Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: Compliance Spreadsheets or a CMS?
Quick Take
Listen to our in-depth conversation about a topic that’s close to all our hearts in the compliance space: compliance spreadsheets. Specifically, how do they stack up against the compliance management software systems that are out there? Todd and Adam explore the pitfalls of the spreadsheet approach, and why compliance pros have a hard time leaving their macros behind. Adam breaks down exactly what to look for in a compliance management software and what type of ROI you can expect compared to your old spreadsheets. All this and more, on this week’s edition of Compliance Unfiltered.
On this episode:
- A compliance spreadsheet horror story
- Why do people love their spreadsheets so much?
- Downfalls of the spreadsheet approach
- What to look for in a compliance management system
- How to look at ROI
Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the one and only, truly the compliance legend, Adam Goslin.
Adam, how are you today? Good, Todd, how are you? I can’t complain, man. Today, man, we’re going to be talking about something that’s just… Well, it’s kind of the life’s blood of this industry and has been for a long time, but it’s something that’s, well, let’s be fair, it’s the cause of a lot of headaches.
And so I think that this is a topic that everybody can really relate to. We’re going to be talking about the struggle with spreadsheets. Are you married to your macros? Are you living and breathing by Excel?
Do you dream in Excel formulas? I don’t know. This may be for you if you do. Adam, talk me through it, man. Give me a compliance nightmare in terms of a spreadsheet or a story. Oh, gladly. To provide a little bit of context on the journey, if you will: when I started Total Compliance Tracking, I literally generated the system that I wished that I had on my first engagement.
It was further cemented in the following years of getting through that kind of first trip to the rodeo. I had several years of trying to manage compliance consulting engagements with spreadsheets for other companies, and so my first engagement really kind of keyed me into some of the struggles, and so I literally had to endure it firsthand. So, setting the stage for what I went through in that first engagement.
I had an internal team of folks. There were about 10 different internal stakeholders that I needed to coordinate with to get different information and evidence and make sure that we were doing things right, et cetera, and those 10 different people, I mean, those spanned my kind of day-by-day IT person, my system architect.
I was kind of VP of IT and infrastructure, development, business analysis, the whole bit. And it ended up, we had folks within IT, we had folks in HR, legal, corporate level, all sorts that needed to be involved.
So there were about 10 different people that we had to coordinate with. We also had a bunch of external vendors. So including the hosting company where the production environment was held. So we were doing coordination with them also.
The company was going up against PCI DSS. And as the company was dealing with credit cards, at the time their process was kind of deeply ingrained into the business process that they required storage of the credit cards for how they did what they did.
And so what that meant is that I couldn’t say, oh, well, there’s only a portion of this compliance standard that was actually applicable. Everything was applicable. Ugh. Yeah, which made it even more awesome.
And kind of couple all of this off with, this is my very first experience going through or dealing with compliance. And so, in the struggle to try to figure out my way through the gamut, I ended up setting up weekly meetings with the internal team where I try to go in and gain status.
I had inputs coming kind of up the natural workflow from my internal team and vendors. And meanwhile, inputs and responses were coming back at me from up the workflow in terms of response to submissions that were coming out of the assessor.
And so as I’m struggling with trying to juggle all of this stuff, I had, I mean, literally, I had inputs coming at me from text messages, people would stop by my desk and tell me something, they’d send me emails.
They would print out evidence and they’d leave the paper on my desk. Even despite the fact that I had set up, I tried to structure these network folders in a place where everybody could get to and said, please go put your stuff here.
Despite the fact that I did that, well, whatever. The HR team had their own share folders where they would just say, well, go look at this location. Of course, they’d send that to me in an email, et cetera.
And I had people calling me at my desk. I had people leaving me voicemails on my desk phone, my cell phone. We’d have group meetings and somebody would be taking meeting minutes, which I’d have to go refer to.
The stuff was coming at me from like every fricking direction known to man. And so, in the eye of this hurricane is Adam with everything swirling around me. It was just, it was an absolute nightmare.
