Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: Communication and Compliance
Quick Take
On this week’s episode of Compliance Unfiltered, Adam and Todd really break down the importance of quality communication in the world of compliance.
- Why is communication a challenge when it comes to the compliance realm?
- How do you get your team prepared for changes in communication?
- Wondering about consolidating communications and the impact it can have on your compliance approach?
The CU guys have got you covered. Plus, Adam will give you the inside track to successful meeting frequency and anticipated outcomes. All this and more, on this week’s episode of Compliance Unfiltered.
Remember to follow Compliance Unfiltered on Twitter.
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.
I’m doing fantastic today, Todd. How about yourself?
Man, I cannot complain, I really can’t. Today, we’re gonna talk about something that’s near and dear to my heart, and that is team communication and compliance. So talk to us a little bit more. Why is the realm of communication challenging in the compliance space?
Well, you know, when you’re on a compliance engagement, anybody that’s done it before, it doesn’t matter where you are. It doesn’t matter if you were the person going through it. It doesn’t matter if you were the consultant, you know, kind of trying to play matchmaker. Doesn’t matter if you’re the assessor. Communication on compliance engagements typically is an absolute cluster F. You know, you’ve got, I mean, you’ve got stuff coming at you from every single fricking direction, you know? You’ve got, yeah, you got, okay. So you got your regular, you know, you got your meetings. You’ve got, you happen to be in a meeting about something else and, you know, whatever. Bob decides to go tell you at that point in the game, critical information that you need to know about the compliance engagement. You know, so now you’re trying to write a note down on a piece of paper or put it someplace and, you know, blah to bring it back. You’ve got people calling your desk phone, your cell phone, leaving messages on both of those text messages. You know, I mean, with the advent of all of the various communication tools we’ve got now on our teams and Slack and, you know, blah. You know, you got all those channels flying at you too, you know, emails and, and, and it’s just, you got, you’re typically dealing with, you know, dozens of people and, you know, and a dozen plus different communication channels. So, you know, everything kind of feels, feels like you’re running by the seat of your pants. You know, you’re just barely putting out a fire and three more pop up. It’s almost like a whack-a-mole, you know? It’s, and then you’ve got the other problem, which is that, you know, certain people or whatever, you know, they were supposed to get you something by filling the blank, but now they’re non-responsive and now you’re having to hunt them down, you know, especially like some of the external vendors, you know, they can go radio silent for, you know, for weeks, you know, type of deal. 
You know, it’s, it’s a high stress arena. You know, you’re heading in a lot of directions. There’s, you know, despite your efforts to try to hold everything together and herd the cats, you know, herd the compliance cats, you know, it’s, it’s, it’s, it’s exhausting. And so, you know, when you, when you then go look at, you know, what can we do to make things easier? You know, certainly communication comes, you know, back into that mix, if you will.
Most definitely. Now, why is good communication critical for compliance management?
Well, the reason that it’s important is that, you know, not just important, but it is literally critical that that you get the communication parts right. Um, you know, is that everybody struggles with this, internal staff, vendors, consultants, assessors, you know, your third, you know, your third parties that you’ve got, I don’t know, I mean, you got to, you know, outsource, you know, legal or HR people, whatever it may be, it’s just, it’s, it’s, it’s a huge, huge, huge challenge. Um, you know, so, you know, communication is usually one of those things that, you know, people, people will sit there, they’ll go, Oh, well, you know, we’ll make, we’ll make that better next time, or next week, or, you know, it’s like, I know, it was funny, I was talking to you, they just remind me or something. I was talking to a guy and he said that, he said, there was a place that used to work, it was a, it was like a restaurant slash bar. And up on the wall, they had free beer tomorrow, was the, was the sign. And I’m like, I like that. So emulates, you know, what happens on these compliance engagements? Because, you know, we’re like, yeah, we’ll solve the communication problem tomorrow. But no, I mean, you know, when you’re when you’re trying to get your arms around certification, you know, and, you know, you say, okay, well, what’s on my, you know, what’s on my top list of items that I want to take seriously, you know, working on the communication usually lands in, you know, around like item 100 or something, just because everybody’s got all these other, you know, burning, burning ass emergencies that are popping up. So, you know, I’ve, you know, it’s interesting and kind of putting it into putting into context, you know, clients that you first start working with, and you’re trying to get, you know, trying to get them head in the right direction, etc. You know, it’s a challenge. 
