Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: Imagine Using an Adaptive Compliance Tool


Quick Take

Struggling with compliance chaos? Join the CU Guys as they uncover how adaptive solutions can transform your compliance process. In this episode, Adam shares insights from his decade of experience, revealing how to streamline compliance with dynamic mapping and adaptable tools like the TCT Portal.

Learn to cut time, reduce risks, and save money by customizing workflows and eliminating redundant efforts. Perfect for compliance teams and leaders eager to see real cost savings and efficiency.

Tune in to revolutionize your compliance strategy today!

Read The Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process.

Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the fresh log on your compliance fire, Mr. Adam Goslin. How the heck are you, sir?

I’m doing good today, Todd. How ’bout yourself?

I cannot complain, I truly can’t. I hope everyone out there is keeping warm.

Goodness, gravy. As a matter of fact, while you’re inside and bundled up, not trying to fight the elements, go ahead and send us an email. Let us know your thoughts on the pod, any ideas you have for topics we should cover, or your favorite recipe for us to make when it’s cold outside. We’re gonna chat today, Adam, about, well, about using our imagination. As a matter of fact, let’s imagine using an adaptive compliance tool. Tell the folks about it.

Sure. This is a topic that’s, it’s just, it’s applicable for folks that are struggling with compliance, ones that are already familiar with the landscape, et cetera. It’s an inventive and special kind of torture that people go through when you’re trying to fit your compliance program into some type of a rigid structure or setup. At some point in the game, the light bulbs start going on, or maybe not, that you’re spending more time screwing around with manual workarounds, bridging gaps between what you’d like to do and what you’re actually doing, et cetera.

And there’s a lot of tooling out there and there’s compliance platforms. They were built in a kind of a best case scenario mindset, initially up against a single standard, and then they started shoehorning in other ones, type of a deal. Somebody that was originally when they started doing things, this is the way they did it. So they built a whole platform around that, and now everybody that uses it is kind of stuck with it, type of a deal. So for folks that are juggling different certs or have some complexity to their engagement, they’ve got different divisions across the globe, et cetera, then that’s where you start moving away from that kind of best case scenario type of a deal. And so it’s part of the fun, the adventure that we’ve been on is we’ve seen how frustrating it can be to manage a compliance, a compliance engagement that has complexity because we’ve been through it ourselves.

We’ve experienced as an organization that’s gone through compliance. We’ve assisted and helped innumerable organizations with managing their compliance. We’ve worked alongside assessors and auditors. I personally spent close to two years doing level one QA work for a large international QSA firm. So it’s been a rewarding adventure to navigate the waters of seeing what was out there and then being able to serve folks that are in this space. And it’s also important for folks. One of the biggest things that I like to tell people is a lot of people will kind of get into this mode. They do whatever they do to be able to manage their compliance. And they get it to a point where it’s almost like, I’m capable of getting this done. And so they go, oh, that’s cool. We’re just going to go and stick with that. So they get into this point of where it works, AKA they accomplished the objective.

But my big recommendation is for those folks, especially if I look at it from the perspective of those in leadership as an example, I love to use this talking point a fair amount because I remember as a frontline person responsible for compliance for the organization, my boss would just swoop by my desk type of a deal. And hey, it’s compliance season again. Good luck. Make sure that we have all our crap done by blah, blah, blah, blah, blah. And then he would flip off type of a deal. And between the good luck and where’s my fucking report, there was a whole bunch of blood, sweat, tears, pain, stress, you know, but a lot of that happened.

And so I bring all of that up just to, just to encourage, you know, folks that are in leadership, in organizations that are subject to compliance, you know, don’t just go under the guiding assumption that because it got done, it got done well, you know, just go back to the, you know, to those poor souls that you, that you breezed by their desk and wished them luck, you know, and go have post-conversations after the, after the engagement’s done, get it, get your hands on, you know, on what types of investments they’re making. And it’s probably one of the biggest disconnects that I see at organizations that are subject to compliance is that disconnect between the levels of, you know, kind of upper level leadership and those that are actually doing the work and the disparity between their collective experiences, if you will, while the, while the organization’s on their compliance journey, so to speak.

