9th September 2014
Most organisations need to comply with standards set by regulatory or industry bodies, such as the Information Commissioner's Office, the Gambling Commission and the Payment Card Industry (PCI) Security Standards Council, to name but a few. This typically involves implementing a number of controls and attesting to their efficacy by performing reviews and providing evidence on a frequent basis, which is an extremely time-consuming activity, particularly where many standards are involved.
However, achieving compliance is seen by many organisations as a mountainous task that drains resources and yields little, as organisations fail to recognise the benefits of improved security and reduced operational risk. Organisations should re-think how they address their compliance requirements. With the proper processes in place they can operate far more efficiently and evolve their compliance programmes to reduce enterprise risk and, at the same time, reap valuable benefits.
Whatever the stipulation, compliance is a necessity rather than a choice, and it is often perceived as a costly overhead that provides minimal return to the business. As a result, organisations tend to undertake such programmes with an element of reluctance, owing to the lack of support and investment at board level. All effort is focused on the annual audit rather than on supporting the intent of the standard, namely to reduce the organisation's exposure to risk.
Reluctant to dig deep and invest in specialist software to manage compliance, most organisations rely heavily on spreadsheets to gather and store all compliance-related information. The problem with this approach is that multiple spreadsheets have limited manageability – they lack a centralised method of control, making it difficult to consolidate and devolve information, and errors will naturally result when dozens, if not hundreds, of worksheets have to be crunched manually. Team working is not well catered for with spreadsheets, so task management and version control also pose challenges. Furthermore, this approach only lends itself to annual assessments because it is so labour-intensive, meaning that organisations only know their compliance status once a year. For example, the primary focus of the PCI DSS is to pass the annual assessment or suffer fines, which conveniently encourages this type of behaviour; yet there is a sting in the tail – at the time of a data breach, irrespective of the annual compliance assessment results, organisations will be fined for non-compliance.
With no single version of the truth, and accurate reporting an impossibility, overall visibility of the compliance programme is at best poor. A complete lack of an audit trail leaves the organisation susceptible and unable to close the loop when issues occur. Efforts are often duplicated, as there is no systematic way to lessen the burden for the next audit, despite the fact that many regulations overlap to some degree, having a handful of controls in common.
So, how can organisations get over these onerous compliance hurdles in a cost-effective way? Is it possible to embrace compliance and make it a beneficial process? Let's not forget that the underlying intent of statutory regulations is to improve working practices in order to reduce risk and protect the business, as well as its customers, suppliers and partners. Organisations should be aiming to execute compliance programmes that deliver more than ticks in boxes; the outcome should be new capabilities that enable businesses to benefit from the process.
Rather than undertaking annual audits, compliance should be an ongoing process, executed continuously, on a day-to-day basis. With annual audits, enterprises achieve high compliance levels at the time of the audit, but levels tend to drop until the next audit, which puts businesses at risk. Continuous compliance is not only more efficient in terms of process, it also yields higher and more stable levels of compliance. Organisations will be more secure and less likely to be breached as a result. Switching to continuous compliance needn't be complicated; organisations that adopt a collaborative and control-centric approach find that compliance activities can be undertaken on a continuous basis. But what do these approaches mean in practice?
Collaboration allows each control to be managed on a business-as-usual (BAU) basis – daily, weekly, monthly or quarterly, as needed. With staff collaborating to undertake the relevant tasks as part of their day-to-day roles, there is no need for a compliance project or admin team to gather retrospective evidence that controls are being met. This drives productivity, as the compliance specialists can cover more ground with business analysis and assessment.
Rather than providing evidence that each control is being met for each standard separately, a control-centric approach enables controls to be linked to one or more standards – as illustrated below. This avoids duplication of effort and provides a holistic view of the entire compliance landscape. Greater visibility will enable weaknesses to be identified, so that actions can be taken quickly to reduce business risk.
With continuous compliance, controls can be mapped to multiple standards and can easily be migrated from one version to another, when moving from PCI DSS v2.0 to PCI DSS v3.0 for instance. By moving the emphasis from the standard to the control, an organisation can more easily focus on the intent of the control, i.e. to improve the business, rather than on achieving compliance per se.
Organisations that embrace the concept of continuous compliance should use a Governance, Risk and Compliance (GRC) solution to facilitate their mission. The traditional compliance tools are not necessarily the best; they can be too prescriptive and too time-consuming to implement, as well as expensive. Organisations should seek a cost-effective solution that automates the processes, enabling continuous compliance to be rolled out quickly and efficiently. In addition, the solution should provide solid analytical capabilities to enhance decision-making and add value to the business; for example, providing the executive team with the information to decide not to trade with certain suppliers or to cease "risky" activities.
Organisations such as Shop Direct Group and Domestic & General have recently changed their approach to compliance. Having experienced the headaches associated with using spreadsheets, they were determined to make their quest for compliance more efficient. Traditional tools were dismissed in favour of an automated and more agile approach that would deliver new analytical capabilities as well as generate a return on their investment. As Chris McAteer, Director of Compliance and Operational Risk at Shop Direct Group, summarises: "Our solution does a lot more than ensuring we have ticks in all our compliance boxes. The quality of information it delivers enables us to make better informed decisions about our supplier relationships. This helps us to provide the best possible service to our customers, something we are passionate about, and to protect the Shop Direct brand."
Achieving compliance is a necessity, but it needn't be a frenzied annual activity that yields little value. Aligning compliance initiatives with enterprise risk will give the subject of compliance more traction on the corporate agenda. In addition, an automated GRC solution should prove appealing, as process automation will generate productivity gains over previous compliance initiatives that were a drain on resources. A continuous approach to compliance can deliver far more to an organisation than just a series of ticks in boxes: greater stability, together with new capabilities that enable businesses to identify weaknesses and reduce risk.