But the interesting part is that for folks that have worked with for let’s say, three plus years, you know, the communication issues dramatically get mitigated over that period of time. And it’s not a coincidence that they’re able to, you know, slice the amount of time they have to spend on compliance stuff, security and compliance stuff, they in many cases, it’s half, you know, half or more of what they initially spent, you know, kind of going through it. So there’s some big, you know, some big benefits there. You know, the organizations that were able to, you know, kind of gain those dramatic efficiencies is, you know, streamlining their workflows, eliminating communication problems, you know, getting everybody on the same page. I can tell you with certainty that there’s generally resistance, you know, at initially, but you know, by the time that we get to kind of the end of the engagement, the end of the first year, you know, it’s interesting, the same organizations that were, you know, kind of vehemently adamant that we need to, you know, we, we function by, you know, leveraging these 18 billion modes of communication, you know, type of thing, what they find is that, you know, there’s there’s certain advantages to consult that consolidation and streamlining, you know, that they, you know, that they can kind of go through. So it’s fun watching those that I’ve worked with, you know, kind of seeing the light bulbs go on of, you know, we didn’t understand what, why you were so insistent that we did fill in the blank, but now we get it. And so it’s kind of fun watching those, you know, watching those light bulbs go off.
Most definitely. How does one get the team prepared for the coming communication chain?
Well, certainly, the foundation of any kind of good communication is to set the stage, right? You know, you do want to make sure that you’re, you know, how you’re starting the engagement will, you know, it will really kind of determine how it goes. So, you know, the way I put it to folks is that, you know, you need to, you’re getting a lot of pressure to get things going. Typically, when the security and compliance are going to start getting heat, it’s generally because there’s some business, business impetus that’s behind it, some big opportunity, some big client, some existing client that, you know, now wants more, whatever it may be. You know, there’s, you know, there’s usually a lot of pressure to just get it going. And so, you know, I’ll typically see, you know, see folks, you know, using that, you know, ready shoot aim approach, you know, which the problem is, is that, you know, just amassing the troops and starting to run, you know, means that nobody knows where the hell they need to be running or how they need to be running. Is this a long run or a short run? Should I be jogging or sprinting? You know, et cetera. So, you know, you really want to take a, you know, kind of take a moment and get the lay of the land before, you know, before you set out. So the folks on the team, there’s some things that they’re going to want to, they’re going to want to communally understand, you know, about, you know, about what we’re doing here. So certainly, first is the scope of the engagement, you know, how broad or how tight is this scope going to be? You know, what, what are the priorities that we need to start getting into initially and who has their name tied to those things, which are kind of the first round of, you know, round of deliverables, if you will. So, you know, kind of laying that groundwork with your internal team so that you can kind of get, get off on the right foot. 
That’s important. But similarly, you know, you also want to make sure that you’ve got, you know, kind of those around you involved, you know, it kind of be involved in understanding their role. So certainly, I would recommend to folks, especially up front, you know, get your own internal team with their arms around where we’re heading, why, who’s doing what, etc., then get the, get the assessor engaged right out of the gate too. If you have to have an assessor, you know, if you’re subject to having an assessment, get the assessor involved as well. They don’t have to sit there for fill in the blank number of months or weeks or, you know, in some cases, to go get through all of your preparation. But certainly having them involved out of the gate, understanding who players are, feeling like they’re part of the process, that will, that’ll win you a lot of, you know, it’ll win you a lot of kind of good karma as you head down that path. The more the assessor, that feels like they’re part of what’s, you know, they’ll be. But getting everybody kind of on that same page, heading in the right direction, it’s huge because, you know, the way we start these things out, it is enormous to make sure that you’ve just kind of got the baseline set.
And really, that doesn’t matter if I’m doing this for obviously the very first time it’s critical. But even if you’re going into year two or year three, you know, pulling the players together, you know, laying the groundwork for your next, you know, for your next run, incorporating any lessons learned, things along those lines, just a good way to start it out.
Well, I guess that kind of leads to the next question, which is like, how do consolidated communications help?
