Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: The Through-lines of Business Continuity

Quick Take

On this week’s episode of Compliance Unfiltered, Adam gives you a very important arrow in your compliance quiver: how to approach the move from a manual compliance approach to a compliance management system.

What should you, the compliance manager, say to your CEO/CFO if you were looking to implement this change? How do you effectively talk about things like potential ROI, risk reduction, or overall business benefits of compliance management automation? And what about the cyberliability insurance?!

Highlights include:

  • Why companies struggle with their compliance management, and convincing the boss to allow a change
  • What the compliance manager SHOULD start tackling with their CEO/CFO
  • CFOs want to know what’s in it for them, not the compliance manager
  • CFOs like risk reduction
  • Focus on return on investment
  • The difference in approach to cyber liability insurance

These topics and more on this week’s episode of Compliance Unfiltered!

Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks

Read The Transcript

So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside a man who you might have found wandering the halls of Oakland University solving compliance problems on blackboards in the hallways. Mr. Adam Goslin, Adam, how the heck are you? 

I’m doing fantastic today, Todd. How about yourself? 

I can’t complain. You know, a little Good Will Hunting tip of the cap goes a long way every day. So anyway, well, hey, listen, you know, today we’re gonna have a conversation about a conversation and it’s one that folks of this show might be having with people within their organization. So we’re gonna talk about making the case today for a compliance management system. So tell me, Adam, why are companies struggling today with their compliance management? And more importantly, why are they struggling today with convincing their bosses that they should change their approach to compliance management?

Well, the reality is it depends on each company, right? I mean, in some cases the organization is doing everything manually. And we actually had recorded a whole, you know, whatever, 40 something minute podcast before about, you know, the pluses and the minuses of, you know, of, you know, manually, you know, managing your compliance versus using a system and, you know, and all that’s entailed there. That’s not really the intent of this conversation, but, you know, companies are, you know, in an interesting position, depending on their circumstances. So either they’re doing it manually and doing it with Excel sheets and network drop locations and the emails are flying and text messages and updates in the hallway and all that fun stuff. Or in a lot of other organizations’ case, they’re basically because of the assessor that they chose, the assessor has their preferred way of doing it. So effectively, you know, it’s some middle ground hodgepodge and maybe they’re actually using the assessor’s system, which works out great for them, but, you know, not necessarily for the companies going through it. You know, and they also run the risk of, you know, if they, you know, if they end up switching assessors and, you know, now we don’t have a system and now all of our data is over there and they’re still kind of forced to manually, you know, manage it, whatnot internally. So, you know, a lot of the folks that are, that are kind of dealing with compliance the interesting part for me and it’s a measure of context is that when I started into, you know, kind of into the space, both the first time I was exposed and then for the first three, you know, three to five years of trying to manage compliance engagements for customers, you know, it was all, you know, manual effort and Excel sheets and manual tracking. And I love to call it, you know, the poor person that’s out of the hurricane. I literally did that for whatever, six plus years.
So I’ve got a lot of context with just how fricking painful it is to be able to go through that process, you know? And, you know, one of the big challenges for any organization that’s trying to convince the boss is that, you know, at the end of the day if you want to go and spend money on a compliance system then you’ve got to go and get approval from somebody to give you the green light to go ahead and do it. Generally speaking, most organizations don’t have some, yeah, you can blanket spend X tens of thousands of dollars without even coming for approval. I call that far rarer type of thing. And especially, you know, the CEOs and the CFOs of the world they, you know, their mindset is such that they’re sitting there thinking, you know, I’m already paying your salary. Why would it possibly make sense for us to spend more money on a tool when we’re already paying you to do this, you know? And that’s usually kind of the, at its root that’s usually the point of struggle for the person that’s in that, you know, kind of in that compliance management arena is, you know they’ll walk in and, you know, laud the, all this thing is going to be great for me, you know because it’s got all these features.

It’s going to be great for me because it’s going to say it’s going to save me time. You know, it’s be great for me, you know, in better orchestrating things, et cetera. And a lot of them will make it centric to benefits to them but lose sight of the fact that at the end of the day if the CEO, CFO have this notion that, hey we’re already paying your salary. I’m not spending more money to make your world easier. You know, then you’ve got to get past that. And so, you know, what folks need to do is they need to kind of take a different approach to it put themselves in that mindset of the person that’s kind of making the call and get them to a point where the appeal is not based on benefits to the compliance manager but the appeal is based on benefits to the organization and putting it in such a way that, you know that they can successfully, you know kind of make that business case to, you know to the CEO or CFO. 