And so, since I needed the internal meetings just to, number one, try to keep the team accountable, but to, try to figure out who’s where and all that fun stuff, I now needed to look across all of those myriad of inputs.
And I’d spend, I’d spend about a half a day in advance of the status call, just so that I could get our status tracking spreadsheet somewhere close to being sort of accurate, right?
And so, you know how, like you go in and schedule a meeting, right? And you have your, it’s a weekly status meeting and invariably everybody that’s coming to the meeting, the vast majority of them, they get in in the morning, they go look at their calendar.
They get that like, oh shit moment because they’re like, oh crap, I got this meeting coming today and now I got to go, oh my God, I promised Adam, I’d get him, blah, blah, blah, you know?
And so, and so they realize they’re going to get called out on, on not producing the stuff they said they were going to produce. And sure enough, I’m sitting there in my half a day and trying to update the spreadsheet with all these input sources and blah, blah, blah, blah.
Meanwhile, all of my sundry input sources that I’ve iterated through earlier, they’re all being lit up because everybody’s dumping their crap right before the freaking meeting. It was like trying to run a marathon up a sandhill: I take one step, my foot would slide, if my step was a foot, my foot would slide back about 11 and a half inches, and it was just uphill the whole way. And so there were oftentimes I couldn’t even process all the stuff that I was getting before we actually had the meeting.
And so the meetings themselves, they would go on literally for hours, I’d be, I’d be getting on the phone. We’d be spending time trying to get on the same page who sent what, what did I miss?
Where did the, how did they send it through any one of the various input channels? I’m updating the status column with, okay, this is being reviewed by Adam or this one was sent off to the assessor or.
I’m still waiting on Bob or whatever it may be, right? And so, and meanwhile, so I mean, I’m in the status call. And then these people that have just whipped their evidence over the wall three minutes before the freaking meeting, they’re, they’re, they’re coming off like they finished it, like, like six days ago, what’s my problem, right?
Well, I, I already submitted that evidence, that type of baloney, and it was, it was just, it was an absolute exercise in frustration. So, I finish up this meeting, right?
And now I spent a half a day trying to get it prepped up. I spent hours trying to get all the statuses lined up and blah, blah, blah. And, as we’re in the meeting, people are sending stuff, the minute the meeting’s done, people are sending more stuff, you know?
And so I never even hit a point where the sheet was “current”, the minute that I thought I was done and boof, it was out of date again. And so it was awful. And, the best part is, is that, now I get the sheer joy of being stuck in this, sick compliance version of the, of the movie Groundhog Day.
And I get to do it all over again, week after week after week, it was, it was, it was just, it was just crazy. So, that entire process, just to kind of put this in perspective, that entire process getting the company from, me going, gee, what’s PCI, to being actually compliant, took 18 months to get through.
And so this is 18 months of week over week of trying to, track and manage this effing spreadsheet. I mean, honestly, complete crapshow nightmare. Oh, man. So I mean, I have to ask this question, because, when we work in this space, and we talk to folks who, work on spreadsheets every single day, and invariably, above and beyond, just people don’t like change.
Folks have certain things about their spreadsheets that they love. Why is it that they’re so drawn to them? Well, I mean, there’s a couple of different reasons. Certainly, I mean, before the days of thankful improvements to how we can go about going through this process, I used Excel for a couple of decades.
For many people in the organization, it’s a familiar tool. It’s a tool that they know that depending on their skill level, some of them have just mad skills with Excel. It’s something that the individual user can go in and leverage.
And from the company’s perspective, a lot of the companies will go under this notion that, well, it doesn’t cost me anything because they already paid for their Microsoft licensing.
And so they look at the use of Excel as a “free” tool. The other side of that coin is that, is that for whatever the reason may be, these organizations have this notion that, well, they’re already paying the salary of these people that are on the team.
And so again, “it doesn’t cost them anything”. Well, it’s like no extra dollars that are coming out of their pocket over this decision. And so, poof, it magically doesn’t cost us anything. I understand when you’re looking at line items on a budget, but yeah, it’s anyhow.