Well, number one is that if possible, if humanly by was going through the example earlier, right. You get the slacks and the, you know, this this communication thing and emails and texts and multiple phones voicemails, you know, and, and, and network drop zones, you name it. It is, it is astronomically challenging when you’re in that environment. It’s almost impossible. Yes, it’s the way I look at it is organizations that do that to their compliance people that it’s your own damn fault. You’re setting these people up for failure. If you’re going to force, you know, kind of force people to operate in that manner. I mean, it’s literally your own damn fault that things are taking so long and blah, blah, blah. Now, you know, I, I tell when I when I get started on an engagement. I emphasize, we are going this is for folks that are going through a compliance engagement leveraging the TCT portal, is that I’ll let them know I’ll say look, I don’t care. Every single element, aspect of communication on this fricking engagement is gonna go into the one single channel and repository that we have as a master location for all of our stuff sits, and I have gotten you know, like I said earlier, I’ve gotten push back from clients, but, um, you know you start doing the fuzzy math about how broad and wasting time it is you know, validating and changing back in all these various locations, because it is in these disparate channels, now you have to track it all manually, you know, etc. And next thing you know, you’re spending valuable hours every single week, just where the hell is that messaging and lot of people have sent to me, well you know was it the text message, or wait a second was it a voicemail, and no, you know you’re just wasting time looking around, and so, only to find out that, Oh Crap, it wasn’t any of those things.
I remember hearing their voice and it was a phone conversation but I neglected to go write the notes down, from it and now it’s on me to go follow up you know?
When you have that single channel of communication, it’s awesome because then you know, I go to one place and I know exactly where everything is or isn’t, you know type of thing and don’t need to figure if somebody did fill in the blank I go to that place and look. You know, oh my God, you and that alone, saves such an astronomical amount of time on engagements that it’s not even funny.
Well, how does accountability play into communication here?
Well, you want to make sure you’re keeping the, kind of keeping the team accountable. Setting out those expectations, kind of either at the beginning of your annual run or your or whatnot. Yeah, it’s a good thing to go in and do. Make sure that the team knows that they’re going to be held accountable through the things that are needed. And it’s not because, some people, it’s so weird. Some people take into taking offense. Well, I don’t need a babysitter. I don’t need somebody micromanaging me or blah, blah, blah, blah. You know, the accountability isn’t those things. Because things happen, right? I mean, Mary may have had every right intention to do fill in the blank on such and such a date, but you want to know what? Your boss is, and I’m the compliance manager. The compliance manager’s boss’s boss told her she needed to redirect and do fill in the blank. So what are we all going to do? Nothing other than go, switch around the dates and whatnot. You don’t need to nag. You don’t need to micromanage, but keeping them accountable, absolutely. So, making sure that you’ve got task reminders on a weekly or possibly daily basis so that every team member is kept apprised of, what’s coming up, what’s due, what are they behind on, et cetera. And then carry that management and tracking forward into meetings and whatnot. You know, ask about those due and overdue tasks. Is there some type of a problem? Does the team member need help or clarity? I can’t tell you how many times I’ve had conversations with, you know, whatever. This thing is due on Tuesday the 17th of blah, blah, blah. And you get to Tuesday the 17th and you’re on the call with so-and-so. And that’s when they go, you know, I didn’t quite understand what it is that I needed to provide for, yep, blah, blah, blah. It’s like, go, this is, these are questions that would have been helpful yesterday.
You know, so, you know, the bottom line is, is that it’s, and I’ve said it before, compliance engagements, I don’t think there’s anything that epitomizes them more than cat herding. You know, it is a true exercise in patience to be able to navigate the waters on these things. So, you know, but making sure, do they need that help or clarity? What can we do to help support them? Do they keep getting pulled off? You know, we talked about earlier, you know, about cutting interruptions, boss, boss, boss, you know, yank somebody off to go do some critical blah, blah, blah. You know, okay, it happens. But in the same sense, those same uppity ups are the ones that are gonna be, you know, that are gonna be stomping on your skull when, oh, why is the compliance engagement running behind schedule? You know, it’s like, well, all right, which side of our mouth are we gonna be talking out of here? Are we talking, are we gonna talk about the side of the mouth where it’s just, you know, whatever I say goes, or are we gonna get into the land of reality?
You know, which is if you’d stop pulling people and yanking them and changing their priorities and blah, blah would allow us to do this in a lot more efficient fashion. So sometimes there’s some tough conversations that need to happen with the, you know, with the compliance manager that, you know, kind of go back to, you know, various members of the team.
So, how often should the different groups be actually meeting?
