Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: Streamlining Higher Education Institutes’ Compliance Management


Quick Take

On this Episode of Compliance Unfiltered, the CU Guys have a spirited chat about the perils of managing compliance in the Higher Education space.

Wondering why Higher Ed is such a complex environment? Curious about ways to overcome these challenges? Wondering how to manage your complex compliance landscape in a way that doesn’t feel like herding cats?

Well, you’re in luck, as all these answers, and more, can be found on this week’s Compliance Unfiltered!

Read The Transcript

So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside The Pump, to your compliance circumstance, Mr. Adam Goslin. How the heck are you, sir?

I feel like I want to go marching or something now. I’m good, Todd. How about you? 

I can’t complain, sir. I really can’t. Today, we’re going to talk about how higher education institutes can streamline their compliance management. Tell us why these institutions struggle with managing their compliance.

Well, I mean, managing compliance within higher education, it’s definitely not for the faint of heart. For some people, it may strike them as an audit first, but it actually is one of the most complex and complicated multifaceted contexts within which to practice compliance management. For the poor soul that gets the honor of running that institution’s compliance program, the job’s stressful as hell. It doesn’t let up. There’s typically, you think about it, within a typical educational institution, they’ve got departments where purchases are being made, so PCI comes into the mix. They’ve got research facilities where potentially various forms of government-related compliance may come into the mix. They’ve got, oftentimes, there’s a health center or something along those lines on campus for the students, so HIPAA’s coming into the mix. I mean, it’s a bevy of different standards, and it’s just a whole bunch of different requirements they need to meet, assessment cycles they’re trying to meet. It’s months just trying to get prepped for compliance season. Once the gun goes off, it’s just this mad dash to go get everything collected up and to the assessor, because most of the time, they’re trying to get all of their compliance engagement responsibilities wrapped up before classes are starting in the fall. It just feels like a pressure cooker. One of the big issues that these institutions have is that they’re dealing with a multitude. There’s a multitude of different things. There’s a multitude of vendors involved supporting the organization. There’s also a myriad of different locations that are subject to compliance. We’ll just keep it in the PCI realm for right now. There’s the registrar’s office, there’s the athletics department, there’s the dining services, there’s the bookstore, the alumni association, housing departments, and that’s just to name some of them. Some of these institutions literally have between dozens and hundreds of different departments.
Oftentimes, each of which is needing to be provisioning their own evidence, etc. There’s different sets of functions in these departments, different methods of payment that they’re taking, different forms of sensitive data. That means that managing compliance for them straight up sucks. We developed the TCT portal to try to make it suck a hell of a lot less. The reality is that for a properly rolled out program, we could be shaving 65% of the load off of these poor individuals, but it’s just a matter of seeing the light and taking advantage of the technology.

Well, speaking of, can you take this to a deeper level as it relates to the pain they experience? 

Sure. Why not? So it’s really stressful as they’re going through and trying to manage these compliance engagements at colleges and universities. My initial endeavor just to go get compliant with PCI, it was a handful of vendors and less than 10 people I needed to go and get evidence from. And in the grand scheme of things, looking angelically back at that first foray, it was a fairly simple and straightforward engagement, but it took me 18 freaking months to get through it. You take that in contrast where you’ve got these higher education institutions with dozens or hundreds of individual merchants, hundreds of people that they need to coordinate across. With that volume of people that’s involved in the overall compliance engagement, you’re in an absolutely never-ending cycle of communication, miscommunication, trying to get everybody on the same page, trying to get all the assignments pushed out to the right people, trying to keep track of who’s got what, where’s it at, etcetera. And you’re trying to do this across hundreds of merchants and multiple hundreds of people. You figure, just to put it in context, let’s say that we’ve got a couple hundred different outposts on campus and each one needs to get 20 pieces of evidence. Well, now, just do the math, you’re talking about 40,000 different pieces of evidence that you now need to track, manage, collect, control, monitor the flow of, yada, yada, yada. And you figure that for each of those pieces of evidence from initial submission to somebody doing their manager going through and doing some form of quality assurance on it, and then the next step, the next step, the next step. So let’s say you had a workflow that had six different steps to it. Well, now, we got 40,000 pieces of evidence that potentially could be in any of six different people’s hands or states, etcetera. We’re closing in on almost a quarter million different potential states that this stuff could be in. And that’s 20 pieces of evidence, right?
I mean, you run the math on this stuff and it gets mind boggling. So the typical compliance standard, there’s hundreds of different pieces of evidence that need to ultimately be submitted. Go back and rerun your mental math on how many potential intersections that could be, and the numbers are just staggering. You’ve got colleges and universities, they’ve got a significantly more complex scope for their compliance requirements than many other organizations, which means that they need to be leveraging some form of technology for managing their compliance so they can robustly and flexibly assist in bearing the weight. The intent is that the system is eliminating all of the manual processes and the spreadsheets and the mishmash of internal systems, network drop zones, internet-based file drops like SharePoint or whatever, that many of these organizations are leveraging. You just real quick go back, you look at the atypical organization and kind of how they’re doing what they’re doing manually today with all of that additional overhead on a quarter million pieces of evidence. 

