Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: How to Hop Your Compliance Program Up on Goofballs


Quick Take

Struggling with compliance chaos? Discover how to transform it into clarity and confidence with Adam Goslin’s expert insights. This episode of Compliance Unfiltered unveils a practical framework to streamline your compliance efforts, making them efficient and scalable.

Learn how to avoid common pitfalls like over-relying on IT and siloed processes that hinder growth. Adam shares real-world strategies, including leveraging third-party consultants and creating centralized repositories, to protect against personnel turnover and enhance transparency.

Whether you’re starting out or refining your program, this episode offers actionable guidance to build a resilient compliance operation that supports growth and reduces risk. Perfect for compliance officers, IT leaders, and CEOs ready to stop firefighting and start leading with confidence.

Tune in to learn how to turn compliance from a daunting task into a strategic advantage.

Read The Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process.

Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the unlimited toppings to your compliance froyo, Mr. Adam Goslin. How the heck are you, sir?

I’m doing good. How about yourself?

I can’t complain, man. We got a fun one for the folks today. But before we get there, just want to remind you: leave us a like, rating, and review. All those things absolutely help on your podcast app of choice.

And of course, if you’ve got things you want to share, questions you want to ask directly, please give us a shout at compliance [email protected]. All right, man, it’s going down like this: how to hop your compliance program up on goofballs. That’s a wild title, and I’m excited to hear more about it. Why do organizations struggle optimizing their compliance programs, Adam?

Well, you know, for a lot of organizations, they kind of keep doing what they did, you know, type of a deal. But before I founded TCT, you know, I was leading a compliance function at a company, and I remember, you know, just how much of a struggle it was to manage things efficiently while leading a team of control owners and, you know, basically just muscling my way through the process. And so, you know, I’ve been there. It’s real easy for the, I love the, you know, I call it the executive fly-by, right? Hey, you know, you guys go do that compliance thing and, you know, let us know when you’re done, and they go off to their corner office and, you know, sipping their mai tais and da, da, da. Meanwhile, there’s all hell breaking loose behind the scenes, et cetera. So, yeah, I know damn well the listeners are sitting there chuckling because they know exactly what it’s like.

You know, but between the fly-by to, you know, tell the team to go get ’er done and, you know, actually getting there, there’s a tremendous amount of pain, blood, sweat, tears, you know, that happens between those two points, and the compliance managers are, you know, kind of left with the notion of having to carry the load and figuring out how to do it. You know, even for big organizations, yeah, they got large budgets and all that fun stuff, but because they’re a big organization, the landscape of compliance is, you know, that much more complicated. So, you know, as organizations grow, their compliance programs just get increasingly complex, making it, you know, more challenging to run an effective engagement. So, you know, most of them just kind of find a way to make it happen. And it usually involves heavy doses of, you know, I love to call it human glue, but it’s basically, you know, sheer human grit, determination to, you know, force this thing to get over the line, you know, type of a deal. And it doesn’t necessarily, you know, kind of equate to a smooth process, efficient, effective, or anything on those lines.

Now, IT is known as like, at least in our world, as the cool kids, right? So does that necessarily make them good at leading compliance?

No, and that’s one of the biggest misnomers that a lot of organizations will make. They’re like, oh, well, you know, so-and-so, Mary, Bob, you know, choose the name. You know, they’re in IT, so they must know how to do this stuff. And, you know, it’s almost impossible, you know, to find somebody that’s a true compliance professional, you know, that is organized, while at the same time having a tremendous amount of depth of experience across a broad spectrum of compliance engagements and industries and solution types and, you know, and all this fun stuff, you know, and those types of resources are astronomically expensive. What a lot of organizations, you know, kind of do by default is, oh, well, we got somebody in IT and this is kind of IT-related stuff, so, hey, here you go, you know, shove it into the, you know, IT person’s hands and we’ll, again, fly by, walk away. And that’s just a, it’s a bad approach.

You know, just because I can operationally do stuff in the IT realm doesn’t necessarily mean that, you know, I’m appropriate for leading the compliance efforts. You know, the two kind of don’t tie together. You know, you don’t want to just slap a non-technical project manager, you know, into that role because, you know, they’re not going to have the expertise that’s needed for, you know, kind of driving the overall compliance program. And the last piece of that is, you know, the whole wolf-watching-the-hen-house, you know, type mentality. At the end of the day, the objective of the compliance program is to evaluate whether or not the organization is doing the things that they’re supposed to be doing. Well, does it make any sense to have the people that are the ones operationally doing things also being the ones evaluating whether or not they’re doing it properly? No. You know, you wouldn’t go stick your day-by-day counting people in charge of your annual financial audit, so why the hell would you do that in your compliance arena? You know, it just doesn’t make any damn sense, but that’s something that I see a lot of organizations, you know, kind of falling into, if you will.

