Compliance failures caused by lack of embedded controls into employee processes
Compliance teams that don’t embed their controls into employee processes face a significantly higher rate of compliance failures, according to a survey by Gartner. The survey of 755 employees in April 2021 found these failures linked to unnecessary compliance burdens for employees.
Thirty-two percent of employees surveyed said they couldn’t find relevant information when they missed a compliance obligation. An additional 20% didn’t recognize information was even needed, and 19% simply didn’t remember. The remaining 29% of employees who missed a compliance step said they didn’t understand (16%) or just failed to execute the step (13%).
“Creating rules and obligation for employees without properly integrating them into the processes these employees have to carry out leads to multiple causes of control failure where employees can’t find or comprehend the information they need, or don’t recognize or remember when it is needed,” said Chris Audet, senior director, research in the Gartner Legal & Compliance practice. “Embedding controls led to a 30% drop in the number of employees who report they are highly burdened in this way by compliance obligations.”
“The survey also showed nearly one in five employees missed at least one compliance obligation where guidance was not embedded,” said Audet. “Embedded controls help to reduce the burden employees face in remembering, understanding and executing on compliance obligations and that in turn this leads to reduced risk.”
Compliance teams typically embed controls into processes relating to the most high-risk employee functions, seniority levels and tasks. However, compliance burden is also driving risk in organizations, leading to control failures.
“Compliance burden might be generating risk in the functions, employee levels, and in the tasks compliance has attended to least,” said Audet. “Identifying where compliance burden is highest in an organization will highlight areas that are ripe for embedded controls.”
Designing controls to minimize burden
“Compliance controls that focus solely on addressing risks without considering how employees will interact with them are in fact creating more risk,” said Audet. “More extensive controls create higher burden for employees trying to follow them, significantly increasing the chance of the employees failing to execute the control properly or at all.”
Compliance teams should therefore consider how to minimize the employee burden their controls create, rather than just addressing a set of risks. Using common user experience principles when designing controls will minimize employee burden. Compliance can:
- Help employees remember – Provide controls as close as possible to decision-making points and offer decision-supportive nudges at critical moments for business decisions.
- Help employees understand – Remove unnecessary judgment calls from processes and controls, so it is clear to an employee what their obligations are.
- Help employees execute – Streamline the overall compliance requirements on employees: start with the baseline requirements common to most/all employee groups.
When thinking about where to embed compliance controls for maximum impact, it is useful to understand the areas where compliance is creating the most burden on employees and how embedding controls could reduce that,” said Audet. “A narrow focus on top risks alone could be increasing risk in some cases.”