close as possible to decision-making points and offer decision-supportive nudges at critical moments for business decisions.
  • Help employees understand: remove unnecessary judgment calls from processes and controls, so it is clear to an employee what their obligations are.
  • Help employees execute: streamline the overall compliance requirements on employees - start with the baseline requirements common to most/all employee groups.

“When thinking about where to embed compliance controls for maximum impact, it is useful to understand the areas where compliance is creating the most burden on employees and how embedding controls could reduce that,” said Audet. “A narrow focus on top risks alone could be increasing risk in some cases.”

Gartner clients can learn more in: ‘Under Control: Redesigning Compliance Risk Controls for a Changed Environment’.
