Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: Simplifying Compliance Engagements with Request Lists
Quick Take
On this episode of Compliance Unfiltered, Adam and Todd have a sound chat on the value of request lists when it comes to building in efficiencies to your compliance process.
Everyone is looking to do what they do better, faster and cheaper. Curious how to reduce redundancies? Wondering what you can do to create more hours in your team’s day?
You’re in luck, all these answers and more on this week’s Compliance Unfiltered.
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the whipped cream and cherry to your Compliance Sundae, Mr. Adam Goslin. Adam, how the heck are you?
I am doing fantastic today Todd, how about you?
I can’t complain, sir. I really can’t. Today, we’re going to chat about simplifying compliance engagements with the use of a request list. But Adam, I know you wanted to start this one a little bit differently, so why don’t you go ahead.
Sure. Thank you. Um, so, you know, just in general, uh, wanted to thank everybody for listening. We’ve been doing this for a week or, uh, a week or three, trying to help people in the compliance management space. Um, but if you guys can do us and your friends a favor, um, and it’s really a simple way to go about doing it. Um, a lot of times what I’ll recommend to folks is just, you know, ask them, how, how are you doing your compliance management? And when the word, uh, spreadsheets comes out of their mouth, um, for managing their compliance. Um, do me a favor, do me a favor, do us a favor, do them a favor, um, share the love, uh, direct them to episode 152 of Compliance Unfiltered. Uh, it’s a, it’s an episode on making the case for a compliance management system. Um, we also have other older material, et cetera, that talks about the, uh, uh, my, uh, undying, never-ending, uh, hatred for spreadsheets when it comes to compliance management. Um, so, uh, I know that we would appreciate it and I know that they will also.
Adam, what are some of the factors that push an organization towards using a request list approach?
Well, I’m going to tackle this from a couple of different directions. I like to use a phrase which I like to define when I use it called applicants. So in my world, just because if you think about it right for TCT, when I say customer or client, you know, is it an assessment firm? Is it the assessment firm’s customer? Is it the person that’s going through compliance? So I like to use a phrase called applicant, the organization that is applying to be certified. That could be somebody that’s just going through it themselves, could be a customer of an assessor, or a customer of a consultant. But in our world, applicants are those that are actually going through and putting themselves up against a particular industry standard compliance framework that they need to meet. So, you know, for applicants that are even on a single standard, PCI as an example, you know, there’s enough redundancy in terms of evidence provisioning when you’re doing these engagements, just on PCI alone, that the notion of, man, there’s a better way to go about doing this and I want to use a consolidated list style approach makes a lot of sense. I mean, you know, as you’re going through and you’re, you know, another reason why folks get pushed to a request list. So, you know, I started on, I started on HIPAA and then I went and I layered on NIST CSF and then I went and layered on ISO 27001, then I went and layered on PCI. So you keep getting these additional elements of complexity that get added to the, you know, to the engagement over, over time as you’re kind of gearing up with your various standards and certifications that either because your industry requires it or your customer base is pushing you, whatever it may be. That’s another reason.
You know, yet another is that for some organizations, depending on how, how complex their compliance engagement is, sometimes they need to track things down to a level of specific locations or where they have to share information from corporate down to what I’ll call child companies or sub entities of the organization, where they need to kind of share that evidence down. The bottom line is, is that there are a lot of scenarios, you know, it just from the people that are going through it perspective that they, they have a lot of opportunity for gather once, use many. Uh, and, uh, you know, even for assessors, if I, excuse me, even as I, you know, go in and I look at the assessor arena, you know, a lot of them have sought ways to streamline their engagements and many of them have a, you know, kind of a request list approach that they will leverage, you know, for their engagement. So, you know, it just depends on the organization, what they’re doing in the compliance management space, but you know, pretty much everybody, um, there’s an opportunity to, um, you know, certainly, uh, in a meaningful way streamline, but in some cases dramatically streamline the, the, the approach that they take to their, you know, kind of annual compliance scramble, if you will.
Nice. Now, what are some easy inputs different organizations can leverage to adopt the request list approach?
