In the realm of governance, risk management, and compliance (GRC), self-assessments and attestations have long been the conventional methods for gauging adherence to regulations and standards. Whether they take the form of supplier declarations, control self-assessments, conflict of interest disclosures or any of the many other questionnaires organisations circulate, relying solely on these subjective evaluations has inherent shortcomings.
In this article, we hope to shed light on the deficiencies of self-assessments and attestations and make a case for a shift towards data-driven approaches, leveraging continuous monitoring and analytics to provide an objective and independent view of compliance areas.
The Pitfalls of Self-Assessments and Attestations
Subjectivity and Bias:
Self-assessments rely heavily on individuals within an organisation to evaluate their own compliance. This introduces a significant risk of subjectivity and bias, as human judgment can be influenced by personal interests, internal politics, or a desire to present a favourable image. This subjectivity undermines the accuracy and reliability of the assessment. Take the example of asking an employee whether they have read and understood the corporate card policy: very few would answer "No", yet their spend data will often show that the policy was either not read or not understood.
Limited Scope and Depth:
Self-assessments often lack the scope needed to thoroughly evaluate compliance. In many cases, the individuals completing them do not have the expertise or the time to work through complex regulatory requirements, so oversights and gaps in compliance go unnoticed unless the underlying data is examined. Any question asking whether someone is acting within a stated regulation also assumes that the respondent knows what that regulation means.
Point-in-Time Assessments:
Traditional attestations are typically point-in-time assessments, providing a snapshot of compliance at a particular moment. Compliance, however, is a dynamic and ongoing process that requires continuous monitoring to keep pace with changing regulations, business processes, and external factors. The compliance burden on employees, suppliers, and other third parties means that self-assessments cannot realistically be collected much more often than once a year, while the business environment changes daily. Can you afford to find out about a critical area of non-compliance up to 12 months after the fact?
The Case for Data-Driven Approaches
Continuous Monitoring:
A data-driven approach implements continuous monitoring systems that collect and analyse compliance-relevant data in near real time. This allows organisations to move from periodic assessments to an ongoing evaluation of their adherence to regulations, policies and other controls. Deviations are identified promptly, so the business can respond before the issue is exacerbated. For example, continuous monitoring of supplier financial risk means an organisation can react quickly when a supplier starts experiencing financial difficulties or is sanctioned by a regulator, rather than learning of it at the next annual declaration.
Objectivity and Standardisation:
Analytics and automated tools provide an objective, standardised assessment of compliance. A data-driven approach removes much of the human bias associated with self-assessments and offers a more reliable and impartial view of an organisation's adherence to regulations. Take the example of conflict-of-interest disclosures: in our experience, such attestations almost always reveal only the information the discloser wishes you to know about. At the same time, objective data such as public company registers can show that the same employee is also a director of one of your suppliers.
Efficiency and Accuracy:
Data-driven approaches streamline the compliance process by automating data collection and analysis. This improves efficiency and also enhances the accuracy of assessments: with the ability to process large volumes of data quickly, organisations can identify patterns, trends, and anomalies that manual assessments would miss. For example, corporate card spend data can be run against policy rules to detect activity that breaches the guidelines, including transactions that have been split to stay under a per-transaction limit. This reveals the true state of compliance quickly and efficiently, rather than the state the cardholder reports.
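As an added example of the two checks described above (the conflict-of-interest cross-reference and the corporate card policy analysis), the following Python script is not from the original article or any product it describes; it is a self-contained illustration. The policy thresholds, merchant category codes, transactions, employee records, disclosures and company register extract are all constructed data, and the rule names are hypothetical.

```python
"""Added example: data-driven compliance checks over constructed data.

Two checks are shown:
  1. corporate card transactions tested against a spending policy, including
     detection of purchases split into several sub-limit transactions;
  2. conflict-of-interest disclosures cross-referenced against a company
     register extract to find undisclosed directorships at current suppliers.
Nothing here is real organisational data; every value is constructed.
"""
from collections import defaultdict
from datetime import date

# Constructed (hypothetical) card policy.
POLICY = {
    "single_txn_limit": 500.00,                    # max value of one transaction
    "blocked_mcc": {"7995": "gambling", "5813": "bars"},  # merchant categories never allowed
    "daily_merchant_limit": 500.00,                # total per cardholder, merchant and day
}

# Constructed transactions: (cardholder id, date, merchant, MCC, amount).
TRANSACTIONS = [
    ("e101", date(2024, 3, 4), "Office Depot", "5943", 120.00),
    ("e101", date(2024, 3, 4), "Electronics Hub", "5732", 480.00),
    ("e101", date(2024, 3, 4), "Electronics Hub", "5732", 470.00),  # second half of a split purchase
    ("e102", date(2024, 3, 5), "Lucky Casino", "7995", 60.00),       # blocked category
    ("e103", date(2024, 3, 6), "Conference Co", "7399", 1250.00),    # over the single-transaction limit
    ("e104", date(2024, 3, 6), "Train Co", "4112", 89.50),
]


def check_card_policy(transactions, policy=POLICY):
    """Return a list of (cardholder, rule, detail) findings.

    The first two rules are per-transaction. The third aggregates by
    cardholder, merchant and day: several transactions that each stay under
    the single-transaction limit but together exceed the daily merchant limit
    are flagged as a probable split purchase, which no per-transaction check
    and no self-attestation would surface.
    """
    findings = []
    per_merchant_day = defaultdict(list)
    for holder, day, merchant, mcc, amount in transactions:
        if amount > policy["single_txn_limit"]:
            findings.append((holder, "single_txn_limit", f"{merchant} {amount:.2f}"))
        if mcc in policy["blocked_mcc"]:
            category = policy["blocked_mcc"][mcc]
            findings.append((holder, "blocked_mcc", f"{merchant} ({category})"))
        per_merchant_day[(holder, day, merchant)].append(amount)

    for (holder, day, merchant), amounts in per_merchant_day.items():
        total = sum(amounts)
        under_limit = all(a <= policy["single_txn_limit"] for a in amounts)
        if len(amounts) > 1 and under_limit and total > policy["daily_merchant_limit"]:
            detail = f"{merchant} on {day}: {len(amounts)} transactions totalling {total:.2f}"
            findings.append((holder, "split_transaction", detail))
    return findings


# Constructed HR, disclosure, supplier and company register data.
EMPLOYEES = {"e101": "Alice Ng", "e102": "Bob Ray", "e103": "Cara Li", "e104": "Dan Wu"}
DISCLOSURES = {"e101": {"Acme Ltd"}, "e102": set(), "e103": set(), "e104": set()}
SUPPLIERS = {"Acme Ltd", "Electronics Hub Ltd", "Conference Co Ltd"}
REGISTER = [  # (company, director name) as a register extract might provide
    ("Acme Ltd", "Alice Ng"),
    ("Electronics Hub Ltd", "Alice Ng"),
    ("Lucky Casino Ltd", "Bob Ray"),
]


def undisclosed_directorships(employees, disclosures, register, suppliers):
    """Map employee id -> supplier companies they direct but did not disclose.

    Matching is on exact name here for clarity; a production check would key
    on a stronger identifier (date of birth, officer id) because name-only
    joins produce false positives that still need human review.
    """
    directorships = defaultdict(set)
    for company, name in register:
        directorships[name].add(company)

    result = {}
    for emp_id, name in employees.items():
        held_at_suppliers = directorships.get(name, set()) & suppliers
        missing = held_at_suppliers - disclosures.get(emp_id, set())
        if missing:
            result[emp_id] = missing
    return result


if __name__ == "__main__":
    for finding in check_card_policy(TRANSACTIONS):
        print("card policy:", finding)
    for emp, companies in undisclosed_directorships(EMPLOYEES, DISCLOSURES, REGISTER, SUPPLIERS).items():
        print("undisclosed directorship:", emp, sorted(companies))
```

Run against the constructed data, the card check produces three findings (one blocked category, one transaction over the limit, and one split purchase at Electronics Hub that an attestation would never disclose), and the cross-reference flags employee e101, who declared one directorship but not the one at a supplier. The point of the split-purchase rule and the register join is that both facts exist only in the data, not in any questionnaire answer.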
Shifting towards data-driven compliance
While self-assessments and attestations have been the traditional pillars of compliance evaluation, their limitations are increasingly apparent in today's dynamic and complex business environment. A data-driven approach built on continuous monitoring and analytics provides a more objective, efficient, and adaptable means of assessing and maintaining compliance.
This not only mitigates the risks inherent in subjective assessments but also positions organisations to navigate the evolving landscape of governance, risk management, and compliance with confidence. The bottom line is that people will give you opinions; the data will give you facts.