Yeah, I mean, it’s more common than you might think, I can imagine. How can organizations get some much-needed assistance with that?

Well, you know, we kind of alluded to it a minute ago, and, you know, certainly for many organizations, they do not possess somebody with the depth and breadth of skill and capability to, you know, kind of lead the compliance efforts. So they make do.

You know, one of the best things, one of the things I brought from my past experience was, you know, I tried to go and put together solutions and services and things along those lines that were the things that I wished that I had back in the day. And that’s really where, you know, kind of a fractional compliance consultant comes into play. You know, instead of relying on these, you know, under-experienced internal folks for taking care of the compliance program, you know, look for a third-party consultant, somebody that’s been around the block that can bring all sorts of invaluable wisdom and experience to the table. They can quickly parse through, you know, current state. They can identify improvements, give you options for doing so, you know, with effective solutions, et cetera. You know, the one thing that a lot of organizations forget is when you bring somebody on like a compliance consultant, they have one goal. They just want to make the compliance program, well, they want to make it, they want to improve it. Number one. Number two, they want to make sure that the organization is truly, you know, in adherence to the various standards that that organization is going up against, or that they either need to or want to go up against. So, you know, they want to see the organization get more successful, get more efficient, you know, improving confidence as things unfold. You know, they’re not an assessor. So, you know, they don’t have any skin in the game from, you know, a control ownership perspective, which, you know, applies a certain measure of a benefit in that it’s somebody that you can talk to internally that you can trust. They’re in your corner. You know, they’re not making the final call as to whether or not this meets muster.
And yet in the same sense, they aren’t swayed by, you know, any other external forces. They’re there to do a job on the company’s behalf. So, you know, in the same sense, where a lot of organizations struggle, the consultant typically, you know, isn’t an organization that’s attempting to supplant internal personnel, that’s attempting to supplant existing vendors. You know, they should be coming in with an objective analysis, you know, of the organization. And I can tell you whenever I’ve ever gone through that process with a company, you know, the objective is just to figure out where do they stand right now? What is the present state? What can this organization take advantage of, of what they’ve got? You know, et cetera. And, you know, just kind of looking at it in the best interest of the, you know, of the target organization.

And the last piece I’ll say on this is there’s a lot of organizations like, well, yeah, we’ve been kind of muscling through our compliance thing for the last n number of years. Honestly, getting somebody with a fresh set of eyeballs that has the experience needed, et cetera, has huge benefits for the, you know, for the company. It brings in a check and a balance. It puts an objective set of eyeballs on the program, you know, and really brings a lot of things to the table that your internal personnel just have never been exposed to. They don’t have the breadth of experience that, you know, a good qualified, you know, kind of consultant’s going to walk in with. So, you know, all the way around, there are a lot of benefits for organizations, you know, leveraging that.

And especially because you can trust, you can have a trusted relationship with that consultant. You know, certain things, you know, no offense to the assessors out there, but there’s certain things that you want to have as an internal conversation. You don’t want to, you know, just, you know, virtually lift your skirt up around your ears in front of the assessor, you know, type of a deal, you know, and especially if you’re wearing a kilt. But, you know, it’s just, there are a lot of things that are, you know, that come out positively from that, from that move.

Yeah, I can definitely see that. But, you know, as always, with any change comes fear. So tell us more how that applies here.

Yeah, I mean, what I’ve seen a lot on, you know, within organizations is, you know, and it’s funny, the reaction that you’ll get from different teams. In some cases, they’re, you know, open. Things have been laid out properly. But in other cases, there’s turf protection coming into play. You’ve got some outsider that’s coming in and, you know, it’s seen as some move to stir things up. And, you know, we’ve got folks that will, you know, feel protective of their domain within their organization. They’re seen as the experts. You know, they don’t want it. They don’t want to get supplanted as the go-to person that people are coming to for answers. Some of them worry that they’re going to be out of a job, you know, and whatnot.

So, you know, the one thing that I tell organizations right out of the gate is that when you bring in that third-party, you know, compliance consultant, you know, style resource, it needs to be viewed as an outside expert that’s there to work with the existing control owners. You know, foster an environment that’s, you know, that contains open dialogue and transparency. You know, why are they here? What are they trying to do? You know, what are their motivations and that, you know, they’re just trying to, you know, trying to improve overall improve the program. You know, some of the most successful implementations of this kind of compliance consulting, you know, style role are ones where that trust gets built. And, you know, really it turns into a really awesome partnership, if you will, between the consultant and the people that are on the team, they’re both benefit in helping each other on the organization’s behalf. You know, it has the capability to work out very, very well. But, you know, certainly as you go down that path, just making sure that you’re keeping your eyeball open for, you know, for any of those signs of turf protection, people getting their shorts knotted up and whatnot. And, you know, go ahead and get it dealt with. You don’t want stuff to go on and linger. You want to address concerns or issues as the transition starts to happen. You know, you’ve got a lot of things that are important to make sure that go right when you’re leveraging that type of a resource. And you definitely don’t want it tanked by, you know, misgivings from the, you know, from the existing either team or vendors.