Well, number one, and most importantly, meet regularly. Um, it’s probably the thing that, uh, that in some cases organizations are kind of gripe about, um, you know, is you’ve got to meet frequently and depending on where you’re at in the continuum, depending on what pressures are coming from, you know, externally, AKA above your head within the organization or clients or whatever. Um, you may need to drop things down to twice a week, every day of the week. You know, who knows. Um, you know, the, the, the thing is, is that people, people generally don’t have a hate, well, they’ve grown a hatred of meetings because they really hate pointless meetings. So if you’re, you know, and then that’s, that’s a part of the reason why people have been conditioned to just effing hate meetings is because there’s so many of them that are complete, utter waste of time. So make sure as the, you know, as the kind of the cat herder, the compliance cat herder, if you will, um, you know, just make sure you’re ready to go. You have organized, you keep it short. You keep it brief. You keep it to the point. I mean, I, I, I got into a, you know, kind of into a habit of literally kind of driving those discussions. And, you know, yep, we would clear through a ton of content and blow. We get it done in 15 minutes and be back off the effing phone because that way, you know, everybody can go do their thing. So, you know, when you go in and you’re, and you’re talking about your internal team, you know, there’s, you know, you want to meet with them at least once a week, um, probably more frequently, um, use those meetings for checking in on each person’s progress. Um, you know, the, the, the important part here is, and one of the things that I tried to, that I tried to do when I was managing engagements is be cognizant of who actually needs to be there.
Have you got 20 people, uh, on the team, but you don’t have any open due or overdue elements for, you know, 10 of the 20 people will cut them loose from the meeting if they, if they, if, because they’re diligent, they just wanted to show up just in case and blah, blah, blah, that’s great. Thank you so much for joining. I really appreciate it. I’m going to give you minutes back in your day. I’m going to cut loose, you know, Bob, Sarah, Mary, and Edward, all of you guys. You’re all set. Thank you so much for joining, you know? And then just cut them loose and you do that for 10 seconds, you know? Um, they appreciate it. I appreciate them, you know, showing up perfect, you know, keep it moving. Uh, but. You know, if you’re either one of the benefits, and we were talking about TCT portal earlier, the benefit of TCT portal, and this is a piece where the light bulbs don’t quite go on for people until they tuck it in, using it and seeing the benefit, is that the project status is live. It’s a live, it’s a dashboard, it’s automatically updated based on activity within the system, you don’t need to go hunt down where are we at, you know, blah, blah, blah. You just pull up the fricking dashboard and you’re running.
So, you know, pull up that dashboard, pull up your current status, and start running through any of the specific issues, any questions, concerns, difficulties, what do they need help with? What executive do I need to go corral and tell them to stop yanking people? You know, and so clear through that, you know, make sure that things are moving. The other important element is that, is that if you’re in there using the portal, again, consolidated, all your consolidated compliance communication in one spot, as you’re going through and you’re talking with, okay, Bob, I know you’re going to try to get this for today, but now you’re going to be targeting Thursday. Fantastic, awesome. You know, then put the note in there. Bob’s going to, you know, go ahead and deliver this Thursday. That way you remember what the deal was with that particular item when you get to, you know, looking at it later in the week or come the next week, et cetera. But, you know, like I said, you should be able to, with a compliance management tool like the TCT portal, you should be able to clear, generally speaking, you should be able to clear your status meetings in 15 minutes or less. And everyone, even though they’re going to fear the fact that you’re setting up the meeting, we’ll be eternally thankful. You know, when we get to the external partners, you know, things like assessors, vendors, you’re going to need to communicate with them as well. I would not, under any circumstances, similar to how I said, cut loose the people on the internal team that don’t have something that’s open, do the same thing, you know, be cognizant of the assessors and the vendors, you know, in both cases, you know, they’re there to help, they’re there to fulfill their responsibility, but, you know, their time’s valuable. So, especially the assessors don’t want to get dragged into week after week after week at completely useless meetings.
You know, if that doesn’t make any sense, it’s actually going to make them kind of begrudge what they’re, you know, what they’re doing, getting drunk through. Similarly with vendors, at certain points in the continuum, you’re going to need this particular vendor for this particular conversation. You know, put them, don’t even put them on as optional on the meeting notices, specifically invite them when you specifically need them. And then with the assessors, you can do the same damn thing. You know, don’t have them on the regular weekly meetings, but, you know, as you get to a point where now we’re really starting to turn and burn, now you can go ahead and fold them into, you know, kind of into those meetings. The other arena that I would call critical for communication, and honestly, it’s one of the most neglected communication tools that compliance managers have. And that is clear communication to the executives. We talked about some of the ancillary issues you need to get resolved with executives, but, you know, the people on the executive team, they do not need to be in the, you know, eyeball deep conversation about how exactly we’re, you know, how exactly we’re going to go ahead and tune our file integrity monitoring system.
