Before founding TCT, I led the compliance function at an organization. I remember very clearly the struggle to manage compliance efficiently while also leading a team of control owners. I muscled my way through the process — and not so elegantly, at the beginning.
It’s easy for executive leadership to walk into a room, say, “You guys go do compliance and let me know when you’re done,” and then walk away from it. Between that point and the finish line, there’s an unbelievable amount of pain, sweat, and tears. Meanwhile, compliance managers are left with the ever-present question bearing down on them:
How can I help my compliance team really excel?
Even huge organizations with large budgets struggle, because the landscape of a compliance engagement is just that much more complicated. As organizations grow, their compliance programs become more complex, making it more challenging to run compliance in an effective and efficient manner.
Most organizations find a way to “go make compliance happen.” It usually involves a heroic amount of sheer human grit and determination to get to the finish line, but that’s not the same as doing compliance while leveraging an optimal process.
There’s a better way to structure your compliance management process. Let’s take a look at some best practices to help your compliance program shine.
Don’t Confuse Security and Compliance with IT
No matter the size of your organization, it’s practically impossible to find a compliance professional who is organized while simultaneously having deep experience across a broad spectrum of compliance engagements. These types of resources are very expensive, and most organizations are just making do with the personnel they have on hand — meaning, if you can spell IT, you may get recruited to lead your company’s compliance program.
This is a bad approach.
It is important to remember that IT isn’t the same as compliance. Being skilled in one doesn’t mean you are skilled in the other. It isn’t tenable to put a project manager or someone from IT into the compliance manager role, because they won’t have the particular expertise that’s needed for a successful compliance program.
It also puts your organization in a position where the people responsible for the controls themselves are the same group providing oversight, which never makes sense. Why would you put your day-by-day Accounting personnel in charge of the annual financial audit of the books? You wouldn’t.
Bring in a Compliance Consultant
Instead of relying solely on under-experienced internal personnel to manage your compliance program, take advantage of a third-party Consultant who’s been around the block a few times. A compliance Consultant can bring all kinds of invaluable wisdom and experience to the table, and they can very quickly spot what’s going on and identify improvements to get more work done, more effectively.
Compliance Consultants have one goal: to make your compliance program better. They want to see you become more successful, more efficient, and more confident as you manage compliance. They aren’t an Assessor and they have no skin in the game from a control ownership perspective, which means there’s both no judgment and no need to watch what you say.
A Consultant is entirely in your corner. Their job is simply to have the organization’s back, ensure appropriate adherence to the company’s compliance standards, and work with and develop your team so they can excel. When I come in to do an analysis, my objective is to see the present state of the organization. I have no interest in supplanting any personnel or vendors; I simply want to make the client more effective and more efficient.
Whether this is your first year of compliance or your tenth year, there is tremendous value to be gained from engaging with a third-party Consultant, especially since compliance programs tend to become more and more complex — and therefore more and more unwieldy — over time.
Address Fears About Change
Many times, I’ve seen turf protection come into play when an outsider enters the organization and it’s seen as a move to “stir things up.” It’s not uncommon for individuals to feel protective of their domain — they’re seen as experts within your company and they don’t want to be supplanted as the go-to person that everybody looks to for answers. They may also fear that they’ll soon be out of a job.
When you bring in a Consultant, nip that kind of reaction in the bud from the start. Assure your personnel that the Consultant has no interest in replacing anyone or supplanting anyone’s value to the company.
Your compliance Consultant should be viewed as an outside expert who is here to work with the existing control owners. Create an open dialogue and be completely transparent about reasons and motivations for the hire and communicate that you only have everyone’s best interests at heart.
Make yourself available if anyone has concerns or questions. Also be vigilant for any signs of turf protection from your personnel and deal with it immediately and directly. Addressing concerns and watching for any team issues will ensure a healthy engagement with your Consultant and give the effort a much greater degree of success.
Conduct a Gap Assessment of Your Compliance Program
Whether you’re new to compliance or have been doing it for years, chances are, your Consultant will want to start with a GAP assessment. Whether you have a Consultant or not, the first step towards helping your team succeed is to do an analysis of your current state of compliance against your requirements. This analysis should go across your entire compliance program.
Start with your most prescriptive standard, such as PCI DSS, because that will readily map to any secondary standards you also go up against. Then, across the board, look at where your organization stands.
Your GAP assessment should help you determine how many of your required items are already in place. What is fully in place, partially in place, or not in place? Identify the GAPs that exist between the certification requirements and where you are today. This will give you a good sense of the work that you have ahead of you.
Also look at your internal personnel. Who do you have on staff? What are their relative skill sets? If you have a Consultant who has the perspective of managing these engagements on a recurring basis across a broad spectrum of industries and compliance standards, they can come in and give you good, unbiased recommendations on how best to use the skills and capabilities of your personnel.
Engage SMEs Directly
While doing your GAP assessment, examine your workflow and note how it passes through each position on your team. You may be surprised to discover that you have some unnecessary gatekeepers that sit between the compliance manager and the evidence.
