Close Widget

Written by SureCloud’s Matthew Davies, Product Senior Director & Compliance Expert

Businesses are beholden to the regulatory environment in which they operate. As any compliance professional will confirm, keeping track of the ebb and flow of regulatory changes is a full-time job – and it’s also a mandatory one. The regulatory landscape has always evolved with time, but in today’s data-driven world of fast-paced digital commerce, it’s changing more rapidly than ever before. It’s little wonder that even the largest businesses with ample resources struggle to keep up with compliance long-term. According to Thomson Reuters’ Cost of Compliance 2020 report, financial services firms face 217 different regulatory changes each business day. That’s almost 60,000 potential regulatory changes every year that organisations have to keep on top of, with a great many of them directly impacting IT compliance. If this sounds like a daunting challenge, it’s only going to get more difficult as we speed toward interconnectivity, the Internet of Things (IoT) and an increasing number of cloud-native processes.

The duplication problem

Too often, organisations find themselves subject to resulting in huge inefficiencies and higher compliance costs. This is what’s known as regulatory overlap, and it can overwhelm compliance teams. For instance, if more than one shares jurisdiction over a particular set of regulatory issues, they may issue duplicate regulatory instructions. This results in businesses spending unnecessary time and resources, managing duplicate controls to demonstrate their compliance.

Therefore, the challenge lies in being able to avoid spending valuable resources on duplicate regulations while still ensuring across-the-board compliance. Many businesses ensure compliance using ‘controls’, which are a defined set of practices and procedures that can be automatically deployed in accordance with regulatory requirements. A ‘controls framework’ is usually employed to orchestrate compliance and mitigate risks and fines as a business runs its day to day operations. This requires a great deal of in-house talent and in-depth knowledge of the field in which the business operates, so defining how regulations should integrate with controls and manage objectives can be incredibly challenging – not to mention expensive.



Streamlining compliance

Companies that want to avoid duplication problems, such as that caused by regulatory overlap have several options at their disposal. They can take the time to build an in-house team of compliance experts, which would allow them to create a bespoke compliance management solution that’s efficient, streamlined and futureproofed for as long as the department keeps running. The downside of this approach is that it’s incredibly expensive. Given how rapidly the regulatory landscape changes, not all businesses can create their own in-house function.

Another option is to pay a consulting practise to build a control framework that works for your business. However, even if businesses can afford the initial cost, it will be left to maintain and update the framework, which can lead to spiralling costs if the right expertise isn’t on hand.


By far, the easiest and most affordable option for businesses is using a paid – or even free – meta-framework such as that provided by the Secure Controls Framework (SCF). The SCF is a volunteer-led organisation comprised of auditors, engineers, architects, incident responders, consultants and other specialists who work throughout the cybersecurity industry. Together, they’ve taken on the ambitious challenge of creating a comprehensive catalogue of controls designed to help companies build and maintain secure processes, systems and applications. The SCF’s primary objective is to tackle inefficient siloed practices within an organisation and nudge them toward a more data-centric, joined-up approach. This allows organisations to tap into a free catalogue of controls that mirror the current regulatory landscape, ensuring their control frameworks are always up-to-date. SureCloud has recently partnered with SCF, offering users access to the complete SCF catalogue through the SureCloud Compliance Platform. 

Learn more about SureCloud’s Compliance Management software here, which hosts the SCF metaframework, or contact us at to book a demo!

About Matthew 

Matthew Davies is responsible for the go-to-market proposition behind our GRC solution offerings and helps maximise the business value of our solutions. Before SureCloud, Matthew previously held positions in GRC implementation, pre-sales and product development at Deloitte and PWC.

About SureCloud

SureCloud is a provider of Gartner recognized GRC software and Cyber & Risk Advisory services. Whether buying products or services, your organization would benefit from automated workflows and insight from the award-winning SureCloud platform. All of SureCloud’s service offerings are fully compatible with the GRC suite of products enabling seamless integration of information, taking your risk programs to the next level. 

How can we help?