Yeah, so what should the compliance manager start tackling with their CEO or CFO? Like, where to begin here, really? 

Well, I mean, you got to understand, you know, the folks that are in that CEO, CFO style position, I think they’re busy as hell. You know, they’re, they’re juggling a whole ton. Generally speaking, you know, they’re, generally speaking, their attention span is short. And so, you know, really, you know, the CEO is, is constantly thinking about just, hey, let’s, let’s get it done, get it done, get it done, you know, let’s make this sale, let’s increase this revenue, let’s, you know, work on the profitability, let’s cut these, you know, restructure to streamline the costs and appease the CFO, etc. You know, and they’re just, that’s just the world that they live in is, you know, is, you know, hyper focus on things for a brief period of time, make the call, move on. You know, the CFO is kind of got a different, a different realm, you know, they’re sitting there trying to balance, you know, risks and rewards, they need to keep the company in the black, they, you know, have profitability and, you know, and, you know, and revenue goals that they’ve got to be able to hit, you know, etc. So, you know, they’ve got, you know, kind of their own world that they’re, you know, that they’re looking at, you know, they, you know, if you think about it this way, you know, interruptions to the, you know, to the organization, you know, interruptions, sorry, you know, interruptions to these guys or girls is, it’s not just annoying, but they almost look at it as a threat to them doing what they need to do to be able to, you know, be able to keep everything moving, right? You know, the CFOs, the CEOs trying to keep the whole company, you know, headed in the right direction, the right trajectory, and the CFOs trying to hold, you know, kind of hold everything together. So, you know, you want to walk in and, you know, kind of several tasks, if you will. I mean, you want to make, you know, make the case relevant to their priorities, you know, in other words, why should they care about this? 
You want to be as short as humanly possible. I know that it’s hard when you’re trying to work and convince someone to do something that makes sense and you’re passionate about it. Oftentimes, you know, you’ll drone on and on and on, you’ll find yourself repeating yourself, etc. So, you know, get your delivery trimmed. You know, trim it all up, cut straight to the chase, you know, hit the major points and, you know, and pull it out expeditiously. You know, clearly communicate what you’re, you know, what you’re thinking. So, put forethought into, you know, into this business case and what are the points you want to hit. Make sure you’re not repeating yourself. If you see if they start getting that sense, then they’re going to quickly just dial off. And then, you know, at the end, at the end of it all, just make sure that, you know, your ask is readily actionable. You know, you literally laid the groundwork, you know, for these people, you know, and all they got to do is just say yes. You know, that’s kind of the, you know, the notion. While it makes sense to them, you know what I mean? 

Yeah, I do. Now, word has it that, you know, they want to know what’s in it for them, not the compliance manager, right? 

Yeah, I mean, and that’s really one of the, you know, one of the important points here is that, you know, the C-level folks, they’re looking for business benefits. They don’t give a crap about how it’s going to, well, I mean, okay, do they sort of care about, you know, the impact on, you know, on Bob or Mary? Yeah, they sort of care, but if the benefits only to Bob or Mary, then they go back to the whole, hey, we’re paying your salary, so suck it up, you know, type of deal. And so, you know, the job of the executive is to, you know, is to build that business high-level, visionary, you know, missions of the company and, you know, kind of hitting the things that are in their sweet spots, etc. You know, so the decisions that they make at the end of the day are things that help the business achieve the priorities that they’ve got for the organization and definitely will start shying away if they’re getting a sense that, you know, that the request is somehow competing against those, you know, against those notions. So, you know, part of the part of the game for the CFO, you know, they’re looking to, you know, they’re looking to find ways to make sure that they’re in the black, that they’re making money, you know, if they have to spend money, then they look at that as a, you know, kind of a threat to that dollar balance that they’ve got to, you know, kind of juggle through, you know, type of thing. So, you know, they’re typical in their brain, whether they say this to you or not, but in the brain of the CFO especially, you know, their goal, it’s almost like it’s built into them as a, you know, as a young person, you know, is that, you know, they just want to know, how can I avoid spending the money? Because if I avoid spending the money, to them it’s very linear, right? If I avoid spending the money, then I haven’t increased these additional costs and thereby that’s my best shot at trying to hold everything together. 
And certainly when they’re, you know, it depends on the state of the organization, but if they’ve, you know, if they’re relatively new to it or the company’s struggling, whatever, they’re definitely going to lean on, you know, lean on that side. You know, you, you know, you walk in, you know, as an example, you know, hey, the phone system is old, it needs to be upgraded and, you know, the phone, new phones are only going to marginally help people, but it’s a hundred thousand dollars. Well, yeah, just go, go throw that out the window, walk away. It’s not happening. But, you know, on the other hand, if those execs see the business benefits of the investment that you’re asking them to make, then you’ve got a legitimate shot at being able to, you know, be able to get their approval.

