Compliance Management, GRC

Regulatory Overlap: Avoiding the Pain of Duplications within IT Compliance Requirements
Written by

Matthew Davies

Published on

2 Mar 2021

Businesses are beholden to the regulatory environment in which they operate. As any compliance professional will confirm, keeping track of the ebb and flow of regulatory changes is a full-time job – and it’s also a mandatory one. The regulatory landscape has always evolved with time, but in today’s data-driven world of fast-paced digital commerce, it’s changing more rapidly than ever before. It’s little wonder that even the largest businesses with ample resources struggle to keep up with compliance long-term. According to Thomson Reuters’ Cost of Compliance 2020 report, financial services firms face 217 different regulatory changes each business day. That’s almost 60,000 potential regulatory changes every year that organisations have to keep on top of, with a great many of them directly impacting IT compliance. If this sounds like a daunting challenge, it’s only going to get more difficult as we speed toward interconnectivity, the Internet of Things (IoT) and an increasing number of cloud-native processes.

The duplication problem

Too often, organisations find themselves subject to duplicate regulatory requirements, resulting in huge inefficiencies and higher compliance costs. This is what’s known as regulatory overlap, and it can overwhelm compliance teams. For instance, if more than one regulatory body shares jurisdiction over a particular set of regulatory issues, they may issue duplicate regulatory instructions. This results in businesses spending unnecessary time and resources managing duplicate controls to demonstrate their compliance.

Therefore, the challenge lies in being able to avoid spending valuable resources on duplicate regulations while still ensuring across-the-board compliance. Many businesses ensure compliance using ‘controls’, which are a defined set of practices and procedures that can be deployed in accordance with regulatory requirements. A ‘controls framework’ is usually employed to orchestrate compliance and mitigate risks and fines as a business runs its day-to-day operations. This requires a great deal of in-house talent and in-depth knowledge of the field in which the business operates, so defining how regulations should map to controls and control objectives can be incredibly challenging – not to mention expensive.
Streamlining compliance

Companies that want to avoid duplication problems, such as those caused by regulatory overlap, have several options at their disposal. They can take the time to build an in-house team of compliance experts, which would allow them to create a bespoke compliance management solution that’s efficient, streamlined and future-proofed for as long as the department keeps running. The downside of this approach is that it’s incredibly expensive. Given how rapidly the regulatory landscape changes, not all businesses can create their own in-house function.

Another option is to pay a consulting practice to build a control framework that works for your business. However, even if a business can afford the initial cost, it will be left to maintain and update the framework itself, which can lead to spiralling costs if the right expertise isn’t on hand.
Metaframeworks

By far the easiest and most affordable option for businesses is using a paid – or even free – meta-framework such as that provided by the Secure Controls Framework (SCF). The SCF is a volunteer-led organisation composed of auditors, engineers, architects, incident responders, consultants and other specialists who work throughout the cybersecurity industry. Together, they’ve taken on the ambitious challenge of creating a comprehensive catalogue of controls designed to help companies build and maintain secure processes, systems and applications. The SCF’s primary objective is to tackle inefficient siloed practices within an organisation and nudge it toward a more data-centric, joined-up approach. This allows organisations to tap into a free catalogue of controls that mirror the current regulatory landscape, ensuring their control frameworks are always up to date. SureCloud has recently partnered with SCF, offering users access to the complete SCF catalogue through the SureCloud Compliance Platform.

Learn more about SureCloud’s Compliance Management software here, which hosts the SCF metaframework, or contact us at learnmore@surecloud.com to book a demo!

Matthew Davies - VP of Product

About Matthew

Matthew Davies is responsible for the go-to-market proposition behind our GRC solution offerings and helps maximise the business value of our solutions. Before SureCloud, Matthew previously held positions in GRC implementation, pre-sales and product development at Deloitte and PWC.

About SureCloud

SureCloud is a provider of Gartner recognized GRC software and Cyber & Risk Advisory services. Whether buying products or services, your organization would benefit from automated workflows and insight from the award-winning SureCloud platform. All of SureCloud’s service offerings are fully compatible with the GRC suite of products enabling seamless integration of information, taking your risk programs to the next level.