Well, yeah, there’s ripple impacts and ripple impacts and other costs. And we’ll talk about that. We’ll talk about that a little bit down the line here. But the reality is, is that in Excel, folks can go in and customize their Excel sheet based on their own specific preferences for style and layout.
What do they want on there? Oh, geez, I forgot a column, poof, I can add it. It’s got a lot of allure in terms of its capability to customize and be flexible. Because you can pretty much do whatever you want with it because, well, it’s your Excel sheet, right?
You can also, through Excel, you can leverage some automation capabilities depending on the expertise of the user that we’re talking about. They may be able to go in and leverage macros and whatnot to do some automated pulls, draws of data, re-sculpting their sheets and things along those lines.
And all of that to the user with a little bit of skill is something that they theoretically can go in and do themselves. And even if they’re semi-technical, there’s a ton of things that they can do with a spreadsheet.
So all of those things are, are elements of why folks are kind of drawn initially to that, hey, let’s just go use the spreadsheet. So I guess, I mean, the next logical question here is let’s talk about the inverse, right?
What are the downfalls? Well, the biggest downfall and kind of what I was going through in that initial overview is that in order for data to get into a spreadsheet, well, somebody or something has to actually go in and make updates.
So the data that’s in the spreadsheet is static data that it’s outdated the minute that something happens in the outside world. Now, I’ve heard the argument, well, you’re gonna have multiple users on a spreadsheet and blah.
Back in the day, yeah, you used to be able, it was actually, it was fraught with peril, if you will. The back of the, I’m gonna need to. I mean, the people listening, you’ll kind of remember the whole, trying to put multiple users on the same spreadsheet.
They initially started it, it was really kind of clunky. It’s come a long way with the notion of like 365 and spreadsheets online and being able to have all of these users making updates, et cetera.
But, the bottom line is, is that it takes a real live human being to go effect change within that spreadsheet and anything that you want tracked, like what’s its status, who sent it, when did they send it, things along those lines.
Those are all elements that, now need to be, kind of manually tracked. So, it’s tough because if every change on that sheet requires a real live human to go keep things updated, it’s like the humans, the glue that’s holding the whole thing together, as I like to call it, the human glue of the solution, right?
The other problem with the spreadsheets is, let’s say we’re going through compliance standards changes. If I’m going from, we’re about to go through, go from PCI, 3.2.1 to PCI version 4.
Well, the minute that PCI version 4 comes out, guess what? Now I’ve got to go ahead and re-architect my, brilliant, Excel solution. Or if I want to, add another compliance standard to the mix, let’s say I got to go layer HIPAA on for the organization I’m working for.
Well, guess what? Now that’s another spreadsheet. Now that’s more automation. You got to build the, do mappings between sheets and things like that. So, you’ve got all that coming, changes to any of those sheets breaking any of the previous automation you’d written.
So now you got to go back and fix that. So even if it’s just minor tweaks of adding a field or inserting some new rows or whatever it may be, now you’re constantly breaking your automation and having humans fixing it again. There doesn’t come a point in time, you know, during the game of the spreadsheet world, where the poor person that’s the eye of the hurricane gets a break or can step away from it, because again, that’s that human glue that’s holding everything together. It’s also difficult to translate from one primary point person to another, because that sheet requires a certain amount of tribal knowledge about who set it up, why did they set it up that way, what are they doing with each of the fields that are on there, blah blah blah. You have to speak the language of the spreadsheet, otherwise you have no idea. Yeah, yeah. And so it’s not just, hey, whatever, I’m gonna be out sick tomorrow, can you take the status call. It’s not quite that simple, right? And by the way, can you tell that I hate a spreadsheet for compliance purposes? You are not alone, but it definitely rings in the tone of your voice,
That’s for sure. It’s unabated hatred for spreadsheets when it comes to compliance management. So let me talk about this. What makes compliance management a quality compliance management system so awesome?
