In the very early days you felt like you were standing at the bottom of an insurmountable mountain, but it finally happened. The day you have been dreaming of. Your organization has successfully achieved compliance.
This is a special moment. Enjoy it. Savor it. Pat yourself (and the team) on the back.
Actually, you should do better than that. This isn’t merely a special moment — it’s a major achievement that required innumerable man-hours to accomplish. Your team was deep in the trenches for months or years, and several of you sacrificed sleep, weekends, and possibly even vacation time to pull this off.
You deserve to celebrate properly, to throw what TCT commonly calls a Compliance Party.
You Need a Compliance Party
I wish companies would acknowledge the accomplishment of achieving compliance a little more. It is really hard, especially the first time you go through it. You’ve had to get everything together, gather all of the evidence, work through all the problems you need to solve, continually check in with status meetings, and so much more.
Compliance standards are extremely complex, and you can’t treat compliance like an out-of-the-box activity. It isn’t something you simply check off of a weekly to-do list. On average, even adept companies with plenty of staff resources invest six to nine months in becoming compliant. For others, it could be a 12- to 24-month effort. It’s a long and arduous journey.
Getting compliant is most certainly something that should be celebrated. I’ve had my fair share of compliance celebrations, and through the years I’ve picked up a few best practices for doing it well. If you’re getting ready to achieve compliance at your organization, here are my top tips for celebrating the accomplishment.
The Invite List
This might seem obvious at first, but it’s very important that you don’t leave out any deserving folks who contributed to your success.
Certainly, the core team that was heads-down in the thick of it should be at the top of the invitation list. But there are many other players who deserve recognition. For example, the people in HR and legal were probably involved in the effort. Some of your vendors played key roles. You may have been introduced to people in other organizations who gave you sage advice or moral support. Your compliance consultant and Assessor were pivotal. All of these folks deserve to be recognized and to celebrate with you.
Include executive leadership and those who manage the teams that were involved. They may not have played pivotal roles, but their support and buy-in were vital to your efforts.
One important element that a lot of organizations tend to forget is the material impact on your people’s lives and their families. If you can afford to do it, include your team members’ significant others, because they’ve made sacrifices of their own in a variety of ways to support your folks in getting your organization compliant.
How to Throw a Compliance Party
At the bare minimum, your company should provide some kind of recognition for everyone who went through the compliance engagement. In some cases it’s a bonus, other times it’s a gift or commemorative memento. It’s up to your organization, but it should be meaningful and appropriate to the amount of blood, sweat, and tears that were put into it.
I’ve seen many companies do some sort of evening out — a dinner or a gala event. If you go this route, I recommend making it easy for people to celebrate and enjoy themselves, and also stay safe. Provide rides home, or offer a block of rooms at a hotel.
Of course, in the COVID world, a celebration will look different and you’ll have to get creative. Some companies do virtual parties.
Whatever the venue, most companies take the opportunity to give various affirmations and recognition speeches during the event. Someone from executive management should express their appreciation of all the hard work your team has invested into the engagement.
You should also give some kind of company-wide recognition, whether it’s via internal announcements, a morning standup, a quarterly update from the CEO, or an all-staff email. It should go to the entire organization, with a recognition of the accomplishments and their significance to the organization.
Celebrations for the Rest of Us
Not every organization is the fancy dinner type of company. Some teams prefer to keep it a bit more casual. Here are some ideas that I’ve seen my own clients do:
- Cater in a lunch and take the afternoon off
- Rent out a movie theater
- Have a Jump Zone party
- Go paintballing
It can be anything that your team will enjoy and find meaningful. The point is to recognize those folks and give them the kudos they deserve.
Private Acknowledgement Is Important, Too
There are very few folks who form the inner circle of a security and compliance engagement. Unfortunately, those are usually the only people who truly realize how much everyone went through. It’s hard for others in the organization to truly relate to the achievement. They weren’t up through the night worrying about it, doing Google searches to solve this or that problem, wading through technical notes to understand an issue, or having to do installs and software configurations repetitively during off-hours on nights and weekends. So many behind-the-scenes things happened that very few people are privy to.
That’s why I strongly encourage upper management to take a moment, sit down, and talk to those people. Find out what they went through, what struggles they had, how they can help make things better going forward.
Often, that simple gesture can be as powerful as a formal recognition. It’s not a substitute, but it’s tremendously affirming.
The Day After the Party
After the party, there’s one more thing to do: keep going. Getting compliant for the first time is only half the battle. You’ve achieved compliance, but now you need to maintain it. Fortunately, TCT’s Operational Mode makes it manageable and practically painless. But whatever you do, don’t let your organization take its eye off the compliance ball. You definitely don’t want to go through compliance from Square One all over again!