No, no, no, no. I’d be throwing, I legit, I’d be throwing in the damn towel. I really would. 

Well, how is it a challenge to manage information across multiple merchants or internal units of the organization? 

Well, you know, because they’re, they’ve got so many different, um, you know, folks that are taking, taking payments, dealing with various forms of sensitive data, that even the flow gets, gets, uh, very complex, you know, and each institution’s different. So on, you know, on many campuses, the, each merchant has their own merchant account and they’re almost treated like a little individual businesses, uh, you know, type of deal. So they, each one of them kind of manages their own accounts and, and need to go through PCI individually, but it’s still the responsibility of the overall institution, uh, doing some form of validation to make sure that all of their merchants are, you know, all the internal merchants are fulfilling those responsibility, um, you know, better yet, you know, certain, certain piece of the information from the, from the top level institution, uh, need to flow down to each of the individual merchants, um, you know, in other cases, you’ve got a flow of evidence that goes from the merchants and rolls up, you know, uh, to the, you know, to the overall organization, it just kind of depends on how they, how they structured themselves, um, you know, so, uh, sometimes the, the compliance get broken down into, you know, different groups or different departments with, you know, within the facility. So, you know, regardless, which, uh, you know, which case it is that they’ve got, you know, they need to make sure that that information, uh, that the information is flowing appropriately, uh, you know, within the confines of exactly how their particular organization’s been established.

Tell me this, why is the TCT portal an advantage for these organizations? 

The advantage of the TCT portal is that the sheer coordination of responsibility, communication, and evidence flow across these dozens to hundreds of entities, across dozens to hundreds of pieces of evidence, it’s nearly impossible to navigate those waters, both skillfully and successfully while keeping track of every single moving part across that entire institution. Honestly, the poor people that are carrying of this load in a manual or semi-manual system, they honestly deserve a medal. It’s a responsibility that’s extremely challenging to do successfully. If you’re relying on these manual tools or a plethora of internally developed systems, it’s damn near impossible. These are the circumstances under which the TCT portal really shines. It was designed from the ground up to be an all-in-one platform for organizing and managing those moving pieces and parts of your compliance management system. And we customized the compliance tooling to your situation. When we developed the system, we didn’t develop it with a notion of, we’re going to build the tool and you’re going to need to change to fit the tool, but instead we built the tool so that it wraps around what you need, a novel concept, right? Say so? Yeah. When you’ve got one institution that needs all their evidence flowing up to a centralized compliance entity, but we can do that. For another one, we’ve got each individual merchant needing to have compliance engagement evidence flowing down from the upper level institution, or maybe it’s a mix of both. We can do all of that from within the system in an automated fashion. We can go and get that all configured properly. And regardless of the circumstances, we wrap the tool around the needs of the target organization. We pride ourselves on being that solution that they can configure the system to without having to alter how they do what they do to fit the tooling. That’s part of what makes the TCT portal really special.

Well, how are we able to make compliance easier for everyone? 

