It’s painful to make your way through compliance for the first time. At the end of it, a lot of companies throw the “Hey We Made It” party, pat each other on the back, and dive into all the catch-up work that’s waiting on their desks. Compliance is moved off to the side until they have time to deal with it again.
But achieving compliance once isn’t the same thing as implementing a compliance program. Compliance isn’t a one-and-done thing you can check off a list and put on a shelf — it’s a way of running your daily operations.
A compliance program is an organized effort to have your approach to compliance well defined and mapped out. It’s the continual, ongoing management and tracking of your compliance activities, and it organizes the functions for supporting compliance at your organization.
I have told more than one company that the money you put into your compliance program is worth FAR more than the money you spend on cyber insurance. Cyber insurance should be your emergency parachute for the unavoidable, whereas the compliance program is the true shield for the organization and the coordination of planning for the avoidable.
Without a compliance program in place, every year will feel like you’re making your way through compliance for the first time. Here are six key best practices to build a compliance program that operates like a flywheel.
1) Don’t Wait to Put a System in Place
Once you’ve achieved compliance, you’ll feel a huge temptation to walk away from it for a while — to take a break, catch your breath, and get some distance from the stress and chaos.
I can’t stress how important it is to launch a compliance management system as soon as you can, preferably as part of your initial push to compliance. Any delays in implementing a consolidated system is enough time to forget how to do things: where were those instructions? How do I do this? Who’s in charge of that again? Who gathered that evidence? Who gave us those inputs?
While everything is still fresh in your mind, get your plans aligned. Otherwise, you’ll spend wasted cycles feeling like “Groundhog Day” putting Humpty Dumpty back together again. Make sure your compliance management system includes everything under the sun related to compliance:
- Roles and responsibilities
- What compliance management tasks need to be done
- Detailed instructions for each task
- How to verify
- Storage locations and organization
- Current status of each task
2) Turn on Operational Mode
It’s important to understand which compliance tasks need to be performed throughout the year, and when. For example, in PCI, there are over 35 separate things that need regular ongoing attention throughout the compliance cycle in order to maintain compliance — either daily, weekly, monthly, quarterly, or semi-annually (outside of the other 400ish things that need to be done annually). At TCT, we call this “Operational Mode.”
Keeping on top of those tasks is critical, because you’ll avoid hitting the end of your next audit cycle and realizing too late that you forgot something that will negatively impact your compliance stance. You don’t want to sit across from the auditor or assessor, and have some uncomfortable questions to answer.
We created Operational Mode in TCT Portal because I used to walk into annual engagements and discover that clients weren’t prepared. They hadn’t been doing the activities they were supposed to do throughout the year. TCT’s Operational Mode takes all of the compliance activities you have to do in a year and breaks them up into manageable chunks.
Operational Mode helps organizations to know what needs to be done, and when. It has a mechanism for tracking the status of each item, so you know at a glance what’s been done, and by whom — and what hasn’t been done. Automated reminders keep your team members on task and accountable, so you don’t have to.
With Operational Mode, you won’t have any unpleasant surprises waiting for you when you get to the end of the compliance year.
3) Build a Compliance Review Process
Your compliance program should include some form of a review process to ensure your ongoing compliance tasks are done, and done correctly. Different companies do it differently — some have an internal QA department, others hire a consultant to guide them through it.
If your assessor is integrated into the workflow of TCT Portal, you can share information with them early on. That way, the assessor can go in, take a look, and let you know if anything needs adjustment. That lets you make course corrections very early in the audit cycle, before you have an unwieldy beast to tame.
It also shows your assessor that your company is taking compliance seriously. That sets their mind at ease and makes things a lot easier when the annual assessment comes around.
4) Don’t Wait Too Late
Some tasks only need to be done once per year. Whatever you do, don’t wait until the end of the compliance cycle to do them. There are a lot of things to take care of as you wrap up the compliance year, and many organizations leave things until too late. Inevitably, the last six to eight weeks turn into a mad scramble.
Instead, start taking care of the annual activities sometime around the beginning or middle of the third compliance quarter. That will give you a lot more room to spread things out and avoid all nighters right before your assessment.
It’s really hard when you’re under pressure to ensure that you have continuity over thousands of documents. The more time you have, the more sane it is, the higher the quality, and the more time you’ll have to get things dialed in.
5) Create a Culture of Compliance
There’s a big difference between lip service about maintaining compliance and making compliance part of your organization’s day-to-day life. To be truly effective at tracking and maintaining your compliance, you’ll need more than a set of policies and procedures. You need a culture of compliance that permeates every level of your organization.
Building a culture of compliance starts with these four critical foundations:
- Leadership buy-in — company executives should lead the charge, or else your compliance program will eventually fall into disrepair.
- Integration into daily activities — build compliance into your daily work procedures.
- Accountability — educate all of your employees on compliance, and keep them accountable.
- The right system for managing compliance — spreadsheets won’t cut it. Find an automated system that’s designed specifically to handle every aspect of compliance.
6) Give It Time
The first full year of maintaining compliance can easily be as challenging as getting there in the first place. You’ll discover all kinds of errors you didn’t catch the first time around, and you’ll still be learning how to do compliance on a regular schedule. Nothing will feel natural for a while. That’s okay — give it time.
In my experience, it takes until about the end of the third year for everything to start clicking into place. That’s when your compliance program will start to feel like a well-oiled machine. You have a rhythm, and you feel like you know what you’re doing. People throughout the organization have learned their roles and they’re following procedures as a matter of course.
If you follow these guidelines and use the right compliance management system, you’ll have everything you need to build a kickass compliance program.