No, certainly not. Now, how should organizations get started with their analysis of the, you know, current state that they’re working with?

Yeah, and the one thing that folks need to kind of mentally prepare themselves for, and I talked about this a minute ago, you know, whether you’re brand new to compliance, you have to go do it for the first time, okay, well, that’s great, it’ll be actually a lot easier for organizations, right? But even if you’ve been doing it for years, you know, you’ve got to remember the consultant is there to come in and assess the current state, doesn’t matter if you’ve been doing it for six years, you know, etc., they just they want to make sure and validate, you know, where are we at? What do we have? Not just, you know, I’ve used this expression before, yeah, yeah, yeah, we have antivirus, you know, type of a thing and trying to blow it off. No, let’s go look at, you know, the whatever, you know, 20 different settings and configurations and setups that we need for antivirus to be implemented properly within the environment associated with evidence. So, you know, they’re really going to want to come in and, you know, and do that gap analysis whether, you know, whether you’re a first-timer, you’ve been at it for a while. You know, certainly a lot of the specifics will depend on the organization itself, but, you know, I’ll typically recommend, you know, that organizations use their most prescriptive standard that they need to go up against. If the organization doesn’t have an existing standard that they’ve chosen to go up against, that should be one of the first conversations then with the, you know, with the consultant is, you know, what are my choices, what are my options, what are things that I probably should already have in place in terms of standards or electively, which standards are we going to leverage as our, you know, kind of core ones, you know. 
For a long time, the PCI DSS has been one of the more prescriptive standards that exist, and taking that with a scope of sensitive data often is a good recipe for being able to leverage the control evidence off your PCI engagement to map it out against secondary standards. So, you know, certainly as they go through that kind of initial gap assessment, that’s going to be able to get us to a point of absolute confirmation: are there, these things are perfectly in place, these things, they’re there but they need some work, you know, these things aren’t. And, you know, for a lot of organizations, it’s an educational process as they, you know, kind of go through that. You know, the one big thing that I tell companies and organizations is look, you’ve got to remember, and this harkens back to what we were talking about earlier, your IT people are not compliance experts. So there’s very likely going to be things that need improvements. It doesn’t mean that your IT people were bad, they just didn’t know, you know. And so, instead of, you know, backhanding the folks in IT, instead use it as an opportunity for education, for growth, for improvement, you know, et cetera.

A lot of it comes down to the way that the leadership at the organization is handling things. So, you know, get through that, you know, get through that internal gap analysis.

Meanwhile, yeah, the consultant’s going to, you know, is going to, you know, look at the folks that are on staff, look at the vendors that we’ve got in play and look for ways that we can go through and, you know, and optimize, you know, the existing kind of suite of folks that, you know, that are working on the engagement as well as serving the engagement. So, you know, there’s just a ton of things that, you know, will come out of that that will be positive.

Sure. Now, a lot of people try to limit exposure to their internal SMEs. Why is that a bad idea?

Well, okay. When they go in and they do it, they’re doing it with the best of intentions, right? Well, we’ve got these people that are experts in their arena, and so their time is limited, blah, blah, blah. We don’t want them just getting burdened with this compliance stuff.

So they’ll stick like gatekeepers in between. And as you’re going through that process, you know, a lot of organizations, because they’ve adopted, and that mentality, quite frankly, is often adopted long before they, you know, start looking at their compliance program. That’s something that they try to do to shield these people even before the notion of security and compliance really, you know, kind of set into the mix. You know, I would say, you know, readily, three quarters of the engagements I’ve worked on, it becomes an adventure to try to figure out who’s actually provisioning the evidence, because most of these companies are dropping things through gatekeepers. And, you know, the control owners are, you know, passing things to the gatekeeper. The gatekeeper loads it up to the portal or to the consultant, you know, et cetera. And it causes massive inefficiencies because, you know, these gatekeepers go grab what they think is needed, hand it off to the gatekeeper. They don’t have any clue. They just plow it over to the compliance manager. The compliance manager goes in, looks at it and says, well, you know, this is close, but we need these couple, you know, modifications, et cetera. They take whatever the compliance person said, hand it back toward the control owner. The control owner’s got questions. So they try to go send the question back through the gatekeeper. We’re playing the telephone game the whole time this is going on, you know, shit’s getting lost in translation. At the end of the day, the SME is actually burning more time than if they just sat down and had a direct conversation. So, you know, there’s a ton of wasted time, you know, in the control owner direct interaction, you know, with the compliance function within the, you know, within the organization.
You want your frontline resources directly engaged in the process, you know, submitting directly, getting direct responses, having an open dialogue. Just like they’re the SME in their arena, the compliance person’s the SME in theirs, and poof, you know, things just get magically resolved without all of the telephone game horseshit in the middle. So it seems like a good idea initially, but the gatekeeper in the middle, that turns into, you know, a rather large shit show, shall we say.