That makes sense. Now, what types of tooling do organizations use today in their struggles to maintain compliance?

Well, I mean, they fall into a couple of different, you know, kind of mainline categories, right? We’ve got the organization that started, you know, started, you know, doing compliance programs, you know, seemingly in advance of the invention of sliced bread. And we’re using whatever tools they had at their disposal at that time, which primarily, you know, centered around things like spreadsheets and somewhere to put files. So I call it something like a file drop zone, whether it’s somewhere on their network, whether, you know, they’ve kind of kicked it up a notch and gone to like SharePoint or whatever, you know, type of a deal, but some combination of a tracking sheet and a place to put files, you know, type of a deal, you know, and I’m going to kind of pause on each of these, you know, I’m going to kind of pause on each of these as I, you know, as I kind of go through, you know, go through. And we’ll talk about, you know, we’ll talk about each of these scenarios.

And, you know, in a minute, I’ll get to some of the, you know, some of the business impacts of, you know, of the tooling choices. But, you know, as I move on to like internally developed tooling, so for some organizations, somebody in the company said, you know what, there’s a better way to go about doing this. Kudos to them, right? You know, some person that has mad skills with development or, you know, or finds, you know, some type of a tool that will help to make this code easier. And maybe it’s a homegrown database. Maybe it is, you know, maybe it’s literally a custom coded application. Maybe it’s, you know, making these inventive scripts to be able to, to script stuff off of the, off of the Excel sheet or transmorphed into a, you know, kind of a different format so that it’s easier to manage with. Who knows? It’s actually pretty amazing having seen like hundreds of organizations that have been dealing with compliance over the last decade plus. It never ceases to amaze me. Some of the things that these organizations kind of come up with for ways to quote, make things better. But, you know, there’s some inherent downsides, which we’ll talk about here in a minute as well. The third group is folks that are actually using outsource systems to, you know, outsource systems that purport to meet the, you know, meet the need for the organization. But at the end of the day, lack flexibility or lack the capability to really optimize the program. You know, we talked earlier about, you know, kind of rigid, you know, rigid systems that were developed. A lot of times, and this is no offense to anybody in any one particular, because it doesn’t matter which one I use as an example. 
It doesn’t matter whether I, I started to work with PCI as an example, and now I need to expand that to, you know, ISOs and GDPRs and HIPAAs and, you know, SOC, or if I started with a SOC notion and then decided that, oh, hey, we’ve got a SOC platform, so we can go ahead and bolt on, you know, these other standards. You know, one of the, that’s a downside is that, you know, wherever it started, depending on the, you know, kind of the ingenuity of the folks that decided to start it, you know, means the level or lack thereof of flexibility for when they’re onboarding those additional, you know, kind of additional standards and whatnot that, you know, that they, that they start layering into their tooling.

So there’s a couple of different ways that those things kind of morph over time, but those are generally the kind of the three buckets that folks will kind of fit into, if you will, today.

Now, you teased it earlier, but what are some of the business impacts of inflexible compliance tooling?

Well, you know, at the end of the day, there’s a lot of potential risks that kind of come into place or potential downsides, right? You know, if I stick in that, you know, kind of that spreadsheets arena where I’m going spreadsheets and drop zones, one of the biggest challenges is even when you have the drop zones, right? Everybody, go put your stuff here. It was one of the biggest challenges that I struggled with before, you know, kind of stepping into, stepping into creating TCT was that despite the fact that I told everybody on the team, I want you to put your files here. It’s just human nature, right?

