Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: Investing in Your Compliance Program (The Year 2+ Benefits)

Quick Take

On this episode of Compliance Unfiltered, Todd and Adam walk through the challenges faced by organizations looking to take control of their compliance management.

Adam shares a bit about his journey and provides some profound advice to listeners looking to take their compliance program to the next level.

All these topics, and more, on this week’s Compliance Unfiltered.

Read The Transcript

So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.

Welcome into another edition of Compliance Unfiltered. I’m Todd Coshow alongside the boom box at your compliance barbecue, Mr. Adam Goslin. Now after you, sir. 

Well that sounds delicious. I’m great, how are you? 

I can’t complain. I really can’t. Today, we’re going to talk about the benefits. What I mean by that is, what are the benefits of investing in your compliance program, specifically like year two and beyond? You started TCT for a reason and spent time building a compliance management portal for a reason. Tell us more about that.

Well, I mean, I’ve told the story of several times for the uninitiated I suffered through, you know, an engagement where, you know, I was the, you know, the head of IT and infrastructure and I was the poor soul that got nominated to go handle compliance and, you know, so I struggled through that. It was an 18 unbelievably painful months of putting my head through a wall where I struggled through it with spreadsheets and try to manage my engagement with those, you know, I, as soon as I finished that 18 month stand, I turned around and I walked away from that. I started up a security and compliance company and went about doing about five solid years of running engagements with spreadsheets and I don’t know, it was about the three year mark of that, of that parade where, you know, my background was in application development and building systems and so I’m like at about the three year mark into that five years. I said, you know what, this is stupid. I’m just going to go build the system that I wished that I’d had you for the, you know, for the, for the prior like eight years, which led ultimately to the release of the, of the TCT portal in, in 2015, you know, and we literally, you know, started this company so that it could, you know, it could help people was the, you know, was the goal of the objective. And in, and, and in true fashion, my, my emotional arts are in full effect. I’m not sure if we’ve got a squirrel going on. If somebody’s dropping a package off, maybe it’s some of the, maybe aliens landed on the front lawn. You never know.

Ha ha ha

Oh, that’s good stuff now. Why do organizations, Adam, struggle with justifying their decision to move from their existing processes over to a compliance management system? 

Well, it’s interesting. It’s one of the biggest struggles, you know, since I, you know, since I started this organization, it’s one of the biggest struggles that, you know, that I’ve seen, you know, kind of the folks that used to be in my position of suffering through it and just dealing with what they got. They struggle to wrap their heads around the notion that spending time, you know, spending time, you know, and money, you know, on a compliance management system will ultimately save them dollars. It seems, for whatever reason, it seems counterintuitive. You know, I hear the quips that all Excel costs nothing and, you know, and whatnot. But the reality is, is that inefficient running of your compliance management engagement, it buries just a boat ton of, you know, wasted costs, etcetera, into the mix. And, you know, the, you know, you don’t realize just how much wasted time you’re pouring down the drain and the fact that, you know, well, Excel costs nothing. I mean, it literally couldn’t be further from the truth. You know, there’s meaningless waste of time on these compliance engagements, you know, that folks just kind of blindly sign themselves back up for. And, you know, we’ll get into that a little bit later. But, you know, the reality is, there is just a ton of wasted time, you know, meaningless effort, etcetera, that happens on these things. And it’s not like, it’s like, oh, well, you know, okay, well, you know, it costs me five minutes or so. We’re like, no joke, depending on, you know, who it is we’re talking about. In some cases, they could be saving hundreds. They could be saving thousands of hours a year, you know, on their engagements. And it’s just trying to get them to see how, you know, kind of transitioning into that, hey, I’m going to go give this a crack and I’m going to invest in my compliance management.
They struggle to see how the expenditures of the real dollars equate to, you know, kind of cost savings for the organization, you know, internally. So that’s kind of the, that’s kind of the, you know, kind of the play, if you will. 

Now, once a client decides to invest in their compliance program, what are the various types of I guess investments that they’ll be making across their first year? 