Well, the reality is that all of the information about your engagement is in one spot. We were talking earlier about just all of the blood and the sweat and the tears and the places that people are dropping stuff and all these locations, etc.
If you mandate that internal team, obviously this takes some training and it takes a little bit of time for the team to get used to and all that fun stuff, but as long as you approach that process correctly, you can actually have all your compliance stuff landing into one single location.
I mean, it is absolutely beautiful. The status updates within a compliance management system, those status updates are immediate. So we were talking earlier about people having the morning kind of oh-shit moment and whipping stuff over the wall five minutes before the meeting, that type of thing.
Well, it doesn’t matter because the minute that I go into the compliance management system and kind of refresh, poof, it’s automatically up to date. And so you’ve got kind of immediate visibility into where it’s at.
Yeah, and that’s the most important thing, right? That is real-time data is where the value is. Well, and here’s the thing is that the real-time thing, yeah, it makes it better for the person that is needing to go and get to their compliance meeting, their weekly compliance meeting, but anybody that’s doing this, they’re constantly getting barraged.
I’m constantly getting questions from the leadership at Fill in the Blank organization. Hey, where are we at? What’s the status? Well, they’re not asking me five minutes after my status meeting, they’re going to ask me middle of the week off, offline from my status call, where if they do that, poof, I go up, I pull up the system, I hit the refresh, hey, here’s where we’re at.
I’ll also field various questions as I’m going through a compliance management engagement, things such as: hey how many items are open for me? Maybe it’s a team’s manager. How many items are open for members of my team? And how, when was the last time that, that Mary went in and made any updates within the system?
These are the types of questions that, in days gone by, I would have been like, I’ll try to get you an answer tomorrow or the next day, because I’m going to need to, again, go and compile everything to try to get to this answer, where, yeah, I mean, if you’re using a system, then it’s boom, the information is right there.
The other thing is we were talking earlier, we’re talking a minute ago about putting everything into one location. One of the, one of the I’ll call it the hidden gems of leveraging more of a compliance management system versus, this manual process with things spread all over the place is that, the biggest benefit is when you get to your next year, right?
I get a year down the road and I’m trying to look back at what the hell did I do last year, et cetera. If you try to put that picture together off of the extremely manual and spreadsheet-based approach, it’s damn near impossible to figure out what happened and when, blah, who provided what, et cetera, because it’s sprinkled all over the place.
And so with the compliance management system, when I get into kind of year two plus, it actually ends up, it actually ends up being amazing, because now I can just tell people, hey, go look at, go look at the track from last year, go in and look at, look at what you provided.
If it’s the same person, oftentimes the users will forget, oh, what did I need to provide for this one? and it’s not, it’s not unusual, from the perspective that this person might have had 40 or 50 different things that they were providing for the, for the compliance track.
So they can’t keep track of all this stuff. So it gives them a nice, easy repository. The other secondary, the other kind of, kind of less visible benefit is that in any organization, you’re going to switch or change over personnel, right?
From one year to the next. Yeah, always. There’s always attrition. Yeah, I mean, well, there’s attrition or so-and-so moved to a different department, or, or, right. So your team makeup is going to be different, almost invariably different year over year.
And so instead of the new person having to literally start from ground zero of trying to go figure this all out again, hey, they got one easy location they can go to. If they know they’re taking over for Bruce, who was doing this last year, they can go in, look at what items did Bruce have, what evidence did Bruce produce, specifics on what evidence met muster.
They can see commentary back and forth with the assessor, etc. It gives them just a like, almost like a Bible for what they need to go in and do, right? And it’s just awesome. So, you end up saving so much damn time and frustration, by using a compliance management system, and at the same time, dramatically improving the, kind of the efficiency of the overall engagement. And, the reality is, is that since time is money, you actually end up saving money through that process as well. Now, and see, that makes sense to me as somebody who values efficiency as much as I do.
And most importantly, again, I’m kind of thinking about what the true ROI is on something like that, is that I feel like it’s going to make for a better work environment. It’s going to create better work-life balance.