People, I’m sitting in a meeting for an IT status update and somebody says to me, oh, hey, by the way, I updated my stuff and I, you know, and I sent you an email, you know, with the, you know, with the details and another person, you know, sees me in a meeting or something and then is texting me, you know, compliance status updates through text messaging, you know, or the user didn’t have access to the kind of network share that was designated. So what they did is they went ahead and dropped it onto their OneDrive that they have access to, shared the link out to me and that came in through the email. So it’s like, and, and, and, you know, telling me updates in the hallway, you know, passing me notes in, you know, in meetings, you know, leaving me voicemails, stopping by my desk to tell me things, the, just the sheer volume of screwed up, jacked up, people can’t follow instructions, pain that I had to go through, you know, that was a reality and, you know, when you’re dealing with a spreadsheet, you know, you’ve got people stepping on each other’s toes with updates. You’ve got, you know, I’m busy trying to go in and, you know, I’m, even if I’m using a shared spreadsheet, well, if I, if I went in and I, and I updated this particular line item to say, Hey, I rejected this item back to Bob because I needed additional information. And then Bob’s going in to check the spreadsheet right before the meeting. He’s like, I just sent that to, I just sent that to Adam yesterday, you know, yesterday afternoon. Why the hell is this showing? It’s in my hands. Meanwhile, Bob hasn’t, hasn’t seen his email to see that the item really got rejected. My status is correct, but Bob just blasted my update, right? It’s just, it is a never ending panacea of shit that you end up going through on these engagements and trying to kind of hold all of these pieces together. It’s just, it just absolutely ridiculous. 
The amount of BS that the poor, you know, folks have to hold all of this together have to go through. And the saddest part is, is that you, you end up spending. So like, you know, as an example, um, you know, as we would start the compliance engagement, I would start on like, whatever a weekly cadence, right? Um, once a week, we’re going to meet with everybody on Wednesday at one in the afternoon.

And so what would Adam do? I would never, ever, ever schedule a status meeting for compliance in the morning. Why? Because that morning, right before the effing meeting, I would get, I would get stuff getting sent to me the prior, you know, the prior afternoon that the prior, the night before the meeting and the morning of the meeting. Meanwhile, I come roll in at 8 a.m. And I’ve got just, I’ve got so many updates to make to my status that I can’t even keep up, so I would schedule my compliance meetings in the afternoon so that I had literally four hours to go through all of the BS and try to figure out where is the status on all of these hundreds of items, if you will. And so every single week I would spend, you know, four hours trying to, you know, trying to figure that out.

Um, you know, as I started to get closer to, all right, we’re approaching the deadline with the assessor. Well, now I’d ratchet up the, now I’d ratchet it up, right? My normal, my normal meeting was Wednesdays at one. I’m going to put another meeting on, you know, Mondays at noon, you know, type of a deal. So we’ve got a couple of meetings a week to try to, you know, to try to pump things up. If the team’s running behind, maybe I escalate that to three times a week. Sounds great, except for the fact that now that four hours I needed to prep for the once a week, well, now I need to spend the four hours on Monday and Wednesday and Friday when I escalate it to three times a week. Right. And so, you know, now I got 12 hours, just end up dating the F and status. Weekly. We haven’t even gotten to the point where now we’re, now we’re sitting down with the assessor, we’re going through things and figuring out what they think about what we’ve, you know, what we’ve prepared, et cetera. And now not only do I have all the internal team to worry about all the back forth, but now I had to worry about what things went to the assessor, what things did the assessor reject? Um, you know, what things went up to their QA department that they rejected back down to the assessor that need additional inputs from, from the organization, you know, blah, blah, blah, blah, blah, blah. It just, it becomes mind numbingly difficult to manage this stuff. And you know, and so, and that mantra of, you know, kind of spending the time to, uh, to try to just figure out where I’m at, that problem exists, whether I’m using spreadsheets with file drop zones, whether I’m using internally developed tooling, you know, et cetera, all of those challenges exist kind of across the board. 
You know, unless the, unless you’ve got the, the whole team of the control owners and everything, plus the assessors all, you know, leveraging the same system and working off the same sheet of music, you’re going to have all of, all of those problems and they, they happen on every single freaking engagement.