Well, you know, in a lot of cases, you know, the people that you’re depending on for submitting the evidence, they’re not security experts, you know, they’re general managers, program directors or administrators, you know, that type of thing. You know, they aren’t compliance experts and so, you know, they don’t understand all the ins and the outs of compliance management and, you know, that means that the engagements under a traditional sense, they flow like molasses in winter. You know, it’s just, it’s crazy how slowly those wheels can grind and yet, because you’ve got so many of these, you know, pieces of evidence flying, you know, even though it’s not a lot for a single piece of evidence, well, you know, go back to the earlier example of a quarter million pieces of evidence now that you’re having to manage and orchestrate, that’s just wrong. So, you know, I mean, not only are these people, you know, they get to, you know, the people submitting the evidence, not only are they kind of learning on the job, but they’re relearning their tasks each compliance year. So, you know, they don’t go in and memorize this stuff, right? Even if you have the same damn people, everybody’s the same on your compliance engagement year over year. Oh yeah, they didn’t remember what the hell they did last year. You know, it was 10, 11 months ago when they last had to, you know, go and gather up evidence and whatnot. They’ve forgotten everything. So, you know, you can’t remember, you know, remember everything year over year, so you got challenges with being able to, you know, go in and just submit the evidence in a consistent manner across the engagement. You know, the reality is the TCT portal makes that evidence submission, just it’s easy. It’s streamlined, you know, we can do all sorts of cool stuff like leveraging a documentation request list where it’s a customized list that’s specific to your institution. It only contains the items that these folks actually need to deal with.
It’s a stripped down version of the compliance standard. It’s written in plain English. We can use terms that are familiar to the participants on the engagement. And that way, it just all the way around, it makes it, you know, substantively easier for the folks to go through the process. You know, this leveraging of the document request list gives them simple instructions that, you know, people can, you know, people can go through, easily read, easily, you know, kind of adopt and go get the stuff taken care of right away. You know, all they see is the, you know, when they go and they log in, all they’re seeing is the things that are pertinent to them and they can go off and do. You know, the best part is once you’ve gotten onto the system, you’ve gone through a year of leveraging the system for generating evidence. Now that same generation of evidence is now available next year. So when I get to next year and I’m looking back, I can go in and I can look at exactly what I produced last year. Even if, you know, even if you’d forgotten or whatever, that’s right at your fingertips and kind of ready to go. 

So you don’t need to worry about several things. You don’t need to worry about, oh God, how do I get my arms around? What do I need to do? You do not need to worry about whether or not your evidence is going to get rejected because it’s the same thing that you, you know, that you leveraged last year. So, you know, one of the big fears for the poor souls that are having to do the administration of these engagements, you know, they’re worried about the rework and rounds of rejected submissions, etcetera, etcetera. You know, all that starts to float away. You know, the even better part, once I’ve got, you know, a year under my belt. I mean, when you, when you invariably have some contingent of the people that are going to be provisioning evidence this year are now brand new for they weren’t here last year, right. Guess what? Now I’ve got last year’s submission. So whatever if, uh, you know, Mary’s taken over for Bob who was doing it last year. Mary’s actually able to look at what Bob did. And so, you know, right out of the gate, Mary’s able to hit the ground running, um, much higher success rate of, of being able to navigate through those waters. Um, you know, and, you know, the, probably what the, one of the best things is as the administrator of the program, you don’t have scores of people coming up to you, Hey, what is it that you need for me? Again, they can go in, they can look it up themselves. They’re right sitting there at the fingertips, you know, the whole point of the leveraging of the technology is to get the TCT portal to take the guesswork out of the compliance management. I mean, every single person knows what they need to do, uh, where, where they need to go to get it from, what format to provide it in, how they can deliver it. Um, you know, it just, it lowers stress, lowers confusion and it kind of falls into the bucket of being, being quick and easy, if you will.

Now, in an environment this complicated, I can imagine it’s painful to herd all the compliance cats, as you like to say, to get things done, right?