And ultimately you’re going to have happier, more productive employees across the board. But my question to you, Adam, is what should you really look for when it comes to a compliance management system provider?
Well, there’s a number of things that, that folks should, should go out and look for. Certainly we kind of touched on it earlier, but the notion of real-time status tracking, one of the single largest, wastes of time is trying to hold all that crap together with human glue.
So, having that capability to immediately know where we’re at, who’s got what, whose hands is it in, when did they send it or have they sent it, things along those lines, all that real-time tracking just has an absolute myriad of, positive benefits that, that the organization is going to end up deriving by, using a quality system.
Certainly, if you’re using something that is systematic, then you’ve got the, you want to be looking for something that will give you the ability to track, well, number one, I’m going to start with, you want to be able to track against multiple certifications.
Why is this important? A lot of folks will go, and I’ve seen this play out in the real world with real clients, where they go, well, all I need is PCI. That’s it. And sure enough, you fast forward, eh, six months, nine months, 18 months, something.
Um, they get some big opportunity for an RFP or some big client comes strolling in and saying, by the way, we’re going to need you to be compliant with this and this and that, or there’s some new schniffy whiz-bang certification that somebody’s cooked up, um, with just a different iteration of various requirements, that’s super, super special.
And so now we need to go out and head down that route, right? It’s going to happen. Going to happen. So, don’t lock yourself in with a system that just facilitates the certification that you have today, but look for something that’s going to give you that flexibility down the road.
And certainly, one of the real positives is being able to map from one certification or standard to another because that’s really where the benefit comes into play. Oh, yeah. Well, I mean, if I’m going to go through something that’s as specific as PCI, right?
But PCI is a great framework for organizations to be able to leverage because it’s very specific about what exactly needs to be done and that makes it thereby far easier to map to secondary standards.
So now I can take that and I can map that off against HIPAA or map it off against SOC or ISO or NIST or whatever. So that, kind of inter-certification mapping, that’s going to be a huge one.
Certainly, one of the challenges with kind of the manual process, and I didn’t really hit this earlier, but it’s just, notifications, right? Who has what? What’s open? What am I still waiting on? Blah, blah, blah. In the manual world, part of what was taking me so long with, prep for the meeting, the meeting itself and post-meeting wrap-up is that then I would need to go and send summary, summary emails out to everybody on the team.
Hey, Bruce, you’ve got these 15 items. I need these three by next week, that type of thing. And then I’d have to go and queue up another email for Mary and another email for Sarah and another email for Fred, whatever.
So, being able to, in a compliance management system, gain automated notifications, not only reduces all of that kind of manual time that you’re needing to spend, holding this all together, but you gain other intrinsic benefits like, automated daily status reports, the ability to, keep your eyeball on and get notifications as things change within the system.
Being able to get, kind of intelligent reminder emails and really to facilitate some of the communication through your compliance management tool, making sure that you’ve got the ability to integrate, communication capabilities through your compliance management system is important.
I want to stop and talk about that for a second. And the reason why is because so many times I get on these calls with organizations looking for compliance help. And what I’m hearing them say is they are struggling being able to know, what they feel that one hand doesn’t know what the other hand is doing.
And then invariably I’m talking to a decision maker and they’re tasked with going to track down what the hands are doing and making sure that they talk to one another. And I feel like a lot of the reason for that is because of the lack of intelligent reminders and the ability to actually have one central hub for not only the work, but also the communication around the work.
Well, that’s certainly the case and, and, and really, the, the trying to keep everybody on track and, and letting them know what, either providing them an easy way to go figure it out for themselves and or sending out those automated reminders.
I, I like using the expression herding cats. I mean, honestly, the, the compliance management engagement, it literally is like herding cats. It’s, it’s a struggle because, the people, the folks that you’re trying to kind of trying to corral or they’re, they are dead set on sprinkling in every direction known to man.
And, you’re trying to keep everything on the, on the rails and it’s, it’s, it’s a never ending challenge and having the system assisting with, kind of keeping that, keeping all that, centrally stored as well as, as well as notifications to people is hugely helpful.
