
Sustainable Compliance for the Lazy-Layman

by Fools Gold.
A complex set of regulations to keep up with technological advancement proliferates unsustainably.

In this abbreviated case study, I summarise a basic problem in a Small-to-Medium Enterprise (SME) that was at risk of fines and penalties due to regulatory non-compliance. The organisation opted to remain anonymous, so fictitious names are used herein, but they were happy to share their case and learnings for this publication.

The Context: Let's call the organisation Gools Fold Holdings Group, or GFHG. GFHG is an SME operating in the Benelux region. Though an SME, it has a few large German customers. Post-Covid, GFHG was at a pre-business-rescue stage and undergoing "preventative restructuring" under the Dutch WHOA framework. It was also on an aggressive company-wide cost-savings drive, and a new strategy of outsourcing its technology and resourcing needs was implemented. Fearing lay-offs, key staff left the organisation.

The Requirement: GFHG, as a small private business in the European Union (EU), is required to be fully compliant with Dutch law, EU law and its customers' contractual legal requirements. The Corporate Governance and Compliance (CGC) department, as custodian of the compliance process including reporting to the Executive Committee (Exco), had to reduce cost and effort without compromising the required compliance, and lead that implementation.

The Problem: GFHG lacked the legal and IT best-practice expertise needed to stay compliant through the period of change it was implementing, and has since fallen out of compliance with the EU General Data Protection Regulation (GDPR), the EU Corporate Sustainability Reporting Directive (CSRD) and the German Supply Chain Due Diligence Act (LkSG). It now faces potential regulatory fines and contract losses as a result.

The Root-Cause Analysis: The CGC department did not perform the correct checks against the applicable regulatory environment, and the architecture and procurement teams did not vet new software and resourcing.

The CGC department did not have a sustainable compliance process:

A. The department was reduced from six expert staff to one intern administrator.

B. The lone resource could not cope with the rapidly changing compliance requirements.

Additionally, technology and resource onboarding were not checked:

C. Cheaper cloud-based applications stored EU personal data on external (non-EU) clouds.

D. A cheaper Bangladeshi supplier was known for slave-labour practices.

The CGC department's remaining administrator assumed that the existing compliance checks could simply continue running as-is. As time went by, she remained uninformed of the rapidly changing regulatory environment and its serious consequences. When informed that GFHG was non-compliant with many EU laws and misaligned with best-practice frameworks, she lacked the knowledge and capability to keep up with, update, manage and lead the compliance requirements across GFHG. The CGC was under-resourced for the task at hand.

The architect, the last remaining member of the Architecture Review Board (ARB), blamed the CGC for not informing him of the technology governance required by GDPR, and in particular that transferring data to a South African private cloud provider was not permitted without safeguards. He believed that South Africa's Protection of Personal Information Act (POPIA) met the requirements of the Privacy Shield. That belief was questionable: the Privacy Shield covered EU-US transfers only, South Africa has no EU adequacy decision, and the Schrems II judgment that invalidated the EU-US Privacy Shield requires any third-country transfer to be assessed against that country's surveillance laws. Complex cases have been put forward arguing that South African surveillance laws contradict its privacy protections.

The procurement team claimed that it did not need to verify labour practices at foreign third-party suppliers and was unaware of the LkSG. Nobody had told them that Human Rights Impact Assessments (HRIAs) must be completed on third-party suppliers before onboarding, nor that they should consult credible external country-risk assessors.

The Consequences: The existing compliance control framework contained 11 outdated EU legal statements and was a further 108 legal statements short of the regulations enacted since the wider CGC team left. The architecture review and procurement processes had not been updated for current best practice on third-party supplier risk, the ISO 27001 supplier and privacy clauses, or the latest requirements of GDPR, CSRD and the LkSG. The result was the adoption of unverified software and the support of unfair labour practices.

The GFHG WHOA administration team reported that the company faced bankruptcy, given the potential fines from infringement notices received from the data protection authorities of three EU countries and the expected cancellation of large German customer contracts.

The Solution: A compliance framework update-and-check approach was implemented, using the C-xO Lazy-Layman Governance Approach. A legal representative from the legal department was reassigned to the CGC, and the CGC department was given compliance management training on the new approach to governance. The compliance, architecture and procurement processes were updated, and the wider GFHG team was trained on and made aware of the new compliance requirements and the architecture and procurement policy updates. All outdated legal statements were refreshed and the missing new ones added. All best-practice implementation guidelines were captured in a practical project plan that prioritised critical best practices after the mandatory legal statement implementations. We found that the private cloud provider could still meet GDPR requirements, on the strength of additional international certifications, data-centre location assurances and verified customer contractual statements, since the Court of Justice of the European Union (CJEU) had confirmed in Schrems II that the European Commission's standard contractual clauses (SCCs) remain valid, provided the transfer is assessed against the destination country's laws. The outsourced third-party supplier contract was terminated and a new supplier was found that met the new requirements.

The Results: The CGC team was confidently updating and communicating the ongoing compliance requirements to the GFHG internal teams. A survey confirmed that the new compliance, architecture and procurement requirements were well communicated and adopted. As an example, at the time of writing this case study the EU Corporate Sustainability Due Diligence Directive (CSDDD) had been proposed for enactment to the EU Parliament, and GFHG's CGC had already updated its compliance requirements with the expected draft control checks. The compliance framework was judged robust, sustainable and working well. GFHG was able to respond candidly to the regulators and its customers on the errors in its operational environment and the remediations subsequently implemented. That resulted in no fines and stronger customer relations thereafter. The GFHG WHOA team was able to complete a successful business turnaround, as the approach above had minimal implementation cost and the business became profitable again.

This case study demonstrates how the people on the ground sometimes need ladders to get up above the canopy and look out over the trees. Management sometimes needs to understand that operational delivery, when working well, is like a finely tuned engine, fully driven towards leadership's goals, and that leadership's views must in turn be supported by the right business intelligence. If one changes the environment too drastically without the right due diligence, the engine stops working optimally in pursuit of misguided goals.

Chasing goals unchecked leads one astray; sometimes we need to realise that we are off the path and ask for directions to get back on it. Fools Gold.