Well, I mean, like with anything, right? As you go in and you start and you go, you know what I’m going to do? I’m going to go from, you know, from where I’m at now to, you know, you’re leveraging some type of a compliance management tool. If you’re going to do that, you’ve got to go in and spend time, you know, go in getting it set up, getting it configured and whatnot. So, you know, if there’s some investment that they’ll make there and that would happen, I mean, if you think about it, that had happened, whether they decide, you know, whether they decided to gut and redo their, you know, their, you know, spreadsheet approach. Well, they’d need to make the investment in their gutted spreadsheet approach. Oh, I don’t know that this would ever happen. Let’s say that your PCI 321 flips over to PCI 4.x every time they change it. Now I’m going to go back and spend time retooling, etcetera. So, you know, they’re going to spend the time anyway, but, you know, with a compliance management tool, absolutely go in, get it set up, get it configured off and running. You know, certainly you’ve got to go in, get everything assigned to the right people, you know, within the, within the system, working on getting the flow within your, you know, within your tool working properly, you know, this is different for different, different organizations. So, you know, for some organizations that are fairly, you know, kind of down the middle, if you will, maybe they just need to go up against, you know, a PCI self-assessment questionnaire. And so they’ll just work directly off of that. But for, you know, more complicated engagements, such as, let’s say I’ve got corporate headquarters and I’ve got multiple come about posts that all need to participate in the, you know, in the compliance engagement. Now that’s one, that’s one type of a configuration. In another case, I’ve got clients where they’ve got, they’re subject to two, three, four different certifications or standards.
And so, you know, they want to, instead of working directly and redundantly on, you know, three to, you know, three to five different, you know, different, different things, they’ll create one single consolidated, you know, request list, which then they map to their target standards. So depending on what they’re looking for, etcetera, you know, there’s some, you know, there’s some work in coordination to go in, get that, you know, kind of get that set up. But again, you know, you start doing those types of things you’re saving, just boatloads of time, you know, training up people on how to, you know, how to go ahead and use the tool and starting to load up their evidence within the system, you know, gaining that adoption, you know, takes a, you know, takes a minute for, from, you know, those frontline evidence provisioners to, you know, do things like, you know, paying attention to the systematic email notifications that they have overdue items, you know, getting used to the fact that they actually have a system that’s available 24/7 for, you know, asking questions, submitting evidence, whatever. 

So, you know, the cool part there is that, especially with the asking questions part, you know, one of the, one of the drawbacks of the traditional way of doing things is, I don’t know, this up like a weekly compliance meeting or something. And so when you set up the weekly compliance meeting, and let’s say that meeting’s on Wednesday, well, you know, let’s say it’s Wednesday morning. Well, if Wednesday afternoon, one of the people has a question about an item that they went to go start working on and boom, now I’m at full stop. Do they need an answer? Well, what do they do? Do they go and actually talk to somebody Wednesday afternoon or Thursday? No, no. Instead, what we’re going to do is we’re going to wait until next week, Wednesday morning, ask our question, you know, type of thing. And now you’ve dropped, you’ve dropped six solid days, you know, of calendar time, you know, through that process. You know, the, you know, it takes them a minute to kind of get used to being able to use the, you know, use the system and, you know, all of these, you know, various improvements and investments that they make, you know, during that, you know, kind of first, you know, first shot at going in, getting the system configured and whatnot. All of those will bear fruit in, you know, as they go into year two plus, the one thing I guess that I’d, you know, wave the flag on is, you know, it’s not like, um, it’s not like when you sign up to go use the, you know, use the portal, you know, uh, you were just like clap you on the back, give you a login, wish you luck. You know, the, the, the fact of the matter is, is that the TCT, um, operational support team is stellar at helping people get the, getting them configured, getting them set up, getting them running the way that they need to, you know, and all, and lending their expertise to that, you know, to, to that configuration. So there’s a lot of help and assistance for folks as they go through that process.

So as they move into year two on the system, what are some of the kind of direct investment benefits the organization can look forward to? 