So if you’re a company going through compliance, you actually have it easy. All you have to do is worry about your organization, where folks that are service providers, like consultants to compliant organizations or assessment firms, et cetera, well, they get this joy across all of their freaking engagement.

So it’s, uh, yeah, it, it, it is, uh, it is a world that has a lot of, uh, a lot of pain associated with it, so to speak, hold on coffee sip.

No doubt, man, that sounds rough, but I feel like there’s a solution coming. Please tell me there’s a light at the end of the tunnel that’s not an oncoming train.

Uh, I’ll tell you what, I’m going to go there, but I’m going to, I’m going to wrap up. I just needed a, uh, a quick coffee, uh, uh, coffee, coffee break here, uh, just, uh, to get some additional caffeine.

So I get the party rocking, but you know, the, for the end, one other thing I wanted to cover the internally developed tooling. Now that arena carries its own kind of special level of Dante’s Hell. If you think about it, right, who typically does the development of those internally developed tools? Well, normally it’s somebody in IT or maybe it’s one of your business analysts that has a hankering for being able to streamline things, et cetera, or maybe it’s something in your project management arena. Long story short, it’s somebody that is a very valuable resource that decided to jump into this fray, create this solution at some point in the game. Well, now fast forward. Now I have needs for the system that aren’t currently being met by the internally developed tooling. Meanwhile, the person that developed that tooling initially, they’re busy with day by day objectives and and mandates and whatnot from the business. And so this notion of maintaining the compliance tooling, it’s not even that it’s the second or third priority on their list. It’s maybe the 17th priority on their list. So you’re trying to compete with the business just to be able to get optimizations developed back into your tooling. Most of those organizations find themselves unbelievably frustrated because the necessary changes, updates, and whatnot that they need to make to the tooling, in some cases it’s for optimization, but in some cases it’s just literally in order to be able to function. So let’s say as an example, PCI goes from PCI 321 to PCI version four, which happened relatively recently. When that switch happened, everybody that had an internally developed tool had to basically gut what they currently had and redo it for the new version. Now let’s just using PCI as an example, but that would be the same regardless of the standard or certification. What if I needed to fold in a secondary standard or certification into the mix? 
Yeah, we were doing PCI, but now we need to do PCI and ISO, or we’re doing ISO, but now we need to fold in SOC and HIPAA, whatever. Well, the minute I got any of those types of changes now, I got to go back and I got to try to beg, barter, steal, et cetera, to just try to be able to get the time from the internal folks, which isn’t their full-time job to try to get this done. We’ve literally had in-depth conversations with some folks. Anyway, long story short, there are a lot of business impacts that are felt by the business, but again, I want to reiterate this. One of the biggest disconnects is members of leadership aren’t connecting all of this bone time on their compliance engagement. They don’t perceive that uppity ups, the way they look at it is, well, hell, we’re already licensing Excel. We’re already paying for these people, their salary, if you will. So who gives a crap? It’s not costing us anything.

Well, I’ll tell you what, you take that example I gave just a little bit ago, take somebody like me that was the eye of the hurricane that was putting in at its crescendo, putting in 12 hours a week. That’s like 30% of my week was literally spent just on herding compliance cats, just an absolute abject waste of time. And so I’d go back to those same folks that go, well, it’s not costing us anything. Really? It’s not costing you anything? You as a leader couldn’t have leveraged 30% of my time in a more beneficial manner than just pouring it down an F and drain. That’s not plausible. So that’s why I get worked up about this stuff because like, man, get the light bulbs on. Let’s have a real conversation here instead of this disconnect taking hold. So anyway, you were leading me toward the solution that’s light at the tunnel.