So especially CFOs now, they like risk reduction, like that tracks with me. Tell me more about that aspect of things and really how you would approach that conversation. 

Sure. So, you know, in the CFOs are generally speaking, a group that, you know, that are risk averse, especially any financial risk. So, you know, the basic premise of their job is minimize risk to the company. And because spending money inherently introduces risk, well, then they’re going to, you know, they typically look at that, you know, with hesitance or suspicion, you know, try to avoid it, you know, etc. You know, spending in the CFOs case, if you kind of put them yourself in their shoes and what their job is, you know, they almost look at dollars is like the company’s air supply. And so the more that I spend the dollars, the less dollars I have, the more my, if you will, company’s throat is constricted and, you know, the more difficult it is to breathe, you know, is kind of the way that they look at it, right. And so, you know, if you want to get, you know, through that CFO, get that spending request approved, you need to be able to show them that the use of the of the of the target compliance management system is actually going to reduce their net risk and, you know, have the added bonus of creating, you know, kind of creating additional, you know, additional benefits for the organization. 

Adam, one of the key points that execs get into when they’re on these discussions is return on investment. Can you explain a little bit more about ROI? 

Sure. Well, you know, whether it’s the CEO or the CFO, they’re wanting to see, you know, they’re about, especially the CFO, I mean, they’re about the numbers, right? You know, they’re kind of bottom line that they’re looking for and looking to understand is they want to know what’s the quantifiable return on investment, you know, for this system and is it going to happen in a reasonable period of time? You know, and those two are, you know, kind of related. The reasonable period of time though, you know, they’re not going to want to, you know, they’re not going to want to spend, you know, $5,000 as an example with, you know, kind of an ROI outlook of 23 years, you know what I mean? I mean, they’re looking for, you know, how is this materially going to benefit this organization and, you know, and do so for most of them? I mean, they’re ecstatic if you can show them basically ROI, you know, by, you know, kind of year, you know, year two type of thing. If it starts to get into years three to five and now you’re on the fence, if it’s five or plus, then you can pretty much throw it out the window, you know, certainly if you can show, you know, improvements to them within that first year, oh, you’re almost assuredly going to be able to pull this off. So, you know, they’re all about making sure they get that return. But the one key here, especially about the compliance management system, is that ROI can come in, in a wide variety of benefits, which all of which aren’t immediately, you know, oh, well, you know, you put this in place, it immediately saved me 50 bucks and I now have $50 until poof, you know, we’ve now collected all the dots. Well, I mean, some of it go to, you know, increased profitability, you know, because of the fact that you’re, you know, making the time investment for yourself and the other members of the team more streamlined, that means that their stress level has gone down. 
It means that there’s, you know, reduced risk of burnout, employee turnover, costs associated with training the newbie that, you know, have to go ahead and get because you’ve burned somebody out. You know, you’ve got, you know, the team has more time on their hands. So, you know, you translate that into kind of increased sales or increased throughput of, you know, of your organization, improved efficiency, productivity, you know, there’s a lot of ways that you can take the realm of the, you know, the benefits of the compliance management system and turn them into factors that, you know, your CEO, CFO, you know, really are going to care about. You know, you just, you need to be able to show in quantifiable terms, you know, how is it going to work that the business is actually going to get better, you know, and it’s easy to sit there and be cynical about, you know, reducing your sanity, you know, down to a number as the compliance manager, you know, but, you know, to your CEO and CFO, you know, that number, that ROI, that tells them a story. 