Well, there’s a lot of benefits, you know, number one, just doing this year one is going to bring its own series of, you know, kind of direct benefits. But when you get to year two plus, yeah, you got to, you got to, you got to consider this. So in the traditional way of doing things, invariably, as you’re kind of coming up on your compliance, you know, compliance completion date, etcetera, everything starts flying eight ways from Sunday, right? People are shipping you emails and text messages and, you know, smoke signals and, and, and you know, the net result of the engagement, all said and done, is you basically have your compliance information. It’s spread all over Hell’s Half Acre and disorganized, da, da, da, da, da. You know, when you, when you’re using a compliance management system and you’re looking back on your prior year activities, the organization now has a rock solid repository of evidence by line item, who did what, when did they do it? It’s all neatly organized, it’s all referenceable, you know, and since they’ve already got year one in the system, when they go in to get, get year two set up, it’s literally button clicks to go in and now configure, you know, your, your second year, you know, because now I’ve got a whole ton of things to be able to reference. I know, you know, I know how the tracks were configured. I know how the workflow was intended to work. I already have all the right people assigned to the right items. That’s all, you know, there and, and able to be used in the configuration year two. So your configuration time drops dramatically and it’s super easy on, on when you get to year two. Even, you know, the, the other benefit is, is that, you know, let’s say that, you know, last year, you know, Frank was on the team and Frank’s left the organization for whatever the reason may be. And now Mary’s taking over.
Well, when you’re doing those types of personnel changes year over year, what we do is we go ahead and duplicate your year, you know, your prior year to the current year, Frank would still be listed on, you know, let’s say 83 items or whatever. Well, now it’s simple. I just go everywhere where Frank’s assigned. Now I’m going to assign Mary, remove Frank, boof, you’re, you’re off and running. So it’s, it’s super, super easy, especially in this arena, in the compliance space. You know, these are, these are resources that are in high demand. So it’s not infrequent that people are, you know, that people are turning over. And now you’ve got, when all of these folks go in and start working on their year two, the best part is, is that now when they go in and they look at their line items, right? Some of the, some of the common questions that people will ask on a compliance engagement, even if it was the same person that did it last year, they don’t remember what the hell they did 11 and a half months ago or whatever it may be. 

So one of the, one of the, what did I give you last year instead of, you know, the internal compliance crew having to constantly remind people of what’s needed, what did they provide? Oh yeah, it was this screenshot, hunting all this stuff down and trying to show them the way. Instead, when that person logs into the system, they can literally click a button and see exactly what they provided last year. They know exactly which screenshots you need to grab from where, you know, etcetera, they can see all of that previously submitted evidence and, and whatnot. It’s right at their fingertips. So, you know, we start talking about, you know, start talking about the benefits, you know, just overall, you’re just, you’re saving time is the big key.

So, I guess that begs the question, right, like what are some of the indirect benefits of compliance management investment? 

Well, what I was just talking about, right? Like, you know, somebody goes, oh, go, you know, and I’ve heard this comment more times than I can count. Somebody will say, well, that’s great that we’re gonna go get this compliance management system. And that’s great for the compliance management team. They look at it as a compliance management team benefit. So, you know, look at the thing I was just talking about. You know, now when I’ve got, you know, as an example, we talked about Frank that was on the track last year a minute ago. So let’s pretend Frank’s still here and Frank’s spinning up in the next year. And remember what he did 11 and a half months ago. Well, instead of Frank waiting six days for the next compliance meeting, so he can ask what he gave them, you know, as evidence for blah, blah, blah last year. Instead, Frank clicks a button, sees everything that he had to do. He’s continuing forward movement, he’s off and running. I didn’t drop, you know, end days of calendar time. Frank didn’t have to go searching or scouring the file server share point, blah, blah, blah, blah, blah, to go try to find the stuff that he gave to the compliance team last year. You know, so the, you know, you look at that scenario where it’s Mary and now is stepping in for Frank. Well, Mary’s gonna have all of the same questions that Frank had the first time he went in to go kind of get his arms around these assignments. She’s gonna have all of those questions, right? Normally, but when you look at the system where she’s got immediate reference ability to do exactly what Frank did last year, now you’ve got a situation where, you know, she can just hit the ground running. You know, she doesn’t have to do anywhere near the level of learning that she had to do with the turnover, etcetera. So that’s one big indirect benefit. You know, another indirect benefit, you know, would be, you know, you think about it this way.
The organization, if they’re already subject to, you know, two different standards today, and so they decide to take on a third, well, you’re staged for being able to go in, go and integrate that third into the mix when you’re using a compliance management system because, you know, now I’ve got synergies between these various standards. I’ve got a clean repository. I’ve got something I’ve actually mapped from and two, you know, etcetera. So that’s a huge indirect benefit, you know, the ease of being able to take on a modification to the scope for the organization. So, you know, we talked about adding new standards, but things like I’ve got a new location, I’ve got one or more new locations. I’ve got one or more new people. I’ve got, you know, the organization picked up multiple more subsidiaries or maybe multiple more franchises, whatever it may be. 

