Pillar 9 of 10

Compliance &
Risk

Risk management, regulatory controls, data privacy, and the emerging risks that every GBS professional must understand to protect their organization and career.

Compliance is not a department — it is a daily operating responsibility. Every GBS professional handles sensitive data, executes controlled processes, and makes decisions that have audit and regulatory implications. This pillar covers the risk and compliance knowledge that keeps you and your organization out of trouble.

Pillar Overview
12
Topics
3
Clusters
Rookie
Pro
Team Lead
Project Mgr
LEAD AND TRANSFORM

Keep the operation safe. One control failure can damage a reputation built over years.

Why this matters

One control failure can damage a reputation built over years. In a regulated process, being audit-ready every day is a habit, not a scramble before the auditors arrive. This pillar shows you how to keep the operation safe without slowing it down.

What you’ll be able to do
  • Identify the controls in your process and check they actually work.
  • Spot segregation-of-duties conflicts — where one person controls too much — before an auditor does.
  • Prepare for an audit calmly, with the right evidence ready.
Who this is for

Anyone in a regulated process — finance, procurement, or HR — who wants audits to be routine.

Cluster Guides

PRACTITIONER'S LENS

The teams that breeze through audits have one thing the others don't: a dedicated audit-readiness function — even part-time resources — that owns it year-round, not just during audit season.

  • Their job: maintain documentation, prepare samples, guide both auditors and the audited team through sampling and interviews.
  • During the year they support management testing for SOX 404.
  • During the audit they clarify and dispute potential findings before they get formally written up — that's where the real damage prevention happens.
  • Partnership with auditors matters more than most people realize: smooth collaboration means auditors progress fast, and faster progress means fewer surprises and cleaner outcomes.
YEAR-ROUND Docs · samples · readiness SOX 404 TESTING Management testing in-year AUDIT SEASON Clarify · dispute · prevent AUDITOR PARTNERSHIP Speed · fewer surprises
Audit-readiness runs year-round, not seasonally.
Full topic curriculum — 12 subtopics by cluster

9.1 Risk Management

Business Continuity Planning (BCP)
Project Mgr
+

BCP answers the question: if this site, system, or team becomes unavailable tomorrow, how do we keep delivering services?

  • In GBS, processes are concentrated in a small number of hubs — making BCP existential, not optional.
  • A natural disaster, pandemic, or infrastructure failure at a single hub can take out services for the entire enterprise.
  • Planning for this is not pessimism — it is operational maturity.
Read full guide
Third-Party and Fourth-Party Vendor Risk
Project Mgr
+

Third-party risk is the risk your vendors introduce. Fourth-party risk is the risk your vendors' vendors introduce — and you often do not even know who they are.

  • In GBS, outsourced and hybrid models are common — vendor risk management goes beyond contract terms.
  • Scope covers: data handling practices, BCP readiness, and regulatory compliance of the entire supply chain.
Read full guide
Incident Management and Crisis Escalation Playbooks
Team Lead
+

When something goes wrong — a data breach, a system outage, a compliance violation — the speed and quality of your response determines the outcome.

  • Incident playbooks define severity levels, escalation paths, communication templates, and resolution protocols — before the crisis hits.
  • The teams that perform well under pressure are the ones who rehearsed the playbook when things were calm.
Read full guide

9.2 Regulatory and Internal Controls

Segregation of Duties (SoD) and Toxic Combinations
Pro
+

SoD ensures no single person can create, approve, and release a transaction.

  • Toxic combinations are role pairings that create fraud or error risk — e.g. the same person who creates a vendor also approves payments to that vendor.
  • In ERP systems, SoD is enforced through access controls.
  • The GBS team that understands SoD prevents audit findings before they happen.
Read full guide
GDPR and Data Privacy Compliance
Pro
+

GDPR defines how personal data must be handled: lawful basis for processing, data minimization, right to erasure, breach notification within 72 hours.

  • Even if your GBS hub is outside the EU — if you process EU resident data, GDPR applies.
  • Practical implications: know what personal data your process touches, where it is stored, and who has access.
Read full guide
SOX Compliance for Finance Roles
Pro
+

SOX (Sarbanes-Oxley) requires public companies to maintain effective internal controls over financial reporting.

  • For GBS finance roles: documented processes, evidence of control execution, and audit trails for every transaction that feeds the financial statements.
  • SOX is not a one-time project — it is an ongoing discipline that affects daily operations.
Read full guide
AML and Sanctions Screening Basics
Pro
+

AML and sanctions screening verify your organization is not doing business with sanctioned entities, politically exposed persons, or known criminal networks.

  • In GBS this applies to: vendor onboarding, customer due diligence, and payment processing.
  • Missing a sanctions hit is not an error — it is a regulatory violation with criminal liability.
Read full guide
Document Retention and Archiving Policies
Pro
+

Retention policies define how long documents must be kept and when they must be destroyed.

  • In GBS this covers: invoices, contracts, employee records, audit evidence, and communications.
  • Keeping documents too long creates data privacy risk; destroying them too early creates compliance risk.
  • The policy must balance both — and someone needs to actually enforce it.
Read full guide

9.3 Emerging Risk

Shadow IT: Risks and Management Strategies
Team Lead
+

Shadow IT is technology adopted by business teams without IT approval — personal cloud storage, unauthorized automation tools, ChatGPT for sensitive data processing.

  • In GBS, shadow IT proliferates because official tools are slow to provision and often inadequate.
  • The solution is not banning everything — it is providing approved alternatives fast enough that people do not need to go rogue.
Read full guide
ESG: Measuring GBS Sustainability Impact
Project Mgr
+

ESG reporting is becoming mandatory for large companies — and GBS is directly in scope.

  • GBS contributes through: energy consumption of operations, diversity metrics, labor practices in hubs, and governance of third-party vendors.
  • Understanding how your GBS contributes to (or detracts from) the company ESG narrative is increasingly relevant for leadership roles.
Read full guide
Ethical AI: Governance of Automated Decisions
Project Mgr
+

As GBS deploys more AI — automated approvals, intelligent routing, predictive analytics — the question of who is accountable when the AI makes a wrong decision becomes critical.

  • Ethical AI governance covers: bias testing, explainability requirements, human override protocols, and audit trails for automated decisions.
  • The regulatory landscape is tightening — GBS leaders need to be ahead of it.
Read full guide
Social Engineering and Phishing Awareness
Rookie
+

Social engineering attacks target the human, not the system.

  • Phishing emails, impersonation calls, and business email compromise (BEC) are the most common attack vectors in GBS — because GBS teams process payments, handle credentials, and have system access.
  • One click on a malicious link can bypass every technical security control your IT team built.
  • Awareness is not annual training — it is daily vigilance.
Read full guide