It’s been a rough one so far today. Oncoming train. I don’t know about all y’all, but I’m having a great time getting fired up about this. So no, the reality is that back in 2013 when I founded Total Compliance Tracking and we set about basically making the solution that we wish we had for compliance, which we affectionately call the TCT portal, it was built from the start to be adaptive. Yeah, we started on PCI, but I had experience across at the time, at least PCI, SO, NIST, ISO, HIPAA, GDPR, some of the FFIC stuff, et cetera, and had all of that as backdrop walking in. So while we started with PCI, when we structured the system, we built it in a way so that it would be very capable at adapting to the needs of the varying organizations that we were serving. We’ve worked with folks that came to us because they were tired of struggling with other systems that made the users fit into their approach. We have helped folks that were stuck in spreadsheet file drop zone hell. We have helped people that had internally developed systems that they could never get the time of day from the folks that wrote it originally to effectively and efficiently make updates to it. So that’s why when we designed the TCT portal, we wanted it to be a high performance compliance management portal that would serve complicated and complex compliance engagements. We felt that pain of trying to put the round peg in the square hole and whatnot, and the notion of building a system that would allow the users of it to be able to adapt the tooling to the way that they take their compliance approach. That was kind of at the forefront of what we did and whatnot. So we didn’t want to be forcing people into our vision of how to run an engagement, but we wanted to be able to kind of… I don’t know. It’s the craziest notion as a vendor in this space, but we actually wanted to serve our clients. It’s crazy. 
Time after time after time, we’ve had organizations that have come back to us and expressed tremendous relief and satisfaction because they could finally use a tool, set it up the way that they wanted, the way that they needed.

They were able to eliminate waste of time BS on their engagements. Stress levels went down for their organization over time, over time, drifted away.

And a lot of the complexities that they were dealing with or struggling with, with these manual or semi-manual or rigid systems, started to kind of shift off. So there was a lot of thought and really forethought that went into how we do what we do for the customers in the security and compliance space.

Well, what are a few examples of the ways that the TCT portal provided the flexibility that organizations need to supercharge their compliance?

Well, there were a couple of different things that we put in specifically. I mean, one of the things that I tell that I try desperately to get organizations that are using the tooling to kind of get in the mode of is don’t get it set up to the point that it works and then stop asking questions and just keep doing what you’re doing because now you’re doing exactly what I was saying.

Don’t do that with your spreadsheets and blah, blah, blah. If you’re sitting there thinking to yourself, there’s got to be a better way to go about doing this, you know, um, bring that question back to the TCT crew. I mean, we’ve got the knowledge, we’ve got the experience. Yes, we tried to set up a, you know, set up a system that was streamlined, easy to use all that fun stuff, but you know, really, you know, ask the questions. You know, the, the, the outcome is going to be most of the time. Oh yeah, we can do that. All we have to do is flip these three levers and poof, you know, a poof. You can go ahead and do exactly what you wanted to do. Um, that’s what happens the majority of the time when we have those discussions. Um, but it’s more about just kind of understanding what is their goal, what’s their objective, what are they seeking to accomplish, you know, and then we can help them, you know, navigate those waters. The best part is, is that if they’ve come up with some feature or function that we don’t have currently, you know, currently in the system, well, number one, there’s a really good likelihood with all the other inputs that we’ve gotten that somebody else has also asked for the same thing, in which case, you know, we can tag their name with the, you know, with the request, uh, otherwise we’ll go add it to the list of things that we’re going to go in and do. Um, so it’s, uh, it’s been, it’s been a fun ride. I’m going to watching this unfold, but, um, going to some of the specific features that we’ve, that we’ve built in that make a difference, uh, you know, for, for our clients is, um, you know, right from the start, we integrated, uh, the capability to be able to do, um, you know, mappings within the system. 
Um, initially that started with, you know, our ability to take like a full blown PCI ROC and map the control sets off of the PCI ROC over to let’s say an ISO 27001 or a HIPAA, uh, engagement, uh, and basically being able to share the evidence off of your PCI track with other certification standard tracks. Uh, and while doing so literally instantaneously. So as an example, the minute that I go load up the information security policy to the PCI, it would immediately show up in all of the right spots across a HIPAA and across an ISO 27001 same thing with the network diagram, same thing with firewall rules, same thing with access controls, you know, and, and, and, and so, um, you know, it is beautiful watching that, watching it unfold from that perspective, uh, because, you know, it’s load, load once use many, you know, all that fun stuff. Um, you know, maybe the organization decided to go down this route, or maybe you’re working with an assessment firm that in either case, um, either of those parties could have, and let’s stick with this PCI HIPAA ISO, uh, you know, type approach, maybe the company itself said, has already done the leg work and said, Hey, I know I need this information security policy and I know that I need this one policy on all these locations across PCI and ISO and HIPAA as an example, so they’ve already done the legwork to kind of map out almost like a document request list and a lot of assessment firms have a similar notion where they’ll give a unique list of requests to the, you know, to the target organization, um, have them fill that in and poof, it’ll, you know, all go map into the standards of search.

