Compliance is an area of high priority for any business. As the landscape changes over time, leaders must do all in their power to keep their firm up-to-date with the newest requirements, but many companies struggle to stay in line with new requirements.
Amid staff shortages and diminishing budgets, firms in the UK are deprioritizing compliance. Among those surveyed by research firm Vanta, 44% indicated their firm has dropped focus on compliance due to stretched schedules. The same report found UK businesses spend around nine weeks keeping up with security compliance per year. These factors sit alongside some organizations reducing their IT spending.
None of these issues are going away. Compliance needs will continue to push up against budget constraints, and workloads will continue to be challenging. If business leaders are to keep up with the compliance landscape in 2024, they can’t bury their heads in the sand.
Charting the compliance landscape
It is important to accept that the compliance landscape is changing all the time – this is just a fact of business life. Without that acceptance, ensuring compliance can feel more like a challenge than something a business simply must do, just like having adequate accounting systems and HR management in place. It is part of the business infrastructure, in other words.
And there is plenty of help out there for businesses. For example, consider data protection. In the UK, the Information Commissioner’s Office (ICO) publishes a series of data protection self-assessment checklists for smaller organizations, as well as lots of general information and support.
The Data Protection and Digital Information Bill (DPDI), may provide considerable easing of compliance requirements when it becomes law. It is intended to reduce overall workload and make compliance easier and less costly, which could benefit small and medium-sized businesses (SMBs) especially. Despite this, experts have also warned the DPDI could end up putting extra strain on SMBs as the abandonment of a standardized approach forces firms to figure out their obligations on their own.
It is also important not just to rely on outside information. Proactivity is key within any organization, so leaders must weigh environmental, social, and governance (ESG) regulations against their business aims. “New laws and legislation around the world will require organizations to delve much deeper into their business relationships than ever before, building a more comprehensive view of their counterparties such as ultimate beneficial ownership and end-to-end supply networks,” says Laetitia Hoffmann, global head of due diligence, Dow Jones Risk & Compliance.
"To stay one step ahead, organizations must proactively screen and monitor their suppliers against ESG concerns including modern slavery, forced labor, and adverse environmental issues,” she continues.
The effects of AI and compliance
in compliance. Hoffmann tells ITPro business leaders must examine processes and use automation where possible. AI is just one of a number of tools that can be deployed in this context, alongside machine learning (ML) and robotic process automation (RPA), but has garnered intense interest for its high business potential.
Keith Berry, general manager, KYC Solutions at Moody’s Analytics tells ITPro that there is a sizeable appetite for AI across sectors.
“Looking at the current state of play for the role of AI in compliance, a recent Moody’s study found that the banking and fintech sectors are leading the charge. In these sectors, 40 percent and 36 percent, respectively, are using or actively trailing the use of AI in risk and compliance solutions.
“In 2024, we’re likely to see the significant influence of AI in compliance in these sectors ahead of others, including insurance and asset and wealth management.”
Learn about the seven steps financial institutions need to follow to prepare for DORA
In terms of general application, Hoffmann emphasizes AI's powerful ability to assist researchers.
“AI can help compliance teams go beyond simple name matching to more in-depth research which incorporates valuable context into the decision-making process.”
Indeed, the potential for AI to reduce some of the time and cost burden of compliance is wide-ranging. In a Thompson Reuters blog, Todd Ehret, senior regulatory intelligence expert, says its remit extends into horizon scanning, policy management, and third-party risk management, to name but a few.
Of course, AI also brings its own requirements when it comes to compliance. Experts at Gartner have urged CISOs to adopt new risk management for AI by 2026 to stay abreast of compliance and legal requirements. This will mean looping in cyber security teams as AI cyber security becomes more commonplace, as well as data science, analytics, and legal teams amidst an increasingly nightmarish AI legal landscape.
The right chart for successful navigation
To stay on top of compliance, leaders needs proper oversight of their compliance needs today, alongside expert insight into what's coming down the road. Dr Ilia Kolochenko, chief architect at ImmuniWeb and Adjunct professor of cyber security and Cyber Law at Capital Technology University tells ITPro that the C-suite and legal teams would do well to collaborate more on compliance if they are to keep ahead of changing requirements.
“IT leaders should establish a closer cooperation with internal lawyers or external law firms in charge of cyber security and IT compliance questions” He argues that the distance between corporate IT and legal teams is often too wide, and the gap negatively affects the ability to implement a “comprehensive compliance program and efficient cyber security resilience strategy”.
For smaller and mid-sized businesses that lack dedicated legal teams, the option of having good relations with external legal experts may well appeal. But the compliance work still needs to be done. Hoffman warns those who want to make use of AI or decision automation at a leadership level to keep compliance front-of-mind: “IT leaders seeking to leverage AI for risk management and decision-making must prioritize compliance-ready models that are accurate, explainable, and fully auditable.” In other words, in compliance as elsewhere, AI is only as good as the quality of the data it is asked to work with. Data maturity will continue to be a core issue when it comes to enterprise AI.
How leaders can look after information security professionals
The other key factor is going right back to the basics of understanding the consequences of restricting budget and staffing for compliance teams and/or outsourced services. Senior leaders will need to examine their approach to the risks involved, balance these against the full range of other business risks, and make a judgment accordingly.
