As a compliance manager, your job isn’t merely to get your company across the finish line with an Assessor’s seal of approval. Your job is to equip your internal compliance team with the skills, knowledge, and resources they need to do their jobs well.
You need a confident team that knows what it's doing and is able to do it efficiently. And you need a team that works together as a single unit, like a well-oiled machine.
Unfortunately for many compliance managers, achieving that reality is easier said than done. When it comes to equipping their compliance teams, they feel like they’re at a loss.
It’s especially hard for new compliance managers, who are just trying to keep their own heads above water. If that’s you, don’t leave before reading this article: Avoid the Common Mistakes New Compliance Managers Make
Here are some best practices that I highly recommend to equip your compliance team for confidence and success.
Provide Personalized Training
A lot of compliance managers assume that their team will naturally pick things up along the way. They think that it'll be a little rocky at first, but the team will figure it out before long. However, there is a big difference between showing them an Arctic-temperature water survival suit and giving them 60 seconds to put it on before tossing them in the drink, and actually training them beforehand on how to don the suit properly in under 60 seconds.
I’ve found that it’s a lot easier to give your people the appropriate depth of training they need up front. Otherwise, you risk them developing bad habits that get ingrained into your culture. Worse yet, they may never properly learn certain core concepts when left to their own devices.
Instead, identify which people need to do which tasks, then provide the training sessions each person will need for their specific work. This means more training sessions overall, but because each person only learns what they need, your team can start making better progress, faster.
Your compliance team will need several types of training:
- Group training on your compliance management tool
- Orientation to the compliance certification you’re going up against
- Overview of compliance processes and procedures
- Incident response training
- Legal training
- Security Awareness training
- If appropriate for your organization, Secure Code Development training
Teams and individuals that are just getting started with compliance will need extra help. Schedule more personalized time with small groups of people who are working on similar tasks. Walk through their requests: What exactly do they need? What evidence are they looking for? Answer their questions about that evidence. Pro Tip: your compliance management system should have a place to preserve that guidance and Q&A, so that you will not need to keep answering the same questions in the future. That builds efficiency.
Note: Providing training doesn't mean you have to lead the entire thing, and it doesn't have to be monstrously expensive. Some people may only need to watch one or two free videos from the certifying body. Others might benefit from a classroom-style session with your compliance Consultant.
Set the Ground Rules
One of the best ways to guarantee a miserable compliance experience is for your team to never get on the same page. Establish your rules of engagement early on. For example:
- How will you operate as a team?
- How will you communicate?
- How often will you meet?
- How will you submit evidence?
- How will you use your compliance management system?
- Where will you put written explanations?
- Where will you attach evidence and files?
- What happens when you’re done with each task? With everything?
Lay the groundwork for how your process is going to work. For example, never do any compliance business by text message or email, and don’t verbally pass along information. Instead, put it in the system. That way, you have a record of absolutely everything in that one place. It’s challenging to get this approach in place, but you’ll thank me in future years if you do.
One of the biggest factors of compliance success is absolutely making sure that all of your evidence and documentation is consolidated in one place. A compliance management system is a critical component of that approach, because it gives you a centralized place to store everything.
If you wonder whether something is done or is still open, if an attachment has been provided or not, you can look and see at a glance. You always know exactly where to go to find out, and your life is immeasurably easier.
That central repository doesn’t just give you easy insight into your current status — it also lets you look back at what you did in previous years. You don’t have to reinvent the wheel every time you prepare for an annual Assessment — you can simply look back and see what passed muster with the Assessor last time.
I can’t tell you how valuable it is to have that historical information. I guarantee that your team has forgotten 90 percent of what they did last year that the Assessor approved.
Plus, natural progression means you have people swapping in and out of the team. The team you have today isn't the team you had last year. That historical information is your institutional knowledge, and it's preserved year to year, even if some people have only been on your team for a month. This knowledge lets the entire team move with speed, instead of burning hours every year rediscovering what was done before.
Prioritize Compliance Assignments
Once all your assignments are doled out, you’ll likely have people who fall into two basic categories. They’ll either have just a couple items to do, or they’ll have a metric ton of items on their plate.
If they only have a couple of items, things are pretty easy. But if you have a group that has 150 line items to take care of, it will be tremendously helpful to prioritize their list for them.
For team members that have several assignments, prioritize your most important elements into delivery groups: A-level, B-level, C-level priorities, then the stuff you can get to last in whatever order you want.
Generally, the first elements your Assessor will want to see are the policy and procedure-related documentation, a network diagram, firewall rules, and an inventory. Those items will lay the groundwork for the rest of the engagement. Make those tasks the highest priority for your team (validate this list with your Assessor, but generally these are great starting points).
Use Your Compliance Consultant
If you have a security and compliance Consultant, leverage their full capabilities for your team.
- Find out how to handle various requirements.
- Ask about what an Assessor will be looking for.
- Get their feedback on your procedures and processes.
- Solicit their recommendations for improving your compliance management and compliance solution tools.
- Ask them about things you’re worried an Assessor will discover.
The great thing about using a compliance Consultant is that you can have wide-open dialogues without fear. Your Consultant is an advocate who is there to help you. They're on your side. You can talk to them about anything that's broken or in shambles that you might hesitate to raise directly with the Assessor.
Your compliance Consultant can help you figure out what you need to do to get on track, so you’re confident and ready for the annual assessment. Make full use of this invaluable resource.
Make Compliance Management Suck Less
Investing in all of that prep work and training makes it so much easier for your team members to know exactly what they need to do. It gives them greater confidence, better knowledge, and stronger alignment so they can crank out their work more efficiently.
Managing compliance can really suck. But you can make it suck less — for you, and for your team.