Well, that is for sure. So, um, you know, the TCT portal, one of the, one of the beauties of it. Now, you know, we talked about there could be, you know, hundreds of different locations, you know, a hundred or 200 different locations with maybe one or more, one more person at each of those. You know you’re, you know, in the, in the old days, uh, you’d be sitting there trying to figure out where everybody’s at and following up with them and giving them notifications, etcetera. Well, then one of the best parts about, about the portal is it automates all those notifications, you know, so, um, the TCT portal will send out, uh, you know, kind of a morning email to anybody that’s got open items and say, Hey, you’ve got, you still have three items in your hands, etcetera, um, and it will automate, uh, all of those kind of daily reminders for this unfulfilled task and the system keeping track of the, of the status. So, you know, as, as a person goes through, uh, kind of clears out there. There’s out there, there’s a to-do list. So let’s say it’s Monday. I got my alert. I got three items in my hands. So Monday I cleared out two of those on Tuesday morning. I get an alert and say, Hey, you still got one item in your hands. And so if on Tuesday, I go ahead and clear that last item out on Wednesday, I don’t get a notification. If on Thursday, the, you know, the internal, you know, the internal QA department is going through reviewing the evidence and go, yeah, that’s pretty cool, but on one of these, we need a little bit more than, and they send it back down Friday morning, that person’s going to get an email. Hey, you got one item in your hands.
So you’ve got, as long as you can channel kind of, and this is where the training comes in as you’re, as you’re going through to do the, you know, do the deployment is you train the people to pay attention to the emails that you get, they’ll stop coming when you clear your items, but if you get it, if you get an email again, that means that something’s been moved back down to you. Pay attention to those emails. It’s a, it’s a big deal because now, you know, people are getting pertinent and appropriate notifications, not just noise that’s spewing at them from some automated system, it’s actually pertinent information, pertinent detail helps everybody, you know, kind of now navigate those waters. Um, you know, and, uh, you know, it’s great because we can send out notifications, whether it’s straight off of an exit of a wholesale certification, whether it’s notifications off of a, you know, document request list. Um, but the cool part is it, it, you know, the cool part, the not cool part, the cool part for the administrator is that, you know, there’s no excuses. They know that everybody got their morning freaking email and, you know, get on your stuff, uh, we trained you on how to, you know, how to manage these things, um, how you know, trained you on, on paying attention to those emails. So, uh, but everybody’s got clarity on, you know, exactly what it is that they, uh, that they need to do. So it, uh, it ends up working out a hell of a lot better, hell of a lot smoother.

Well, describe to the listeners why even determining compliance status sucks.

Well, you know, when you need to know the status of your engagement, it is damn near impossible for most of these higher ed institutions to be able to get just a hundred percent clarity on, hey, where are we at? You think about it, right? We were talking earlier about the 20 pieces of evidence and then doing the math on all the various stages and states and blah, and you’re talking about, you know, quarter million different potential intersections for where the stuff is sitting. By the time that I start, you know, from the time that I start gathering up, where am I at in the grand scheme of things? By the time that you get finished with that, the rug’s moved. I mean, the rug’s been pulled out from under your feet, right? You know, from the time it takes you to start to conclude where we are at question, things have already changed. So by the time I even finished doing a status update, it’s outdated, you know, and that’s where, you know, with the TCT portal, it’s a live system. It’s real time. I don’t need to sit and tally up where we are. I don’t need to dig through. Yeah, I’ve said this before, but, you know, client compliance submissions come in a myriad of forms, right? You know, in the traditional sense, you’ll get people telling you updates verbally, they’ll, you know, drop you a note while you’re in another meeting, they’ll tell you something on flyby in the hallway, they’ll send you a text message, they’ll call your desk phone and leave a voicemail, they’ll call your cell phone, they’ll leave a voicemail, they’ll put the file in some miscellaneous oddball spot, somewhere they had access to be able to store it, and then send you an email to tell you where they put it, and, and, and it’s just it’s mind numbing, it’s mind numbing, how many, how many inventive ways people come up with, I even had people, you know, this is the worst, I had people that would, that would print, print, kind of print their evidence out and then put the piece of paper on my desk.
What do I do with that? Now I gotta, now I gotta go find a scanner, you know, oh my God, it’s all over the board. So you know, that’s the beauty of the TCT portal is that this is real live status, instead of me spending hours just to have a status meeting, instead I can just go log into the system and see where we’re at. You know, you can filter and drill down into the information to, you know, as you see fit. Literally in seconds, you know exactly what’s going on in your compliance engagement, you know, one of the, you know, one of the, the, the challenges and it’s human nature, right? So I went in and I set up a compliance meeting. Hey, we’re going to have a compliance meeting, we’re going to sit and talk about everybody and where they’re at and blah, blah, blah, blah. Well, nobody wants to get called out on the carpet in the meeting. And yet, yet natural human nature, these people, they’re busy, dah, dah, dah, dah, they walk in in the morning and they go, oh crap, we’ve got the compliance status meeting today. So what do they do?

