Avoid the Common Mistakes New Compliance Managers Make

For the vast majority of new compliance managers, their gut says, “I gotta start doing, NOW.” But because the compliance arena is so complicated, new compliance managers usually find themselves underwater within minutes.

When you’re brand new to the position, that’s the time to lay groundwork. Stage your compliance program and set things up. I can’t overstate how important it is to get your ducks in a row early on. Otherwise, you get overwhelmed with the onslaught of day-by-day compliance tasks and poof, you’re lost. Very quickly, it’s like you’ve been washed out to sea and you’re just trying to keep your head above water.

That early stage is the time when you have the opportunity to get things organized. Here are some best practices every new compliance manager should follow.

Be Curious, Not Ambitious

When you’re new to a position or a company, you want to make a splash right away. It’s human nature. You want to impress your superiors right off the bat and to prove yourself as an all-star — show them that they made the right decision in hiring you.

That’s fine, but don’t let it create a drive towards making changes right away. When you’re new, you lack context. You don’t know why things are the way they are. And because we all tend to assume that our idea is the best idea, you start making changes, potentially without context and without questioning your decisions. This has the potential to backfire in spectacular fashion.

My recommendation for new compliance managers is to first learn why things are the way they are. Everything that’s in place now, for one reason or another, was done with purpose. Before you make a change, do the research and get the backstory on the current situation.

Slow down a bit, talk to those around you, and give your ideas a sanity check. You can still make improvements, but it makes logical sense to talk to the people who have been doing this longer than you. They have more experience, particularly with your organization. Why on earth wouldn’t you take advantage of that?

Get Executive Buy-in

In your first days as a compliance manager, take the opportunity to start fresh and make sure you have top-down adoption of compliance procedures — from the CEO to the janitor.

Compliance is critical to your company’s health, and it’s something that your entire organization needs to buy into. Open the dialog with the company’s leaders and ensure that their support of the compliance program isn’t just lip service.

Have a continued dialogue around how to build a culture of compliance in your organization. Meet at least once a month with executive leadership, preferably every two weeks.

  • Communicate your compliance initiatives and status
  • Discuss your challenges
  • Get executives to lead by example
  • Build a company-wide program with leadership’s support

Keep channels of communication open and stick to your meeting cadence. The more your executives are aware of compliance, the more important it will be to them.

Take Inventory of Your Compliance Obligations

Find out what your compliance commitments are. Just because you’re certified under some compliance standards doesn’t mean you’ve fulfilled your responsibilities. You may have obligations you aren’t aware of.

Have conversations with different areas of the company, especially sales. Your salespeople often get requests from customers for proof of compliance.

  • What certifications have your customers and prospects asked about over the last year?
  • What has your company agreed to adhere to?
  • Are you missing any certifications on that list?

Your industry will indicate certain standards that you need to comply with. It might sound obvious, but you’d be surprised how many organizations aren’t certified in industry-required standards. Make sure you aren’t one of them.

Review your annual cyber liability insurance application, which will include additional details of the security and compliance requirements the insurer expects of the organization.

It’s also a good idea to check with your legal department for any standards you need to be certified under, whether as a result of applicable regulations for your organization, or contractual obligations you may not be aware of.

Vet Your Vendors

Vendors come into a company in all sorts of different ways. They could be hired because they happen to be your CEO’s cousin, because someone has a friend that works at the vendor, or through an RFP.

As a new compliance manager, you don’t know what kind of vetting your vendors previously went through — if any. Did your company do due diligence on them when they were hired? Does the organization have up-to-date security/compliance documentation from each of these vendors? Do a quick audit to make sure each of your vendors has their act together.

I have a client that’s in the middle of this now. A group within the company brought in a key vendor that was interesting and cool and seemed to have their act together. Eventually the compliance manager heard about the vendor and asked for the vendor’s third-party security assessment. It turned out they didn’t have one.

The people who loved this cool vendor didn’t perform due diligence to ensure the proper certifications were there. Now there’s an issue to sort out, because the vendor directly violates the policies of the client organization.

Take Stock of Your Compliance Program

Many new compliance managers don’t adequately take stock of their compliance program. They jump in and start “doing” without knowing what’s already in place.

Instead, take time to discover your program’s strengths and weaknesses.

  • What internal resources do you have?
  • What are your capabilities?
  • What are your vendors’ capabilities?
  • What type of documentation and instructions do you have, and what’s needed?
  • Do you have a rock-solid repository of files you can refer to, from the previous compliance cycle?
  • Was the last time you did this a crap show that wasn’t organized at all?

Put an eye toward making the process easier — as a template for success, use the evidence that passed muster with your Assessor in the past (and avoid things that didn’t). Have those items ready and at hand.

Optimize Your Compliance Program

Find ways to improve your compliance program. Many compliance managers will just suck it up and make do with what they have already. They don’t want to rock the boat early on by asking for money to spend on new systems.

Typically, that means they’re stuck with a rat’s nest of spreadsheets, network shares, SharePoint sites, and scattered evidence. Everything is everywhere. Next thing you know, you’re the human glue holding everything together.

Manual processes come with a ton of overhead. Effectively, you’re forcing yourself to drown faster, because compliance is so laborious to manage.

Find mechanisms to better organize compliance management. Investing in an automated compliance system will minimize wasted time. A compliance management solution will give you a rock-solid repository from previous years that you can use for this year.

Managing compliance manually really sucks, but an automated compliance management system makes it suck a lot less. Streamline the entire process and save hundreds of hours per year — and tens of thousands of dollars in operational costs. Not to mention the pain management benefits.

Make the Most of Your First Days

You won’t ever again have the amount of time that you have when you first start your role as compliance manager. Take advantage of that time. Get a feel for the compliance landscape at your company and get to know the players around you, both internally and externally.

That investment in your position and role will be a key difference in the long term happiness of the organization you serve.
