
Compliance stakeholders and how to work with them

Stakeholders' involvement can strengthen an organization's compliance program. Learn best practices for engaging key stakeholders in compliance initiatives.

Today's organizations face many challenges, and among the most difficult is demonstrating compliance with various rules, regulations, standards and legislation.

An essential part of that ongoing effort is to identify and collaborate with entities that are keenly aware of and concerned with compliance: the company's stakeholders. These are the individuals and organizations that have an interest in the company and its success.

Here's how to identify these key players, understand their role in the organization and successfully interact with them.

Who are compliance stakeholders?

An organization's focus on compliance will vary depending on its industry. For example, in the U.S., healthcare organizations should comply with HIPAA legislation, especially the Security Rule that protects patient data. Financial institutions might need to be compliant with the Sarbanes-Oxley Act and Securities and Exchange Commission rules.

Individuals at high levels in an organization are considered stakeholders, as are external entities that might have invested in or helped establish the company. While a company might have multiple stakeholders, ranging from employees to major corporations, compliance stakeholders are those that have some type of investment in the company's ability to demonstrate compliance with key rules and regulations. For example, a major investor would want the organization to achieve its financial goals and satisfy its KPIs; otherwise, the investor might decide to withdraw its investments.

External stakeholders

External stakeholders are individuals and organizations that operate outside of a company, but possess a specific interest in the business. Companies might work with the following different types of external compliance stakeholders:

  • Customers and clients. They are often the foundation of the company's ongoing success, and their voices are important to company leadership. Long-term clients are more likely to be aware of and concerned about compliance with specific standards and regulations. Their satisfaction and trust depend on the organization's compliance with relevant regulations and standards.
  • Regulators. The entities that develop the rules, regulations, legislation, statutes and other guidance should be well known to company leadership, as compliance with specific rules might be essential for the organization to remain operational. Failure to comply with regulations, such as the EU's GDPR, can result in severe financial penalties.
  • Government agencies. Various government agencies develop and administer rules and regulations that affect companies. They typically issue documents sharing how an organization can be compliant with regulations. Organizations that must comply with such regulations are responsible for acquiring that information and following the guidance carefully.
  • Investors. These individuals and companies form the financial foundation for many organizations, so their views on all business issues are essential. Compliance is often one of their most important concerns, as lack of compliance in critical areas can potentially affect the company and its continued viability. A company's adherence to compliance regulations, or lack thereof, significantly affects investor confidence in the organization's stability and success.
  • Suppliers. Compliance can be a two-way street when it comes to suppliers. External suppliers want to make sure their partners are performing to their highest levels. Evidence of compliance sends a positive message to those suppliers. Likewise, a company wants to make sure that its suppliers are also performing to high quality standards. Demonstrating a commitment to compliance can help a company's supply chain as well as its relationship with suppliers. For example, compliance with established regulations makes it more likely that products and services will meet certain quality benchmarks. This consistency builds trust among supply chain partners and reduces the risk of defects and returns.
  • Community members. Residents and organizations within a company's geographic service area can be positively affected by the company's commitment to compliance. For example, community members that know an organization is compliant with ISO 14001 requirements will feel more confident that the company will not do anything to harm the environment.
  • The media. Virtually any organization is open to media scrutiny, regardless of type or size. For example, media knowledge of a company's commitment, or lack thereof, to specific environmental regulations might affect potential media coverage.

Internal stakeholders

Internal stakeholders typically include all employees and shareholders, plus senior management and the board of directors. Companies might work with the following internal compliance stakeholders:

  • Employees. Establishing a culture of compliance requires employee buy-in at all levels. Their actions and understanding of compliance procedures are crucial for success. Periodic communications with employees and shareholders are important for making sure that all will support the company's efforts to comply with standards and regulations.
  • Management and executives. Senior leadership sets the tone at the top and is responsible for driving compliance efforts. The responsibilities of these types of stakeholders might include funding for compliance programs to work toward ISO 9001 compliance, setting up departments focused on compliance and showing support at events about compliance.
  • Board of directors. Working in partnership with senior management, board members provide oversight and direction to an organization's compliance efforts and ensure accountability for all employees who are responsible for performing compliance activities.
  • Internal compliance team. Senior management might launch an official company office that directs all compliance efforts, including hiring a compliance officer. The activities that the team might undertake include identifying relevant rules and regulations, determining what the organization needs for compliance, establishing programs and activities to help employees be compliant, and producing reports and other content that illustrate the company's compliance.
  • Internal audit team. Whether an internal audit department is in place or the company employs an external audit firm, an audit team gathers evidence of the organization's compliance activities, interviews employees about their compliance activities and produces audit reports that describe ways in which the company is compliant while identifying any areas for improvement. Internal audit teams might work closely with the internal compliance team during such activities.

