Compliance teams that don’t embed their controls into employee processes face a significantly higher rate of compliance failures.
The Gartner survey of 755 employees in April 2021 found these failures linked to unnecessary compliance burdens for employees.
Thirty-two per cent of employees surveyed said they couldn’t find relevant information when they missed a compliance obligation. An additional 20% didn’t recognize information was even needed, and 19% simply didn’t remember. The remaining 29% of employees who missed a compliance step said they didn’t understand (16%) or just failed to execute the step (13%).
“Creating rules and obligation for employees without properly integrating them into the processes these employees have to carry out leads to multiple causes of control failure where employees can’t find or comprehend the information they need or don’t recognize or remember when it is needed,” said Chris Audet, senior director, research in the Gartner Legal & Compliance practice.
He suggested that embedding controls led to a 30% drop in the number of employees who report they are highly burdened in this way by compliance obligations.
According to Audet, the survey also showed nearly one in five employees missed at least one compliance obligation where guidance was not embedded.
“Embedded controls help to reduce the burden employees face in remembering, understanding and executing on compliance obligations and that in turn, this leads to reduced risk,” he continued.
Compliance teams typically embed controls into processes relating to the most high-risk employee functions, seniority levels and tasks. However, compliance burden is also driving risk in organizations, leading to control failures.
Audet opined that compliance burden might be generating risk in the functions, employee levels, and in the tasks compliance has attended to least.
“Identifying where compliance burden is highest in an organization will highlight areas that are ripe for embedded controls,” said Audet.
To help compliance leaders with this, Gartner has detailed the top five compliance-burdened functions, roles and tasks from this survey (see Figure 1).
Figure 1. Most compliance-burdened functions, seniority levels and tasks
Designing controls to minimize the burden
“Compliance controls that focus solely on addressing risks without considering how employees will interact with them are in fact creating more risk,” said Audet. “More extensive controls create a higher burden for employees trying to follow them, significantly increasing the chance of the employees failing to execute the control properly or at all.”
Compliance teams should therefore consider how to minimize the employee burden their controls create, rather than just addressing a set of risks. Using common user experience principles when designing controls will minimize employee burden. Compliance can:
Help employees remember
Provide controls as close as possible to decision-making points and offer decision-supportive nudges at critical moments for business decisions.
Help employees understand
Remove unnecessary judgment calls from processes and controls, so it is clear to an employee what their obligations are.
Help employees execute
Streamline the overall compliance requirements on employees: start with the baseline requirements common to most/all employee groups.
When thinking about where to embed compliance controls for maximum impact, it is useful to understand the areas where compliance is creating the most burden on employees and how embedding controls could reduce that,” said Audet. “A narrow focus on top risks alone could be increasing risk in some cases.”