Nah, that makes total sense. I guess the easiest way to ask this question is, how can handling your compliance program properly build in personnel redundancy?

And does a central repository help in that?

Yeah, I mean, the one thing that a lot of folks, you know, lose through this is that, you know, one of the biggest killers on these programs is when you lose one of your, you know, kind of core people, one of your SMEs. They get moved into a different position, they leave the company, you know, whatever. You know, there’s a lot of things that are learned across the course of compliance engagements. And now all of a sudden, if you have multiple key people that go poof, you know, and kind of really knew their shit, then you’ve got a gigantic hole left in the compliance program.

And now you’re having to start from scratch again. You know, for a lot of organizations, the data and the information is spread all over Hell’s Half Acre. That’s why, you know, for a lot of these compliance engagements, your best tool is a, you know, kind of a quality compliance management system, leveraging that because, you know, if I go through my compliance cycle, and the evidence and the experts that were loading things up, learning lessons, etc., are going ahead and loading it into, you know, that system. Now I’ve got the ability to go back and look at the prior year and clearly tell, you know, if Bob was here this year, he left and, you know, Angela’s coming in to take his place. Well, now I’ve got, number one, all of the data and information in one centralized, you know, compliance management system. And I know exactly what Bob provided last year. Now, guess what? When I go from year one to year two, now Angela can look back: what did Bob supply? Hell, even if Bob’s still there, if you have the centralized repository, you know, at hand, Bob doesn’t remember what Bob did 11 and a half months ago, you know. There’s been a long period of time that’s happened between then and now. And so, you know, instead of basically trying to look through the rat’s nest of, you know, file server locations and different places where people were, you know, kind of stuffing files and evidence and things along those lines last year that nobody now remembers. Instead, if it’s all in one centralized location, whether it’s Bob looking back at Bob’s own stuff or Angela stepping in and trying to pick up for Bob, either way. It is a central repository. It’s all right there. It’s organized, version controlled. I can see what the assessor accepted. I can see what screenshot was, you know, the one that worked for them. I can see what I need to go in and supply.
So I can’t understate the value of that investment into the program by, you know, using that centralized repository. You know, and having it there because it both helps with, you know, kind of disaster recovery, you know, if you will, in terms of personnel and it, you know, it helps to have everything in one spot. There’ll be a lot of benefits by the time you get to year two.

Yeah, that makes sense. Well, speaking of like, how should the organizations look at scaling out their compliance program as they mature?

Well, as you go down the path, you know, you want to do a couple of different things. So in that first year, I would strongly recommend bring somebody from the outside, a consultant to get a good foundation laid, leveraging that compliance management system to get everything into there so I have that central repository. By the time then that I get to year two, now I’ve got that central repository for ease of reference.

I can go ahead and make tweaks and modifications to our workflows. I can start making improvements, certainly by the time I get to year three. Now I’m starting to incorporate changes and modifications that happened at the organization across the course of the two years and making tweaks and adjustments. You know, some of the things that happen for companies are maybe they acquired another company. Maybe they’ve got a new line of business. Maybe they have new locations. Maybe they needed to fold in an additional standard. Maybe the version of the standard they’re already compliant with changed. There’s a ton of things that can happen year over year, you know, as you’re going. But what you find is that you get into that year two, year three, year four, you know, now you have an iterative process for making a stream of continuous improvements. Looking at, you know, areas where I can reduce friction, areas where I can increase automation, areas where we can improve communication, you know, and really streamlining the associated meetings that you have with your, you know, with your overall program. There’s a lot of benefits that start happening as you start to scale out that compliance program.

Hm, parting shots and thoughts for the folks this week, Adam?

Well, take it seriously about, you know, hopping your compliance program up on goofballs, because there are a ton of benefits. You know, a lot of people look at it as, you know, kind of a big hill to climb right out of the gate, but, you know, it may feel like that, but you look back and it’ll be one of the best decisions that you’ve ever made.

You know, especially when you start to gain the serenity of, you know, confidence in the program, in that rock-solid repository, in the ability to be able to bring new people in and get them up to speed on the program quickly. You know, having things buttoned up and running like a well-oiled machine. All of those things are huge benefits for, you know, for everybody involved.

They certainly are. And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