And as long as the justifications for the ROI, you know, kind of are adding up in their mind’s eye, you know, then, you know, then their capability for being amenable to moving forward is going to be substantially higher. You know, don’t think of it as some type of evidence that they don’t care about the quality of your work life, you know, but instead those numbers you’re putting together, they bring clarity to, you know, to the decision making for the CEO and CFO, you know, a 2% increase in quality isn’t the same as a 20% increase, you know, so the execs are looking for solutions that are going to give them, you know, give them bang for your buck, you know, so, you know, so there’s a lot of different ways that they can go about doing that. You know, the next area really is understanding your numbers. You know, do some research as somebody in the compliance arena, go in and do a bunch of research on your existing compliance setup, right? Get numbers together, compile them, do educated ball parking if you have to, but you’re a lot better off to be able to, you know, go in, interview a number of the people that are part of your compliance team. You know, go have conversations with, you know, the bosses of the departments that you interact with and their frontliners, you know, get together, you know, some type of an average, you know, hourly cost for team members, maybe even, you know, different departments are running in different ranges, etc. You want to, you want to put these numbers together and you want them to make sense to, you know, to them. So as an example, if I were to, you know, have you know, whatever, for the sake of this, this scenario, I’ve got people in compliance, I’ve got people in IT, I’ve got people in HR, and I’ve got the front desk administrative assistant, right? All of which are involved in our compliance management for the sake of this discussion.
So if I just say, well, on blanket, the, you know, the average, you know, the average across these people is, you know, is $55 an hour, whatever, maybe, or $45 an hour, whatever it may be. The first, when you go present that to the CEO, CFO, the very first thing that they’re going to jump on is the fact that, that, well, you know, the administrative assistant, you know, $45 an hour, you know, and they just, you’ve got to make sure you got yourself buttoned up, right? You know, if all of the people are in the same range, and you don’t have some wild variability, cool. Otherwise, get averages based on various team members and their roles, where their average costs are similar. You know, and make sure to include things like taxes, benefits, those are all things that the company has to pay for. So, you know, just make sure you got, you know, kind of dollars all in for those folks, hours across the team, you know, and break them down those hours. 

Break them down into the various phases of your engagement and any, any compliance engagement is going to have an initial spin up phase, data gathering, you know, evidence and evidence collection. Then there’s always this, it depends on the organization, how big their engagement is, but there’s some period that’s like the final push, you know, whether it, whether that final push lasts a couple of days or that final push last six weeks, you know, there’s a final push on these, you know, compliance engagements. So, you know, kind of get your hours together, bucket them into those periods based on rules and blah costs across those people, you know, and whatnot, and then turn around. And when you go look at your compliance management system, how much is that going to cost you? You know, type of thing. Now, you know, all of those are, you know, kind of good inputs for knowing the numbers as you start to get in and start working through your, you know, your efficiency, you know, ROI calculation, you know, so as you get into trying to start calculating the ROI. So let’s say you’ve got a team of six people. On average, a 40-hour work week equals 2,000 hours a year. The TCT portal, as an example, will typically save companies about 25% of their time that they spend on compliance in that first year, and that’ll jump up to somewhere around 65% in year two plus. So now that you kind of know for the compliance management system, these are the anticipated savings we’re going to get, and you’ve got all the numbers that you’ve already gone through, then you can go in and basically sit down and start kind of running the numbers for the ROI calculation. And for the listeners, over on the TCT website, we do have an ROI calculator there for companies going through compliance. So it’s a nice handy tool that you can go and just start plugging numbers into to go and run them, et cetera. 
But on average, if your situation is like most of the clients that we’ve interfaced with, they can probably figure on saving about 500 hours across their team over the course of the first year, 1,300 a year after that. It’s a big, big amount of hours that you’re basically saving across the company. So go in, grab the average, as we talked about with the dollars, put them in at the 2,000 a year, et cetera, run how much of the savings you’re going to go get, and get all of those numbers kind of buttoned together. The example that we were talking about a little bit ago was, let’s say it’s just an average of 45 an hour, including taxes and benefits, then you can start running the total cost to the company of the way you’re doing it now versus if you take those kind of benefits. Now, what are you going to end up spending, fold in the cost of the system, and poof, you’ve got your, how long is it going to take? You’ve got to make ends meet and all that fun stuff. And if you put it together in that regard, then it’s a lot easier for the CEOs and CFOs of the world to really get their arms around and be able to understand what you’re saying. And if you’ve done it right, you know, then it’ll make sense to them. 

So are there other ROIs to consider or does it just boil down to those? 

Oh, well, there’s other things that kind of come into play. So the things that we’ve talked about so far are really those elements that are readily accessible, numbers, dollars, and whatnot that you can go in and leverage. But there are other returns on investment that you can consider bringing to the table, bringing to the conversation, because improved efficiency. So we talked about the hour savings, right? It depends on who it is and whatnot. Unless you’ve got a gigantic organization that’s running through compliance, it’s unlikely you’re going to save an entire body from this department, whatever. But the aggregate savings of numbers of hours across these various roles means with that improved efficiency, now, operationally, we’re able to take on more without having to kind of hit that wall where we need to go and bring a new person. So if I’m able to alleviate whatever, 300, 400 hours out of a particular department, well, that means now how much further can the company grow without having to hire a new, warm body over there? Because if I had not saved that time, then everybody’s capped out, stressed out, whatever. We’ve hit the point where we have to go get somebody. You’re just not hitting that point as soon. Additional profitability that we end up getting, you could look at that in several ways, but not the least, which would be being able to invest that into other areas of the business. So do we want to take the dollars or time that we otherwise would have needed to go spend and allocate that to product development or throw it into the hiring pool or whatever. You can kind of decide, what do I want to do with those dollars? But the increased profitability is another area that you can go and, depending on your organization, focus on how can we translate this into something that makes sense, makes sense for the C-level folks. 
More efficiency means less overtime, which means cost savings could even be higher than estimated, depending on how the target organization goes by handling it. And certainly, increased efficiency reduces stress. You’re not burning people out. You’re not having to go having them quit. Happier employees equals greater productivity period. We talked earlier about the whole notion of then having to go in and train your people. The new person to be able to pick up this role. 

