

True GRITTS

07 Oct 2025 regulation

The compliance function has oversight of the rules that are integral to the culture and behaviour of any organisation. Successfully engaging compliant behaviour involves effective communication and technology combined. David Cowan encourages you to get your GRITTS.

When I first started travelling to the United States many moons ago, I spent some time in Tennessee and was introduced to the Southern breakfast of grits, served with honey, bacon, or whatever else appeals.

Grits are made from dried corn kernels ground into smaller bits, and stone-ground grits can be hard to find outside of the South. The Southern US President Jimmy Carter campaigned with the slogan ‘Grits & Fritz in ’76’, brought the dish to the White House, and even named his pet dog ‘Grits’.

You now know more about grits than is good for you, but let me serve up something good for your daily compliance needs: ‘GRITTS’.

Telling people that compliance is good for them is a little like being told to have your breakfast or eat your greens. We know it’s good for us, but…

When working with in-house or client-compliance teams, the biggest obstacle the team often faces is communication. The team struggles to connect people to the compliance need. This is not really surprising, given that compliance naturally involves rule-setting – and not everyone appreciates the rule.

The compliance function has oversight of the rules, which are, essentially, externally driven by regulators, professional bodies and the like, but they are also integral to the culture and behaviour of any organisation.

Successfully engaging compliant behaviour involves effective communication and technology combined.

Grits ain’t groceries

Using effective communication and technology can build in pre-emptive actions, such as early-warning systems and well-understood compliance indicators to help prevent issues from occurring, or at least help to spot them early on.

This means collecting and analysing data that indicates the outcomes of policies and actions deployed by the compliance team and their system.

Indicators may be identified, analysed, and assessed by using a model proposed here called ‘GRITTS’. To help compliance teams assess their policies and actions, GRITTS can be used to map against the legal requirements and the practical realities of deploying compliance measures.

Compliance teams need to be able to assess the organisational processes and personnel as to how policies are being understood and followed, which should also be done in respect to industry best practice:

  • Gaps – teams need to identify gaps that exist, need to be filled, and any risks to be mitigated. One of the major issues for organisations is the existence of ‘silos’, where departments, units, and projects are not connected or collaborating. For in-house legal, this can be especially irritating, as other departments see them as ‘blockers’.
  • Resolution – the existence of silos is one of the key causes of gaps, but there are many others. Closing the gaps is best achieved by having effective communication between leadership, units and teams to seek a fast resolution of problems, which also means undertaking regular policy reviews to monitor success and ensure alignment with legal and regulatory requirements, and, where possible, to do this in real-time.
  • Incidents – dealing with incidents is not simply a transactional issue. It involves sequences and patterns. This all requires effective monitoring and quick response.
  • Time – so time is a critical factor, which is not merely a data and technology solution. A people solution is also required.
  • Training – people and machines can be non-compliant. In the case of people, training is essential to create awareness and build compliance – not just directly to how it is framed by the compliance function, but also integrated into other disciplines.
  • Stakeholders – how compliance is then embraced by all stakeholders is key. Communicating with stakeholders requires connecting the stakeholder with the involved party in the organisation to encourage them to ask the key question: what’s in it for me? Clearly, there may be some negative messaging required, such as informing a third-party supplier that they will not get your business if compliance requirements are not met. However, positive messages around compliance include the importance of ensuring the integrity of the supply chain – and reputational arguments.

Breakfast in bed

For employees and other stakeholders, onboarding programmes can be strengthened to ingrain a compliance approach to working with the organisation.

New entrants from schools and universities can be set on the right track before any cynicism sets in. Third parties and other stakeholders can also be onboarded in a process that goes beyond simply signing a contract and supports them to embrace shared compliance values.

If people are to be better led into compliance, it is important to ensure that the machines and systems are part of an augmented skills-base.

The non-compliance of machines may be dealt with by identifying needs for an upgrade, update, or change of installation.

Errors may be related to various sources, including faulty data input, a data breach, accidental deletion of data, or a software bug. The error is operational and can usually be tracked.

Computers can pick up on human errors and missed deadlines, but the same can operate in reverse, and people can pick up on odd or absurd outcomes produced by computers and artificial intelligence (AI).

A person being non-compliant is more complex and relates to matters of ethics and integrity. Employees may have different ethical or cultural ideas than the corporate messaging, and the need for them to be compliant may require supporting them through the process.

This process may mean they require handling offline. Automation does not always mean automating a whole process; it often requires appropriate jumping-off points to switch between online and offline processes as elegantly as possible.

Built for comfort

Technology can provide a compliance dashboard to provide line of sight, and many organisations have them in place. However, many do not, and sometimes the ones in place do not give the whole picture.

There are a number of success factors that create an effective dashboard. Having a clear sight of the compliance issues can drive policy decisions, such as health and safety, ethics, and supplier relations.

The dashboard can help in the assessment of the compliance status of suppliers, contractors, and business partners. It can track relevant certifications and the status of contract terms. These dovetail into managing supply chains and other risks by ensuring full compliance.