One of the other things that we talked about is that notion of centralized data repository. I mean, we’ve kind of hit on it in a bunch of different ways, but making sure that you can do everything that you need to do in one place is huge.
So, you want it one place to be able to put your evidence and files, one place to be able to go check on your engagement status, one place to be able to send, to, to, to receive notifications, one place to send communication, one place to manage your engagement.
The reality is, is you want all of that stuff, kind of in one single blessed location because, oh my God, it’s like when, when you get on and you start, when you go from the spreadsheet nightmare to a compliance management system, it’s like you can just, you can just hear the angels singing, and hear the angels singing. It’s great. All of that pain that I used to go through, I don’t need to continue to suffer day in and day out. It’s, it’s actually, it is, it is astronomical the amount of relief that, that, that you feel once you kind of can see all of these benefits actually coming to fruition.
It’s, it’s awesome, and then, the, um, the, the other elements of the compliance management system, um, making sure that, um, not only will it, I, I don’t know, run in, uh, I call first time or one time mode, uh, for, for compliance cert
So that’s where an organization is just standing up their initial, run to PCI or HIPAA or whatever, right? That’s a more of a mode of, do I have it? Do I have it? Do I have it? Check, check, check, check, check, all the way down the road.
Once I get to the point where we throw the compliance party, well, now we actually need to go maintain this thing. And so it’s really important that the system will both work in that, hey, this is our first time run and in a mode that I call operational mode, where it will serve up to the users of the system.
Hey, it’s time to do this. Hey, it’s time to do that. Kind of keep them on track through the year, making sure they’re doing what they’re supposed to be doing, when they’re supposed to be doing it. Those are all elements.
We talked a lot, and we talked a little bit about communication already, where we’ve got, we want to consolidate all of the communication again into one location. So make sure that you’ve got all of the features and functions that you would otherwise use in a secondary process.
So if I would send an email for this, or I would text somebody for that, or I call so-and-so for this, just make sure that that system is gonna be able to handle the various needs that you’ve got for communication based on the organization.
Well, I wanna actually stop there and ask just kind of a leading question here, I think, because one of the things that I also hear about people that really like to do things in terms of spreadsheets, and they’re kind of married to that, is that they say that, it’s all in-house, we don’t outsource any information, I don’t have to worry about that.
From a security standpoint, is that a concern going from spreadsheets that are in-house to a third-party compliance management system? Yep, absolutely. I mean, whenever you’re using anything, like every single compliance standard known to man that has any level of specificity is going to require vendor due diligence as part of any form of onboarding, and it should be no different with your… especially with your compliance management system provider. The reality is, if you think about it, I mean, every single detail about the internal guts of whatever you’ve got going on as an organization is gonna go into this tool.
This is gonna be, this is gonna include everything from, internal personnel, team members and their names, phone numbers and emails. This is gonna have network diagrams, firewall rules.
It’s gonna have, how you’re doing your encryption and, how all of our systems are tied together and HR information, legal agreements. So these systems have undoubtedly a lot of sensitive information.
So certainly make absolutely certain that the target vendor has taken their security seriously. Really my strong suggestion is to go and find out: are they going through a third party? They better be going through a third-party audit.
But, but then actually look at the reporting detail. I can’t tell you how many people in the space, just given the number of different types of companies that I’ve had to, kind of interface and work with.
And some of them are shocking, to be honest with you. But, how many of them will kind of take a halfhearted approach to how they treat the security of their systems in terms of, they try to minimize or mitigate the amount of scope so they don’t have to do as much, that type of thing.
You want to make sure they’re not cutting corners, that they’re taking the stuff seriously, that they’ve, kind of included all of the, all the various elements that they need to of taking that security seriously, read their reports and make sure they keep up with it, is another important element.
Sure. And then the last, kind of the last piece of this is making sure that you have ready ability to do, I’m gonna call it gain access to data and reporting. So, all these miscellaneous questions that you get, how many things does Mary have on her plate?