The best part is, is that because of the fact that TCT portal is a platform where right now we’ve got like 85 plus different, um, standards on the platform. It continues to just grow.

Um, you know, because we can load any, uh, industry standard compliance framework to the platform, uh, it also allows us to load up document request lists, things along those lines into the, uh, you know, into the, into the system. So, uh, that’s one area where taking advantage of the, of the, of the capability of mapping really makes a difference and the, and the best part about it is that, um, with, when you’ve got, you basically either your, or your assessor’s, uh, request list, uh, mapped into your compliance tool, guess what? Now you can keep a man, you know, you can, you can keep and manage your own system. It’s in a format that you and your people are already used to, or your assessor’s used to, um, you know, your, your closing communication gaps, your, uh, you’re making sure that you’re, you know, mapping things directly to the right locations for, you know, for your assessor you’re, you know, doing the load once use many, um, you know, et cetera, this, this could happen across multiple, uh, search or standards. It could happen across multiple assessors, uh, you know, et cetera. And, you know, one of the biggest things that, that I love to encourage organizations subject to compliance is, um, own your own compliance management system. It’s one thing for your assessor’s life to be made easier because of the fact that they’ve forced you to use their compliance management system, but that means that the target organization doesn’t gain all of those same benefits that they can retain for themselves in terms of streamlining and whatnot. So, you know, if you, if you’re able to, you know, go license the TCT portal yourself, now you can use that with, in association with your assessors. If something happens and whatever, you know, all sorts of things happen, right?

Yeah, I get bought out. Um, my parent company has a different assessment firm. Now we need to switch. You’re not literally lighting a match to your, to your compliance system that you decided to just use the assessor system for, um, that’s, that’s a big, big deal.

Um, a different arena where, you know, where we’ve got, uh, some capabilities for, you know, kind of complicated engagements, it’s what we call requirement splitting, so in our, in our system, you know, you’ll have, um, maybe, uh, you know, multiple types of firewalls that I need to gather evidence from. Maybe I’ve got a specific physical, uh, you know, physical locations where I need to collect up physical security evidence. Maybe I’ve got two different types of operating systems and I need to go, uh, you’ll go gather baseline data and information on, et cetera, whatever the example may be, um, TCT portal has the, the ability to, uh, to split out a particular requirement. So let’s just stick with the, I’m going to make this easy for the sake of this discussion, let’s stick with, I got two types of firewalls, so I need to gather evidence across each of those firewalls. Well, excuse me. When I go in and I do that, I can split my, I can split my firewall requirements across the line. I’m just going to say, uh, Fortinet and, uh, and, and Cisco ASA, uh, as an example. So I can split it across the Fortinets and ASAs, uh, and then have a separate bucket for each of those systems across each of the controls that I need to collect information on against firewalls. Uh, the best part is usually in mo in a lot of organizations, the person that’s the Fortinet admin isn’t the same person that’s the ASA admin as an example or whatever use, you know, Windows and Linux or whatever you want, but oftentimes it’s different people, right? When I do the splits, the beauty of this is now, when I split that item, I can assign the ASA items to the ASA admin. I can assign the, uh, the Fortinet items to the Fortinet admin. And now I have at detail level automated system tracking that all the way down to that level. 
So, you know, I don’t need to, because what would happen before, back in the day is I would take that requirement for firewall and I’d need to remember if I’m the, the Fortinet admin, I would need to remember that, Oh yeah, I need to double check to see if the, uh, if the, the, the ASA admin applied their stuff. More often than not person would forget. And so what happened is the Fortinet admin would go add their stuff. They moved that up the workflow. Um, somebody say, you know, one of the, one of the reviewers sees it and says, well, where’s the ASA stuff pushes it back down. And what happens? The Fortinet admin that already submitted the evidence look is looking at this kind of shared requirement and going, well, my stuff’s done, boom, they punch the button for move it back up the workflow again. So now all we’re doing is shuffling peas and carrots on the compliance engagement. It’s just, it’s a nightmare. So, um, you know, you can do splits across kind of any, uh, different type of engagement that you wish, but that’s kind of the, the notion there, if you will.