Well, what about the difference in approach to cyber liability insurance, for example? 

Sure. So the reality is that if you think about it, the C-level folks, to me, I find it, I don’t know, I’m going to call it mildly entertaining, that the C-level folks will just, they will go in and they will every single year, I just know I have to pay my cyber liability insurance. They’re happy to go fill out the paperwork, pay the big huge bill for their cyber liability insurance, et cetera. And they don’t question it, right? Meanwhile, the company, hopefully, hasn’t had to file a claim, but you’re paying into it every single month. And if you think about it, the dollars that they put into that cyber liability arena, it’s not providing any dividends to the company. It’s just sitting there on standby as an emergency parachute, and you may never even use it. The dollars that you put into a compliance management system, those dollars are making a difference, right? Your insurance isn’t making any real difference in your day by day work. Your insurance isn’t increasing efficiency or improving operations or reducing stress or blah, blah, blah, blah. So if the company’s willing to pay into the cyber liability insurance with no promise of benefit, well, then why not invest into a compliance management system that makes a promise of actual net gains? Better yet, one that helps to proactively protect the organization. One of the key points that we spoke in other episodes, especially I think, especially hit this when we’re talking in the cyber arena, is that in the cyber world, it is literally emergency parachute. It’s not doing anything to proactively benefit you. But when you go through and you’ve got a really rock solid together program for security and compliance management, the task the team is doing on a basis through that period, those are outstanding benefits to the organization. It’s proactive protection. I’m actively reviewing the user accounts. I’m actively running my vulnerability scans. I’m actively reviewing my logs every day. 
You have these tasks you do on a security compliance management, well-tuned compliance management program. Those are active, active, proactive shields for the company. If you can get the CEO, CFO light bulb to go on on this particular point, it’s going to be something that really paves the way to being able to move forward. 

At this point, is the compliance manager ready for the battle that is about to ensue? 

If they’ve done all of these things, then yes, it’s not going to get much better than this. I mean, what I would recommend or suggest is do yourself a favor, do not spend an early afternoon whipping some numbers together to whip onto a spreadsheet and go head into a meeting with the CEO, CFO. This is something that is, it’s going to be important, and this is the way that I look at it, is that this is a topic that’s going to be important for the company, even though the CEO, CFO may not have had the light bulb go on to this point. You know, in the grand scheme of things, you’re really working in the best interests of the organization. It’s something that’s important. It’s something that’s going to help the company, help the people at the company, you know, et cetera. So take your time. You know, gather up the numbers, put it together. You know, put together your whatever, whatever your presentation approach is, a lot of people will go and throw it into, you know, two, you know, two, three, five slides, whatever, in PowerPoint or something. But, you know, polish that. Write your speaking point notes, you know, don’t just whip a bunch of high-level bullets up there figuring you’re going to remember everything. Literally spend the time to go and, you know, kind of script this out so that you can share this story well. Because going back to one of the points that we had earlier is these guys don’t have a lot of time. You know, they’re not going to sit there for, you know, for an hour-long dissertation about the benefits of the compliance management system. You know, if you can get this delivery really kind of buttoned up into 15 minutes, you know, 10 minutes, 15 minutes, 20 max, that’s about what you should be shooting for, you know. But to do that, take some iterations, some iterations and practice, run through your, you know, your thing a couple times. 
And then the other piece is, and again, depending on what data point you decide to pull into this, really take off your fill-in-the-blank hat, whether you’re in HR, whether you’re the compliance manager, the compliance officer, take that hat off and instead look at what you’ve just put together and say, what are the things, you know, how is this going to ring true with the CEO, CFO, kind of given their, you know, given their target objectives, you do that, you get them to look past just the bare costs of the compliance management system and really understand, you know, the benefits and gains to be had for the company. Yeah, you’re going to have a heck of a lot better shot at winning that purchase approval. 

Perfect, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow.

And I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less.