How many things do I have, for members of my team? When was the last time somebody submitted something? Did so-and-so submit their stuff on time? Whose hands is this particular line item in?
The more the operational data and being able to pull and report on it, that’s important. Plus, the reporting that you can get out of the system. Finding a compliance management system which will assist with all of your final reporting needs, that’s a huge, a huge plus as well.
I have to hop in there, man. Like I, in talking to some of the folks that, in this space about this topic specifically, I’ve literally had a client tell me that the reporting, that, our portal actually spits out, is better than any Christmas present that he received this year.
And that alone says to me that this is a critical piece that people fighting with spreadsheets every day would want to appreciate. Yeah, no doubt. The integration of that outbound reporting, that’s huge, especially based on the nature of the type of company, especially for the, we’ll call them the consultants, security compliance consultants and the Assessors/Auditors of the world, that that ability to kind of magically produce the outbound reporting, that’s huge. Yeah, yeah. Well, I mean, I guess the last question that I really have here, and again, it is leading because this is something that I’m very passionate about, but what’s the ROI for an organization moving away from spreadsheets and moving to a compliance management software organization?
Yeah, it’s a topic that is, for some folks, hard to get their arms around. And the reason being that, if you think about it, Todd, it’s not like I can go and I can say, oh, I’m going to instantly, just because of the fact that I’m using this system, that means that poof, it’s going to save fill in the blank.
All of the benefits really are secondary, if you will. They’re like results of using the system. And so really what it takes is it takes somebody that will sit down, look at the process that they go through today, look at the process and how they can get it morphed with a compliance management system to really kind of understand that benefit.
We talked earlier about how, well, I’m already paying for my Microsoft and I’m already paying the salaries for these people. So, yeah, that “doesn’t cost me anything”.
And yet they won’t look at it in terms of how much time these people burn and when they’re out of bandwidth and now I need to add three more bodies. Well, I mean, just to put this in a really easy perspective, if all your personnel are full up and overloaded, but we’ve got too much work to do and now I got to hire three bodies, and let’s say for the sake of this discussion it’s 50 grand a pop for their annual salary, guess what? If you didn’t make your existing staff more efficient, well, then you can look forward to spending another 150 grand a year on warm bodies, right? To make up for the inefficiencies in the existing process.
And that’s always the way that I would go in and I would look at this. And so, there’s a number of different capabilities. One thing that I’ll note for the listener is that if you go out to the totalcompliancetracking.com website, go to the blog, just do a search for ROI.
And there’s one that we did. And actually, it was back in March of 2019. It’s an ROI calculator so that people can go and plug numbers in and play around with it based on their scenario. But some of the activities that you can kind of look at are how long does it take you to prep for your status meetings?
How long are you sitting in your weekly meetings? How much time is it taking you to create the manual storage system? How much time is it taking for developing a process for the collection of evidence and the tracking of compliance?
Then there’s the actual time spent by the folks on the team dealing with collection of evidence and tracking, organizing all that evidence, time going through things with your Assessor, things along those lines.
And then you can go plug in the average hourly salary of the person doing it. And you can start to get some summary numbers. But when I went through, with my consulting experience, and I looked at it, the team ended up spending about two to three times the amount of time on compliance activities previously.
And so if you figure that saves about 800 hours, then now run your hourly rate and poof, you’ve got your savings. So that’s really where the ROI starts to come into play, and I would encourage organizations to go through and run this ROI and figure out how much more efficiently they can run.
And it’s not just the poor person who happens to be the eye of the hurricane, right? Or the human glue, as I like to call it. But this burden is really spread out over maybe it’s five, 10, 15 different people on the team to varying degrees.
But if we just focused on the one person at the eye of this, we could probably justify the cost for our compliance management system easily. And it becomes like an absolute no-brainer when you start looking across an entire team of folks that now gain that efficiency.
That really has the ability to make a big, big difference in terms of how companies are looking at that compliance management internal process. And I’ll drop a link to both of those references in the show notes here.
So you’ll be able to click on them directly if you’re listening to this.
Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.