An augmented compliance dashboard tracks the status of employee-training requirements, compliance with specific policies, and any breaches of company guidelines.

This can ensure that all employees complete required training on compliance topics, such as cybersecurity, data protection, and workplace ethics. It also flags overdue training sessions and compliance violations.

Factors in a compliance dashboard should include:

  • Regulatory tracking – the dashboard is proactively responsive to regulatory shifts, domestic law changes, new EU regulations, international requirements, and industry rules to ensure compliance alignment. It tracks alignment with current regulations and provides historical trends and forecasts. The dashboard needs to adjust quickly.
  • Data integration – collates data from diverse sources into a consolidated compliance hub, including operational data from enterprise systems, insights from compliance policy materials and manuals, legal documents, and updates from external regulatory databases. The dashboard needs to present a holistic compliance view.
  • Data visualisation – turns raw figures into readily-accessible insights. Using data visualisation, such as heatmaps, the dashboard presents detailed metrics and key performance indicators to highlight a variety of functional, regional compliance, and business-unit variations and trends. Dashboards need to have intuitive visual formats.
  • Real-time – delivers timely responses to enable decision-makers to access the latest insights for prompt and effective decision-making. Dashboards need to seamlessly incorporate real-time data across operations.
  • Policy adoption – highlights gaps and issues where internal policies may be overlooked or bypassed, either intentionally or unintentionally. A dashboard needs to have a clear framework and policy to map against practice.
  • Training and certification – tracks all employees and contractors who have completed necessary training certifications and shows this as a percentage of those who have completed necessary training. The dashboard needs to flag where training is not being carried out.
  • Incident and violation tracking – enables granular tracking of unauthorised data access, privacy breaches or other violations. Helps identify problem areas. The dashboard needs to have effective mapping of all security vulnerabilities and offer real-time notification.

Sixteen tons

Compliance management and software tools support the mission but differ in the principles, methodology, and framework deployed, and are based on different profiles in respect to risk-management and compliance-policy approaches.

Some tools are effective at monitoring, while others are more technically focused on, for instance, audit matters or ESG factors. These tools may be classified as:

  • All-purpose,
  • Sector or industry-based compliance tools,
  • Governance, risk, and compliance (GRC). 

Spoonful

Artificial intelligence is all-purpose and can offer many benefits to organisations managing their compliance needs.

The need to inform employees, customers, or other stakeholders can be managed by chatbots. Everyday monitoring can be conducted by AI, able to identify suspicious transactions or behaviours that may or may not be dangerous.

An apparent suspicious item may well be random, benign, the beginning of wrongdoing, or the surfacing of a major fraud. AI and machine-learning algorithms are able to examine business and financial transactions and detect patterns of fraud or other abuses.

Systems enhanced by AI can collect a considerable amount of data that allow analysis of patterns of behaviour, which can act as early-warning detectors of change and risk, thereby providing compliance teams with the opportunity to stop wrongdoing before it becomes systemic or damaging.

Not all data and activities are structured. A great deal of the data in use is unstructured, the largest volume being email exchanges.

In isolation, an email may appear innocuous but, once put with other data, a pattern may emerge, which is often better spotted by AI than humans.

Compliance teams have historically been hampered in their attempts by the need to find a needle in a haystack. AI may discover that needle, which might be an email, WhatsApp message, or the use of an access card.

These are all big-data items that become manageable for today’s AI-enabled compliance officer.

Walkin’ by myself

At the basic systems level, a communication platform needs to be effective at recording communication across the platforms used by employees, and this is again a big-data issue.

Records of emails sent, of any social media apps used for business purposes, and of access to and usage of platforms are needed for various legal and regulatory demands.

They are also essential for forensic needs in compliance investigations and, when used with AI tools, they can detect behavioural patterns in employee activity. They can also be linked to tracking of employee activity, such as mobile location and keystrokes – which are controversial, as this borders on employee-rights issues.

Platforms include tools that are tailored to a specific sector or industry. While automation can save great costs, switching to new platforms and deploying new tools can increase costs.

There can be hidden costs in the inefficiencies created by not taking a GRITTS approach and missing compliance targets. Such inefficiencies represent significant governance, risk, and compliance factors.

A systematic and responsive GRITTS approach to legal and regulatory changes helps to build robust impact assessments and prepare effective plans for implementing changes required across the organisation.

This also supports the management of compliance risks. At its heart, compliance is a matter of changing human behaviour, and humans are not always good or welcoming when it comes to changing habits.

As a species at work, most of us are happy to operate with comfortable inefficiency, meaning we like to do things the way we have always done, even when the change being deployed will make our lives better.

This all dovetails into an augmented approach to managing employee-related and operational risks. Giving ‘line of sight’ to risks in the organisation is important to all involved, not just the compliance function. So make sure that you and your clients get their GRITTS!

Dr David Cowan
Dr David Cowan FRSA is assistant professor of law at Maynooth University and is the author of Law and Technology (Bloomsbury Professional Ireland, 2025).

Copyright © 2025 Law Society Gazette.