In about 80 percent of my consulting engagements, it isn’t clear who is actually provisioning the evidence, because everything is going through gatekeepers. Control owners pass every piece of evidence to the gatekeeper, who then loads everything up into the portal. This is a problem because of the massive inefficiency and potential for error it creates.
For example:
- The control owner collects the evidence they believe is needed.
- The control owner hands off the evidence to the gatekeeper.
- The gatekeeper hands it over to the compliance manager for review. But the evidence isn’t right, or it’s incomplete.
- The compliance manager tells this to the gatekeeper.
- The gatekeeper passes the message down the line to the control owner.
- Of course, the control owner has a clarification question.
- The gatekeeper sends the question to the compliance manager.
- The compliance manager gives the response back to the gatekeeper.
- The gatekeeper delivers an answer to the control owner.
- And so on.
You can see what an absolute waste of time and energy this is. Worse yet, this is just one example of one requirement with one control owner. All along the way, of course, you’re losing important information in translation, just like the Telephone Game that you used to play as a kid.
Instead, get your frontline resources directly engaged in the process. Control owners should submit the evidence directly to the person doing the review, and the two parties should have direct access and direct communication with each other.
At first, it may take more of the SME’s time than you’d like. But as they learn from their first time through the compliance cycle, they’ll become more efficient the next time around and your entire compliance program will accelerate.
Build a Backup System for Employee Turnover
If you’ve been running your compliance program for a while, you have a team of personnel who have become astoundingly valuable — even if your process needs a lot of optimizing. One situation you definitely don’t want is significant employee turnover.
Nothing will tank a compliance program faster than the loss of multiple key people who know their sh*t. That kind of scenario will essentially put your compliance program back at Square One and you’ll need to rebuild from the ground up.
You have a backup system for disaster recovery, and you should also have a system for personnel recovery. If someone suddenly leaves their role, all of their organizational knowledge goes with them. How will you protect against that kind of data loss?
Make it a priority to cultivate a positive work culture for your compliance personnel. Give them plenty of reasons to stay, and be their advocate. Keep your finger on the pulse of their morale and mental health. Publicly recognize wins, provide praise, and make sure they continue to be compensated appropriately.
Create a Centralized Repository
As you go from Year 1 to Year 2, make sure you have a rock-solid repository of your evidence. The majority of organizations have a rat’s nest of files — disorganized, badly named files that are scattered across storage locations. If you need to go back to last year’s evidence to see how you fulfilled various requirements, you’ll spend hours digging through files — and may never find what you’re looking for.
With a single, already organized repository, you can quickly and easily go in and refer to last year’s evidence. It’s all there, organized and version controlled, and you can easily see what evidence was accepted by your Assessor in previous years. This one simple change will streamline your efficiency and save dozens or hundreds of hours across your annual engagement.
It’s also a valuable investment into your compliance personnel, because it relieves them of frustration and irritation, making their work more enjoyable. It makes a new hire’s job easier as well, because they can quickly and easily see what evidence was collected in previous years by their predecessor, and learn how it was provisioned before they came on board.
Because the system now holds a rock-solid repository of what happened in the prior year, your new personnel will become far more effective, far more quickly — saving them an absolute ton of hours getting up to speed and sparing them many of the same errors their predecessor made.
TCT Portal gives you a fully automated central repository that you don’t have to clean up — ever. Our compliance management software provides a single location to put all of your evidence, explanations, file attachments, and policies.
Scale Your Efficiency for Long Term Success
Without an eye on the long-term viability of your compliance program, you’ll end up creating a workflow that’s just limping along, held together with duct tape, bubble gum, and sheer willpower. That’s no way to run a business, and it’ll erode your profit margins and destroy your employee retention.
Make a long-term investment into your compliance program through multiple iterations of increasing efficiency:
- Year 1: Engage an outside Consultant to lay a solid foundation.
- Year 2: Create a centralized repository for easy referencing, and tweak your processes for better flow.
- Year 3: Review your organization’s changes over the past two years and make adjustments as needed.
As your organization grows, ask the following kinds of questions:
- Did we acquire another company?
- Do we have a new line of business?
- Have we added another compliance standard?
These kinds of changes will have an impact on your compliance structure, and you’ll need to adapt your workflow to maximize efficiency.
At this point, your compliance program has settled into a system, and your personnel know what they’re doing. Every couple of years, go back and review your processes to find opportunities to optimize the program.
Most importantly, engage your compliance management system providers for regular reviews of your current state, inbound changes, modifications that can be made, and ways to take advantage of functionality they may have that you’re not even aware of. The partnership between TCT customers and the users of the TCT Portal is one that yields ever-increasing benefits over time.
When you look under the hood, ask yourself:
- Where can you eliminate friction?
- What manual processes could be automated?
- Where can communication be improved?
- Is every meeting still necessary?
Even if your organization has been running a compliance program for decades, returning to this exercise every two to three years is an excellent practice.
A More Successful Compliance Program
Over the past two decades, TCT has supported small, single practitioners as well as gigantic, international, multi-billion dollar organizations — and I’ve seen challenges across the entire spectrum. Managing compliance can really suck, but we can work together to make it suck less — for you, and for your team.
Need help optimizing your compliance workflow? TCT can provide expert compliance consulting, or connect you to top Consultants we trust.