Compliance-as-a-service: A new concept transforming the compliance function

With increased regulatory complexity, traditional approaches to compliance are no longer future-proof. The role of the compliance function is expanding, moving from reactive to strategic. One of the concepts that is transforming the role of compliance within businesses is compliance-as-a-service. Here, we learn what it is, who it is for and how it works.

Author: Hernan Huwyler, governance, risk and compliance specialist for multinational companies.

Compliance-as-a-service (CaaS) is a new concept that transforms the compliance function from a cost center into a profit center. This is achieved by selling compliance services to clients. This approach broadens the traditional scope of ethics and compliance programs to attract customers and secure service proposals by offering a range of independent compliance services. Through this approach, the compliance officer’s primary objective is no longer to avoid losses due to fraud, fines and other disputes, but rather to reinforce sales efforts that are now vital to businesses during the pandemic.

Clients that are highly regulated and have very high quality standards are generally receptive to CaaS proposals. These sectors can outsource compliance tasks and transfer them to their value chain. They do this by paying a premium on the price of their current contracts or by contracting a new independent service. Depending on the strength of the compliance program and its resources, evaluating a CaaS initiative can improve the board’s vision for the compliance officer’s role. It’s also important to evaluate which compliance activities could already be included in ongoing services currently being deployed to allow for independent review.

Another important aspect of selling independent compliance services to clients is that the provider must assume responsibility for the operations it takes on. Before going through with the sale, the compliance function must have well-established controls, and the insurance coverage must be evaluated. Every sale requires a risk assessment to gauge profitability and client expectations.

The following are examples of CaaS initiatives that leading organizations have launched:

  • Quality testing for products and services handed over to clients (e.g. quality assurance certificates and laboratory tests on consumables).
  • Outsourcing of control assurance tasks typically carried out by the client’s internal audit department, demonstrated by certificates and supplier compliance dashboards.
  • Advisory services on sector-specific compliance and training issues, especially when large organizations extend their functions to small clients.
  • Auditing of compliance with environmental and occupational safety standards for entire projects.
  • Developing plans and action protocols in response to coronavirus, for example by offering facility management.
  • Quarterly due diligence audits carried out by the provider instead of the client.
  • Access to compliance applications developed for clients.
  • Monitoring, registration and digitalization of documentation for clients.
  • Encryption solutions for data flows.

How does a compliance-as-a-service proposal work?

A CaaS initiative begins by identifying strategic customers that have the ability to pay a premium on their contracts for these services. The compliance officer must understand these clients’ compliance requirements, risks and expectations to assess whether they can perform these activities internally or whether they require CaaS initiatives. Next, the compliance officer offers a list of services along with success stories, growth metrics and already developed policies to give credibility to their pitch. This proposal aims to boost efficiency and achieve economies of scale and standardization by complying with a larger volume of transactions.

With the proposal now developed, the compliance officer gives the customer concrete examples of deliverables and dashboards. Both during negotiations and drafting of the contracts, it’s vital that the language of compliance clauses is extremely precise so that the transfer of responsibilities is abundantly clear. A list of well-defined compliance checks with attributes and opportunities should be a part of the contract in order to mitigate disputes. Finally, the compliance officer needs to not only clarify the necessary controls with the client, but also internally with the staff impacted by the contract.

During the execution of a CaaS contract, controls performed on behalf of the client must be rigorously formalized and documented. In addition, there should be periodic meetings between the client, the compliance officer and the contract managers to discuss metrics, exceptions and trends regarding compliance with the controls. As with any contract, prompt communication to the client of possible risks of non-compliance maintains high levels of collaboration and trust.

Compliance-as-a-service is a key initiative that’s often omitted from the compliance agenda. The next year will be key in maintaining profitability and orienting support functions around external sales.

Hernan Huwyler, MBA CPA, is a governance, risk and compliance specialist for multinational companies. He works in developing internal controls to address business risks and legal requirements in European and American corporations and is currently the Head of Vendor Compliance and Due Diligence – Center of Excellence at Danske Bank. He previously served as Risk Management and Internal Control Director for Veolia, leading governance practices in Iberia and Latin America. Hernan frequently lectures on compliance, risk management, data privacy, GDPR and auditing at top universities and business schools. Follow Hernan on Twitter @hewyler.

Note: The views expressed by the author of this paper are completely personal and do not represent the position of any affiliated institution.