You know, they just, they don’t give a crap. All they want to know is are you done yet, you know? You know, type of thing and high level. So, you know, you know, kind of gear your, you know, kind of gear your communications based on the audience, certainly for the execs, you’ve got to keep it at a big picture milestone level, et cetera, they all have mouths and emails and blah, blah, blah, blah. They can go ahead and open their mouth if they want to know more about fill in the blank. But generally speaking, walk into it with that notion of executive level overview, you know, at a high level. They trust you to take care of the day by day and that you’re doing your job, otherwise they wouldn’t be giving you a paycheck. So, you know, but having those periodic meetings for, you know, with the executive leadership, it’s really, really important. You want to, you don’t want to, you know, meet with them too often. So you don’t need to meet with them once a week, but maybe once a month would be appropriate. You know, you can gear it based on your organization. You know, is it a… every three weeks, is it every six weeks, whatever. But make sure whatever you’ve established, stick with that. It’s really, really easy. What I’ve seen, especially for the status updates and the execs, is it’s really, really easy for them to go through and just, ah, I don’t have time for this. I’m gonna go ahead and kill, I’m gonna go ahead and kill the compliance status meeting type of thing. It seems to be one that they’ll typically toss off, but you definitely do not wanna be in this arena where they haven’t heard from you. And I’ll just make it, I’ll just go with scenario game. They haven’t heard from you in three to four months now. Not a peep, no idea, right? And everything that they know is everything’s on track.
And all of a sudden, six weeks before we’re supposed to be done, now we’re popping out of the woodwork and going, oh yeah, by the way, we have this problem that occurred, and now we’re gonna have to push back by another two or three months, they’re gonna hit the ceiling tiles, hit the ceiling tiles, because they’ve been in the dark for this entire time. Well, and they have to, and I know about the stuff earlier, blah, blah, blah, blah. If you’re meeting with them every three weeks, four weeks, whatever it may be, now you’ve got an opportunity to kind of go, you know, go back, you know, to go back, gain their support. There’ll be, you know, kind of more behind you, if you will, you know, et cetera. It’s really fun when you watch a compliance manager that’s kind of really got it together, especially with the executives, the amount of, you know, kind of tonal shift in how they view security compliance within the organization. It’s dramatically different when they’ve got that continuous stream of internal communication.
Now, when do you typically see these changes being effective?
Well, you know, we’re, we’re, we’re trying to, we’re trying to basically, uh, you know, wrangle the cats, right? You’re going to need to give it a little bit. Um, you know, even if, even if you go through, if an organization goes through, does everything that we’re telling them to do, et cetera, you’re not going to master them year one. It’s just not going to happen. So give it some time. Um, you know, what I typically say to folks is your, your very first run through compliance is going to take fill in the, you know, is, is going to take as long as it takes to be able to kind of get there your first full year of maintaining compliance. You’re again, you’re going to now you’re now shifting into this new arena. Um, new arena of actually maintaining what you said that you, you have in place initially, um, it’s going to have its own series of challenges, et cetera. So, you know, your, your first trip to the compliance rodeo is going to be painful. Uh, your first full year will be slightly less painful than the first trip because that was horrifying. But what a, you know, a lot of folks underestimate that first full year. Um, then once you start getting into the second full year of, you know, kind of operational compliance, now you’re going to start to see, okay, now I’m starting to see, uh, dramatic, you know, kind of significant improvements, streamlining, et cetera. Usually it takes until you’re into kind of your third or fourth year of, of what I call operational compliance, maintaining what we’ve got before you really see things kind of settle out, uh, you know, settle out, really gain that level of efficiency. But, you know, the unfortunate part is, is that it, it takes time. But earlier on I said, Hey, if you’re going to go do this, then you need to be, you know, you need to be the one that is, you know, kind of driving on this ship.
You need to enforce that they’re, you know, actually going to go in and, you know, do these things and follow the communication path that we’ve got set out. Um, but if you stick to your guns, if you, if you enforce that as you go, remind people mercilessly, then, uh, you know, you will, uh, you, you will certainly see the benefits in the long run.
Excellent. Parting shots and thoughts?
Well, if you can’t tell, given we managed to somehow fill up, I don’t know, 20 something minutes worth of just talking about talking, communication is an arena that is extremely underrated. Organizations really need to focus on it. As far as I’m concerned, it’s one of the most critical elements to get right for a successful engagement, because if you don’t have this right, you’re just making your life miserable. At the end of the day, all the planning and all the prep will be worth it. You just gotta give it time. That’s the good stuff.
Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less.