Sure. Just wrapping up here, how did TCT’s operational mode come about, and why is that helpful for organizations to graduate to?

The, honestly, the capability for operational mode came about quite simply because we were constantly hitting, we had clients that were doing the atypical annual engagement. And we were getting to the assessment and discovering that for a myriad of reasons, somebody forgot to do something in quarter two. This position turned over in late Q2, early Q3. So the responsibility shifted, but there was no valid handoff to the next person taking over what needed to be done. We’d be literally sitting in front of the assessor with shorts around the ankles and basically trying to explain away why did this issue happen and whatnot. So we wanted organizations basically to have their absolute crap together by the time before they got to the annual review.

And so operational mode just allows items that need to be done every day, week, month, quarter, semi-annually to get spread across the entire compliance cycle so that the right things are being done at the right times. It also allows you to even spread out your annual items so you don’t have this gigantic kind of compliance item purge that happens in your Q4 of your compliance as everybody is trying to get ready for the annual. You can spread those out even across the course of the year. The right people are getting the right reminders at the right times, you know, et cetera. The overseers have the capability to tell if anything’s overdue, are we keeping up with our operational requirements. It is literally like an insurance policy for going and walking into your annual assessment and being able to walk into it confidently. You know beyond any shadow of a doubt, I have all of the things that I need to be able to go in and do this. It’s just, it is magical. It’s automated. You’re not blowing time trying to figure this crap out. The system is basically doing the heavy lifting for you. It’s a really, really big deal.

There you go, parting shots and thoughts for the folks this week, Adam?

Well, one of the things that I wanted to just layer on, you know, is the operational mode, I can’t begin to tell you how much I would encourage organizations to take that type of an approach. It makes things easier.

It reduces risk. And one of the things that I’ll tell folks is like when they, when they’ll onboard with TCT, they’ll say, look, do your, you got to have your first, you know, kind of engagement. So, you know, you need to, uh, what I tell them to do is I tell them, Hey, go in and do your first engagement on the, you know, on the portal. The minute that you get that unwrapped up immediately spin up. So let’s say I’m in the middle of 2026, spin up your, you know, your, your track for 2027 right then and there allow your operational mode to take effect, and that’ll keep you on track. Um, you know, for, you know, for folks that have lived in this space for some period of time for folks that are listening that are, you know, kind of brand new, do me a favor and just, uh, you know, and especially if you’re in members, if you’re on the level of management for the organization, do, do me a favor, ask questions, let’s have a conversation. Um, you know, we’re just literally, we, we got into the space to help people make their compliance suck less. Uh, we’ve been doing that since 2013. Uh, we’re here to help people in the space. Long story short, we, uh, we want to try to make your lives better.

And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow, and I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