Yeah, I mean, a lot of the organizations that I’ve seen that have kind of tried to head that route, it almost feels daunting, and yeah, you know, it’s, it’s a good, it’s a good way for, for folks to go about it. So for applicants, those going through compliance, you know, checking internally with their folks that are boots on the ground in compliance. You may be surprised as a kind of a member of leadership; you know, they may have already taken a stab at trying to put together a better way to go about doing it. If you’re an organization that leverages a consultant to manage your engagement, find out if they’ve got something that they’ve, you know, that they’ve leveraged, you know, for, for your engagement that they can share. Also checking in with your assessors. Whether you got one assessor or more, many of those organizations will have a good starting point for the target, you know, the target certifications and standards that you’re attempting to go up against. You know, for the assessors of the world, you know, they may very well have one already. Now it might, it might be old, might be a little outdated, might need some dusting off, whatever, but, you know, they probably have something that they can go leverage for their handy how-to guide. You know, validating, you know, validating with your compliance personnel, you know, is, it would be a good idea if you don’t just have one that jumps out and hits you in the face with a two-by-four. You know, then go, go talk to the folks in income, you know, in, in compliance, whether they’re your assessors or whatnot. The one group often overshadowed in the, in the assessor, in the assessor firm are the, are the, are the poor souls that work in QA. In many cases they have, they’re often kind of shuttled off into the corner and, you know, they do their own thing and whatnot, and, and I think, I think that the limited number of QA people often, you know, kind of belies the, the, the capabilities that these folks have. They probably have taken a crack at trying to make things better, make things easier, you know, etc. So, you know, go and talk to your QA folks as well. Find out if they’ve got something that they’ve, you know, that they’ve done, because they may have something that’ll be a, you know, kind of a good, a good starting point if something isn’t already, you know, basically roughed in.
Now, you name it that it’s not, right? What can an organization do if nothing is handy for starting their list?
Oh, I’ve been in this position before and, uh, yeah, it sucks. Straight up. It sucks. Um, you know, I’ll, I’ll start with this. All of this conversation is made markedly easier if you’re already leveraging a quality compliance management system. And the reason that I say that is that, you know, for organizations that aren’t, I’ll go back to the aforementioned spreadsheet organizations, dude, your, your shit spread everywhere, everywhere. You’ve got, you’ve got evidence in your, you know, you’ve got evidence, uh, you know, bits and pieces. You’ve got them in email. You’ve got them in SharePoint. You’ve got them on your file server. Uh, you’ve got them in text messages. You’ve gotten, you know, post-it notes and meetings. You’ve gotten verbal, uh, updates in the hallway, you know, and, and, and, and, and long story short, your compliance data and information is spread all over the place. Which is part of the reason that if I’m using a, you know, using it of implemented a quality compliance management system, I now have, you know, uh, clouds parting, angels singing, you know, a quality compliance management system that I can go to. It’s one stop shopping. Everything’s there. And it makes this a whole lot easier. Um, you know, so certainly if you’re not already doing that, I may even suggest, go ahead that route because trying to herd all of the cats of all of those disparate locations, that’s going to be its own challenge. Um, so just taking on the notion of what do we do? Um, you know, my suggestion is you take one of your completed engagements that’s just wrapped up and you leverage that, that information that’s literally at your, uh, at your fingertips now, um, and start at the end, uh, at the end product. In other words, I’ve got this thousand list of, you know, kind of requirements. What, what all evidence did I use all across these thousand, you know, various requirement items and whatnot for each individual piece of evidence that was needed?
Where did I use it? And start basically reverse mapping your deliverables, uh, from the total list of everything that I’ve gotten, uh, and go ahead and start reverse mapping that back to a list of consolidated elements of evidence. While at the same time you got to maintain the mapping, um, you know, of, uh, of where, where all everything was leveraged as you’re going through that process. Um, you know, but that, that’s kind of the, you know, the, the best approach, if you will, if you’ve got to build this thing from scratch, that’s the way that I would, uh, that, and actually I’ve, I’ve literally manually done this on numerous engagements over the years, uh, as I’ve been helping people, uh, you know, make their compliance world slightly more sane. You know, in a lot of cases, we’ll, we’ll be working with an organization that’s just trying to, uh, you know, escape the hell that is their current, you know, compliance management process.
And so, you know, as we’re going through that, giving them directional systems, helping holding their hand, how do we navigate these waters and get you from this, you know, hell that you’re in now over to a kind of a happier place, if you will.
I will. Now, why are mappings important to preserve as you’re making the list?