We opened up three new sales offices, whatever it may be. They’re now staged for being able to do that and readily fold them into, you know, into here. You know, the other, you know, kind of indirect benefit that organizations will see as well, you know, a lot of times with those, you know, the security questionnaires, you know, they got, hey, you know, tell us how you’re doing this and tell us how you’re doing that and what, da, da, da. Well, you know, when you’ve got all of your security and compliance information in a system that’s immediately both searchable and referenceable, well, now when I’ve got to go in doing responses to security questionnaires, etcetera, they’ve got, you know, just a compendium of information that’s available for them to be able to go in, take a look at and, you know, and facilitate responses. So, you know, there’s a, there’s a bunch of different, you know, kind of indirect benefits, if you will.

Hmm. That makes sense. Now, when you talk about investment into compliance management, that’s typically associated with ROI to make the decision. Tell us more on that. 

So, you know, the real reason for moving into the kind of advanced technology to assist with running compliance engagements, the stark reality is there is a ton of waste of time on engagement. So, you know, we talked about kind of some of these, but I’ll go through and I’ll kind of highlight them again, you know, for any organization that, you know, each year when they have to go kind of prep up their, you know, this year’s, you know, kind of system for managing and monitoring and whatnot, their, you know, their compliance engagement. You know, even if it’s just straightforward, right, there have been no changes to my standards and I don’t have massive scope changes, etcetera. I still have to go spend a ton of time swinging up, you know, locations from drop zones for people to drop their, you know, drop their evidence into and, you know, duplicating my sheet from last year, getting that cleaned up and ready to go, etcetera. So you’ve got all of this prep work set up, etcetera, where when you go and move to, you know, move to technology, the technology solution, granted this is a once a year savings, you know, you’re pushing a button and if you’re ready to rock, you know, you can, you know, you can do the setup and configuration is, you know, minutes, not, you know, not, you know, hours, you know, hours or weeks, if you will, you know, the, the, the other area where that plays into it is, you know, whether it’s a, yeah, I’ll go from the perspective like a, you know, a consultant or a service provider, an assessor, right? You know, they need to have, you know, they would need to have meetings with their client. Um, you know, they would also need to have internal meetings for status. So, um, whether in, and if you’re somebody subject to compliance, well, you’ll have, you’ll probably have one or more internal meetings to, to a, where are we at and who’s got what and you know, rallying the troops, etcetera, and have a meeting with your assessor.
So either way, there’s typically multiple rounds of meetings, um, you know, that are happening. And normally that’ll happen at least, uh, once a week. So every time I’m going into prep for those meetings, I mean, think about in the old way, I would have to manage, maintain, update my, my Excel spreadsheet with who had what submitted what, you know, um, the, the biggest problem is, is that I remember clearly I would, depending on the complexity of the engagement, I would spend, I’d say between two to four hours of prep time before a status call, um, just to try to figure out where’s everything at. Well, now, now when you sit in the TCT world, you now log in and you bring up the live dashboard, right? I didn’t have to spend two to four hours trying to figure out where everything’s at. It’s done already. You know, you’re literally for every status meeting where you’re blowing time, trying to prep for it and you’re, you’re, you don’t have to do that anymore. 

Um, you know, in terms of where we are and whatnot. So what I, what I’ll typically tell people is the prep time for meetings that I used to do. Um, now I can literally go log into the portal, pull up the track five minutes before the meeting and just get my bearings, boom, go get on the call, you know, that type of a thing, because it’s live. It’s, it’s, it’s a current state of the, you know, of the information, you know, we talked about, the, like evidence processing that they, that has to be done. 