They go ahead and kind of do a dive through their ARSE exercise to pull together all of this evidence and when do they do it? At the very last second. So that when they’re submitting stuff to you three minutes before the meeting, meanwhile you did your status report hours ago is when you were looking at their stuff and you go walk in the meeting and you’re like, Hey, Bob, you know, where’s your stuff? You know, so it was outdated, you know, that it wasn’t submitted. Oh, yes, it is. I submitted, I’ve already submitted that to you and you’re sitting there going, I know damn well, this dude just just shoved this stuff my way three minutes ago, uh, you know, type of a deal, but it’s just, it’s the way it works. So having the system right there live, etcetera, um, you know, it’s huge. You don’t have to go hunt down 200 people to, uh, 200 people to figure out where everything’s at and whatnot. You don’t have to manually check all these dozens of different places just to hunt down where the hell are we at? It’s, uh, it is, it is night and day when you go from, uh, the days gone by to using technology to your advantage.

No doubt. Parting shots and thoughts for the folks this week, Adam. 

Well, you know, I mentioned it earlier that the portal was able to reduce the time and effort on compliance engagements by as much as 65 percent. And that’s literally not an exaggeration. It frees up valuable people’s resource time. You know, you can reclaim that time as you wish as an organization. A lot of people do a lot of different things with it, right? Yeah, they use it as a reduction of stress factor. They use it as a, hey, we can do different things with our resources. They find that, you know, especially that kind of core compliance team, that you don’t need eight people to do it now. You can do it with four. And, you know, the people that are on that compliance team, man, these are some seriously capable individuals. I’m pretty sure that there’s something else they can be doing that will be more productive with their time and be able to use that to the benefit of the institution. You know, just the general stress levels of organizations, when they go from the way they used to do it to leveraging technology to their advantage, I mean, you figure these engagements, I mean, we talked about the 200 different people that you have in 200 different groups or whatever that you had to go and gather the information from, that doesn’t count the other, you know, core personnel, if you will, at the institutional level, you know, that are involved. So you got the core compliance team plus a number of other departments there, et cetera. I don’t know, I mean, you’ve got 250 people that are, you know, that are ultimately involved in this. And that is a lot of people over which to save time. It is a, you know, it is a big deal when you can start shaving minutes off of, you know, off of things, reducing stress, making things easier. You know, I think there’s a there not even I think there used to be a general hatred of the compliance season, you know, type of a thing just because of the dysfunction that it brings and how challenging it is to, you know, to manage.
So, you know, the reality is that the TCT portal is a platform. It was built by compliance experts for compliance experts. It was launched over a decade ago at this point in the game. This system has a full decade of solid inputs for, uh, features, enhancements, etcetera, by people literally living the nightmare that, that often was, uh, you know, compliance management. And so, you know, we’ve taken those inputs, we’ve integrated them into the, in, into the tooling and it just keeps getting better and better and better. And man, the best part yet is the way that we, that we lined it up pricing wise. I literally priced this thing. So it would be a no-brainer for an organization to go in and take advantage of what we want, you know, I started this company so that we could help people in the compliance space, uh, make compliance management suck less. 

And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less. 