9 best practices for working with compliance stakeholders

Companies should find ways to effectively engage with key compliance stakeholders. To maximize collaboration, compliance leaders should consider following these tips for working with both internal and external compliance stakeholders:

1. Identify stakeholders

Company leaders must first determine the compliance stakeholders. For example, a compliance officer is a compliance stakeholder.

Senior management, business unit leadership, board members, employees and suppliers can help identify these stakeholders. Even a brainstorming session about who the stakeholders are can serve as a starting point. Leaders must not only find out who the stakeholders are but also confirm their availability and willingness to support compliance efforts.

2. Identify compliance requirements

The company's compliance officer is responsible for identifying areas where the company might be at risk of being noncompliant. To augment their research, officers might learn about rules, legislation and other compliance requirements from internal and external stakeholders.

Internal departments that are directly involved with business operations are most likely to know which standards and regulations are essential for compliance, and external stakeholders can provide additional insights and feedback. Compliance officers who stay attuned to these stakeholder insights help keep compliance measures relevant and effective as regulations and market conditions evolve.

3. Establish a stakeholder compliance program

Organizations should establish a formal program for engaging compliance stakeholders. These engagement activities can include scheduling interviews with key stakeholders, gathering stakeholder insights, recording and analyzing them, and then communicating the results to senior leadership. Establishing policies and procedures for engaging stakeholders in compliance issues, such as how to address instances of noncompliance, can also be useful.

4. Establish training programs

Every employee must understand relevant standards and regulations. A training program can help employees understand regulatory compliance issues and changes, ethical standards, and compliance expectations. Organizations can carry out this training through workshops and e-learning.

5. Connect KPIs to compliance efforts

Companies can link KPIs to relevant standards, regulations and other key rules. Linking KPIs to compliance can illuminate how well employees are following regulations and the effectiveness of the company's compliance program.

For example, leaders might establish a KPI for training completion rates, which measures the percentage of employees who complete required compliance training within a specified time frame. Key internal stakeholders can likely bring their knowledge to help with connecting KPIs to compliance efforts.

6. Use technology automation

Many software products that address compliance issues are available. For example, compliance automation software can help with adhering to regulatory updates and reduce errors in compliance reporting. These tools might use AI and other technology to identify relevant standards and regulations, establish compliance goals, and detect anomalies.

7. Perform audits and risk assessments

Internal and external risks, threats and vulnerabilities can affect a company's ability to comply with standards and regulations. For example, an internal compliance risk might be healthcare workers mishandling sensitive patient information and potentially violating HIPAA. Organizations must conduct regular compliance audits to determine their level of compliance and identify potential areas for improvement.

Moreover, compliance leaders must make sure that stakeholders recognize the potential risks of noncompliance. Stakeholders can help identify potential risks, such as corrupt practices, privacy breaches and environmental concerns, using a risk assessment matrix tailored to the company's needs. Asking stakeholders about their views on compliance risks can also be enlightening.

8. Report on compliance

Communication is key regardless of whether stakeholders are internal or external. In addition to awareness and training, periodic briefings with senior management and board members on compliance issues are essential. Similar briefings might be desirable for key external stakeholders, such as investors and regulatory agencies.

9. Establish a culture of compliance

Stakeholder engagement activities can be part of a larger corporate initiative that starts at the top and involves all employees. Compliance can become a key part of how the company operates, just as an emphasis on producing high-quality work can influence company operations. A culture of compliance can help make sure that company operations meet stakeholder expectations.

Why compliance is important to stakeholders

Stakeholders should be able to trust that an organization is carrying out compliance efforts to the best of its ability. Through compliance, organizations should be able to demonstrate the following to internal and external stakeholders:

  • The company is running effectively and following established best practices, standards and regulations.
  • The organization is improving and refining operations such as employee performance, operational performance, and a culture of commitment and motivation.
  • The company constantly strives to improve overall performance, boost shareholder value, manage risks effectively and expand market opportunities.
  • The organization seeks to consistently prove to its customers and stakeholders that it can be trusted to deliver on commitments.
  • The company continually builds strong relationships with customers, suppliers and others.
  • The organization strives to reduce the chances of receiving internal and external auditor reports from key customers, suppliers and other stakeholders.
  • The company is competently performing its activities and satisfying requirements from major customers, regulators, auditors and others.

Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.