Well, with those mappings, so, you know, if you think about the process I was just talking through, right? I go in and I’ve got unique elements of evidence. I’m keeping track of where all they go to as I’m kind of putting my list together. Well, with those mappings, now, once I’ve got this list of unique elements of evidence or information, confirmations, whatever, that I need to be able to navigate my compliance engagement and now I’ve got the mappings of where that element, you know, needs to go, I can now use the compliance management system so I can get my list into it and then once I’ve got an element of evidence along with all of its associated mappings, I’m now empowered on my next run that now I can gather up information against the consolidated list, I can place the evidence once and I can use it many times on, you know, across the track. So, as an example, if I, you know, I’ll use an easy one, but my overall information security policy on a typical full-scale PCI-style engagement, that information security policy is literally going to map to hundreds of line items, you know, it could be hundreds of line items just across PCI or if I’ve got more than one target, you know, kind of target certification, you know, now I can go load that, you know, that element and have it automatically, you know, kind of, you know, flowing over to all the locations on PCI and all the locations I needed on HIPAA and NIST CSF and ISO 27001 and I’m telling you what, it’s, yeah, it’s a different world when you start, you know, start heading down that route, you know, the other cool part is, especially for those organizations that have, you know, kind of, we’ll call it more complex, more complex scenario, I was talking earlier about, you know, corporate sharing data and information down to subsidiaries, you know, corporate, you know, needing to allocate evidence by location, you know, across their kind of configuration, you know, once I’ve got this consolidated request list, you can literally have almost like a waterfall that starts to happen as I’m going in and populating my, you know, I’m just using PCI again, as I’m going in and I’m populating my evidence over to my mainline PCI certification for corporate, that corporate PCI engagement can now start ripple, flowing the information down to the, to the subsidiaries. We also have the capability through the TCT portal to map and mirror evidence up that chain as well. So I can map information from those subsidiaries back up to corporate. It really just depends on what the target organization, what their needs are, we’ll denote how the system is, you know, you go in and configure the system, you know, but that’s pretty much what’s going to go ahead and drive that process.
Nice. Now, what can organizations do that are finding it daunting to create their list? This could be a lot for some new folks, especially.
Yeah, well, honestly, Todd, it’s, yes, new folks, they’re going to be absolutely over their eyeballs in terms of the water level. But even for the seasoned, seasoned folks in compliance. Part of this is that a lot of folks are creatures of habit. They rinse and repeat. They didn’t have time to go get this all lined up nicely before their next run at compliance. And so what do we do? We throw on the circus music. We go and do the same old dance again. And we all trundle off down the path and do the same thing we did last time, just because we know it works. And even for those folks, regardless of your circumstances, at the end of the day, come and have a conversation with us at TCT, whether we’re able to help directly or we can give you some directional guidance to get you headed in the right direction. We got some mad skills, and we know a lot of people that got some mad skills. So by all means, let us know that you need help. That’s the, what is it that’s the first step to solving your problem? Is it admitting that you have one?
The first step on the road to recovery is admitting you have a problem, right?
So, you know, and the reality is that I said this many times before, but we got into this space to help people make managing their compliance suck less. We’ve been doing it for well over a decade and, you know, at the end of the day, we’re here to help.
Parting shots and thoughts for the folks this week, Adam?
Well, I can’t underscore enough what a game changer, consolidated list approach, leveraging the AI of the TCT portal, what that’s going to do to change your world. It is a big deal. It doesn’t matter if you’re an applicant, if you’re an assessor. When you make this move and combine it with the AI of a quality compliance management system, you now have the capability to stage your organization to literally save hundreds to possibly thousands of hours across your organization across the course of a year. Obviously, it depends on how big you are, how complex you are, how many people you’ve got, and what type of business you’re in, and whether you’re an applicant or assessor. But long story short is that I think any organization would struggle not to justify the ROI of these systems. And really what I would implore the folks that are listening is just think about what could you do with all of that time. The best part about it is the time that you’re saving is time from people internally that have a ton of capability and skill. You think about the people on these compliance engagements. These are your real gear heads. These are people that are in your compliance arena that have a ton of broad spectrum skills. They could literally be used anywhere in your organization. And yet, what do you have them doing? It got them slaving away and burning time on their compliance engagements and whatnot. I mean, the bottom line is that you ought to have better shit to do with these people’s time, just being completely honest with you.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less.