As US regulations continue to compound, navigating constantly changing compliance pitfalls can be overwhelming for many businesses. Add the plethora of international regulations, and regulatory compliance may feel like an insurmountable task. However, upon closer inspection, many regulatory requirements may not be as daunting as they first appear. This is especially true for businesses that develop a comprehensive compliance program rather than tackling regulatory requirements individually as the need arises. A robust program can alleviate rework and reduce the duplicated effort of gathering identical control data for one regulation after another, while providing a roadmap to address the unexpected and navigate the unknowns. Below, we’ll explore some of the most common elements required for an effective compliance program.
Executive support for the compliance program is the first and most important step. Executives set the company culture, and employees will take their cues accordingly. If the leadership team is dismissive about compliance and regulatory requirements, the rest of the workforce is likely to follow, creating an uphill battle. Gain buy-in with the leadership team by illustrating the efficiencies a comprehensive compliance program can create. And, if necessary, explain the risks involved with non-compliance. At the very least, the Executive team needs to understand they are on the hook for risk acceptance and sign-off for non-compliance. In some cases, regulatory non-compliance can result in hefty fines and loss of contracts. This is especially true in the financial and government sectors, with little room for error.
Executive support needs to come in several forms. Not only should the leadership team lead by example, but they need to plan for ongoing funding allocations for the program. Depending on the size of the business and the number of regulatory requirements that need to be met, one or more team members should be assigned to own and manage the compliance program. The leadership team also needs to ensure that others set aside at least some time to implement controls, maintain them, complete awareness training, and provide evidence as required for compliance. In many cases, those who own and use specific applications and IT functions will need to be responsible for providing evidence of effective controls and compliance. A compliance manager will likely not have the necessary detailed knowledge about every single application in scope for compliance, and thus will have to rely heavily on application owners and IT support teams.
Once buy-in and support are established at all levels, each of the relevant regulatory requirements should be reviewed together to identify overlapping controls across the various standards. A single standard may have hundreds of individual controls in play. These controls are likely to overlap with other standards and requirements. Combining these into a single collection exercise will save a significant amount of time and money.
Attempting to manage multiple compliance standards with spreadsheets will require significant time and effort. Having a compliance partner can alleviate some of that expenditure. A good compliance partner will be able to combine standards and consolidate controls using industry tools. Time and funds for a small engagement with a reputable firm may be worth the money if multiple standards or numerous controls need to be met. Compliance with these standards should be driven through company policy. In mid-size to large organizations, this is usually driven through publication of an Information Security Policy as well as specific IT Standards documents outlining what must be done, by whom, when it must be completed, and why it is important.
A plan should be developed to document which controls are already in place and where new controls may need to be implemented. Funding and resources may be required if the new controls require new IT Security systems to be implemented. Although evidence collection may commence in parallel, work on new controls will need to be completed before attempting to submit compliance evidence to regulatory agencies. Be sure to document how to use and maintain controls with job aids and standard operating procedures as appropriate.
Once all controls are in place, employees should be trained. In most cases, all employees should receive compliance training, though specific training requirements will vary for different roles. Every employee should receive some sort of awareness about regulatory requirements and the importance of compliance as well as the consequences for non-compliance. Employees should acknowledge or certify they understand the importance and agree to comply to the best of their abilities. Employees responsible for executing or implementing specific controls may need additional training in order to ensure adherence for more complex controls.
With policy in place, training completed, and controls enabled, the next step is testing. It’s obvious that testing and evidence collection are required to demonstrate compliance. But, beyond the frequency specified by the regulatory standard, controls should be routinely tested on an ongoing basis. It’s critical to know when a control becomes ineffective, and to be able to remediate it, before the audit exam. Most audits require extensive samples throughout a calendar year; waiting until sample time to verify that a control is still working will almost certainly result in non-compliance.
A good compliance partner will also be helpful on the testing front. The partner should be able to help establish an evidence repository. Not only can a centralized repository make pulling samples and providing compliance documentation easier, but it can also help manage transitions as employees move into new roles or leave the company and are backfilled by other employees. Having an example from the prior year may be just what’s needed to help get someone quickly up to speed and avoid compliance gaps due to turnover.
Once all of these elements are in place, a strong ongoing governance process should also be established. The governance process should review the various documents and standards, training, and effectiveness of the required controls. Updates should be made at least annually, driving potential systems and process changes in order to maintain compliance. The governance team should also work to stay ahead of regulatory changes, incorporating updates into policies and training, and planning for systems updates to ensure compliance is maintained. Benchmarking should also be considered within the scope of governance to make sure the tools and processes for a particular requirement are cost effective and efficient.
In summary, the above steps outline some of the basic elements that are common to all effective compliance programs, regardless of which regulatory standards are in play. By no means should this list be considered a comprehensive guide for do-it-yourself compliance. Rather, the steps provided are intended to give some idea of what’s involved in tackling a compliance effort. Specific regulations may require additional steps, well beyond the scope of an introductory article. Although motivated over-achievers can probably navigate some compliance requirements alone, an experienced partner can help to avoid many of the pitfalls outlined above. A partner will also bring tools and templates to the table, as well as inside knowledge that can significantly reduce the time to successfully implement a new compliance program.