So, you know, you’ve got folks that need to go through and, you know, go through and review evidence and, you know, they’re, they’re trying to, you know, approve evidence to move it, you know, move it along the workflow or rejecting evidence down the workflow, turning around and updating their tracking sheet. Um, you know, if they’re consultants, assessors, etcetera, answering all these questions we were talking about earlier. So, you know, there’s, there’s all of those various things that, you know, kind of play, play into it as well, where, you know, those activities are centralized there. You’ve got, you know, ready reference of, of things from the prior year, you’re saving time on, you know, on not having delays and answering questions about, you know, well, what did I supply you last year or what do you need for this item? You know, because the, the, you know, a compliance management system will have directed guidance, both from the industry standard as well as, uh, directed guidance for the, uh, you know, for the portal, I’m sorry, for the, you know, in the portal for, um, like your assessor, your consultant or whatever. So you’ve got all that at your fingertips. Um, you know, for assessors, I have to go ahead and generate reports. It’s normally a multi, uh, it’s normally a multi, uh, we’ll call it multi-day or multi-week process to go in and generate reports. Well, in TCT portal, it’s a click of a button, you know, you’ve done your work from within the system. You’ve generated, you know, you’ve got, got your report text within there. You know, you punch a button and poof, you got your upbound reports. They’re done, right? 
So now you’re just abolishing, um, scads of, you know, uh, of time that would have to get put into that, you know, and then finally, you know, at some point in the game, some, some poor schlep has to go in and archive off everything that, you know, whatever, whatever the disastrous current state was of the engagement that you just, you know, kind of did the, I like to use the, the, uh, the, the analogy. You know how you see that dude? Yeah. He’s running, you know, here it’s a fire and he’s chest out, arms back, hair is flowing in the wind. And you know, he goes through the, you know, it goes through the ticker, you know, the, the ticker tape at the end of it, whatever. Um, you know, yeah, that sounds great in concept, but the vast majority of compliance engagements getting across that same finish line looks more akin to somebody tripping about five yards off, off of the line, landed on the front of their face. 

Their legs are up over their, you know, over their head and they’re sliding on their chin over the line. That’s kind of how it works in the compliance arena. So, you know, the reality is that there’s just a ton, there’s a ton of things that happen which people don’t, they don’t really give enough, you know, kind of enough credence to, you know, as they’re going through their engagement. You know, and part of it, you know, is that, and we do have an ROI calculator out on the TCT website. So for those who want to go play around with it, etcetera, just go to, you can go to gettct.com, which is a short form for being able to get to the totalcompliancetracking.com website, go under resources, go under ROI calculators and punch the button on one. But, you know, if you go in there, you can go in, play with the numbers, you know, based on your scenario, that type of thing, you know, and the cool part is, is that it’ll show things like, you know, they anticipated number hours that, you know, number of your personnel hours that are saved when using TCT portal for year one, year two, you know, things like how much personnel cost was saved during that time. You know, if you re-attributed that saved time toward revenue generating activities, then how much would that, you know, what’s the potential upside of the time savings? And so when we sit here and we talk about ROI on the engagements, one of the big problems, especially for, I like to call them the uppity ups. I happen to be an uppity up for TCT, but, you know, for the uppity ups of other organizations, you know, they’re not close enough to the pain. They’re not close enough to the process to clearly understand just how much time they’re likely to match to, you know, and I think it should be eye opening, you know, to them that, you know, this isn’t an out of pocket, I’m gonna go spend this money and it just goes into some black hole.
They should be able to articulate the time savings that they make on engagements and kind of bring that ROI, you know, back to the organization with some real benefits. 

Hm. Parting shots and thoughts for the folks this week, Adam. 

Well, I mean, if you can’t tell, I love getting fired up about this stuff because it’s just, I built the damn system for a reason. The TCT portal, when we made it, we didn’t want to build a system that anybody coming to it would have to change all their processes for. So, instead, when we built it, we literally built it so that it molds to the company and the way they want to run their engagements and give them the configurability and flexibility to be able to set it up and stage it the way that they want. So that’s a huge benefit. The one thing that I especially love telling people, I love telling folks this when we have every single time that we have an onboarding session for a new organization, I’m on the phone. I want to be on the phone because, and one of the things that I’ll point out to them is I say, look, this thing launched, I said earlier in 2015. This is a system that literally has been for over a decade, been up, running, live, serving people in the compliance space. TCT took the approach on day one. We listened to the users of the system. We wanted their feedback on desired functionality, things they thought that needed to be improved, etcetera. And so now, more than 10 years later, when we’ve got folks that are coming onto this platform, they’re literally stepping into a platform that they can take advantage of that has over a decade of input from real, live compliance folks where they’ve given their input. And so, and honestly, I encourage the new folks that come onto the platform to be part of the solution. It was a system, the TCT portal, it was literally a ground up build by compliance people to solve problems for compliance people. You know, and I said earlier that, you know, we started this company to help people, but just to put a more succinct point on it, we literally started this company to help people make managing compliance suck less.

And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. 

I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less. 
