Compliance knows the score
Talking recently with other old skool compliance types, we realised something we miss.
Back in the day, before GRC systems and lines of defence, any good compliance person was expected to know – really know – how the business operations worked. Not just from a process map, but from experience of what happens on the ground IRL. What the team do when time is scarce and pressure is high, how systems perform under stress, where the soft spots and weak links are.
Not infrequently, the compliance person knew better than almost anyone else about those things end to end.
That knowledge was hard won, through constant connection and conversation with operations personnel, driven by a relentless curiosity for how things work. It gave the compliance person the authority to say to management ‘we have a problem that needs your attention’.
Today … well, compliance sometimes feels less like real work that’s done with operations than something that’s performed ritually over operations. A repeated series of system-recorded steps, orchestrated by email, to demonstrate that ‘compliance’ is happening.
This is not to dis important developments in technology that help organisations keep up with the rules and track compliance management. But the management part of compliance doesn’t happen in a sterile environment. The compliance person needs to get into the engine room and check the rivets as well as the gauges. Frameworks and GRC systems can formalise and enable but never replace the collaborative work of compliance, done on the floor alongside the operations personnel.