11 April 2019 by Neville Armstrong
Compliance is a vital part of ensuring that organisations move in the right direction, while creating added business value
Compliance is often seen as an organisational burden – a means of ensuring that your organisation meets the regulatory and legislative standards of the environment you operate in. The cynic might describe it as little more than a box that must be ticked in order to remain in business. However, that shows a misunderstanding of what compliance is all about. Rather than a burden, it should be considered as a statement of your organisational values and an investment in future growth.
Done properly, compliance will provide assurance to your customers that your systems and values are visible, secure and viable, hence supporting sales and driving revenue. Increasing or enhancing compliance can help increase revenue by giving you a competitive advantage over your rivals and opening up new and potentially lucrative markets. It will also reduce costly mistakes and make any lack of performance visible to senior management.
There are internal benefits too. It will ensure everyone in the organisation understands their roles and responsibilities and cement accountability. Operating best practice policies and processes that are externally audited will generate internal confidence, improving morale and increasing staff retention.
Compliance begins in the boardroom. Once your organisation has defined its corporate objectives and strategic plans, the next logical step should be to define the governance policies to support them. These might include both company values and behaviours, which frame how your staff operate, and the operational functions through which you carry out day to day operations. In other words, compliance helps you set out the roadmap for how you do business.
It is vital to obtain commitment and buy-in from the board or senior management, as investment will be needed to put the required systems and policies in place to achieve the desired standards and then to operate them. They need to understand the importance of adopting a governance framework and what this means. Put simply, it is to align business strategy, objectives and values with operational and IT functions through management systems, whilst complying with industry standards and best practices.
A further aspect of compliance which needs to be incorporated into policy and practice is your organisation’s appetite for risk. Every organisation needs to understand, and define in policy, its position on risk, and then use this to differentiate itself against its competitors and respond to changing markets while providing lasting assurance to its customers. An appetite for risk can be difficult to quantify. It requires a full understanding of assets, threats and vulnerabilities, which means considering three factors:
Having assessed the situation, the costs of putting effective compliance in place need to be considered against the costs to the business if a threat succeeds. The organisation needs to invest in the right level of resistive strength to balance against the increasing threats and threat vectors.
Being averse to risk can be extremely expensive, as overbearing restrictions mean a slow response to changing situations. However, getting it wrong can be even more costly, as too few restrictions can put an organisation’s future in jeopardy. Effective, streamlined processes will promote security and minimise mistakes; compliance will demonstrate organisational commitment; and consolidating various standards will ultimately save money through reduced internal and external audit costs.
The impacts of getting risk management wrong include:
Your risk appetite needs to be reflected in tailored management systems such as a Quality Management System (QMS), or in an Information Security Management System (ISMS) where IT security is key to business development and sustainability. Organisations that wish to focus on customer satisfaction may implement a Service Management System (SMS), and those that want to assure their community and ethical values may want, or need, to implement an Environmental Management System (EMS). All these systems need to consider and address risk and its management.
All these systems must be tailored to align with your corporate goals. This may mean introducing policies, processes and procedures that are unique to your organisation. There is no need to reinvent the wheel, as existing standards provide a basic framework, but these must be streamlined and tailored to your specific needs to extract value.
You may also need to comply with best practice and so should align your management systems with industry standards (e.g. ISO) whenever appropriate. It is important to be aware that achieving and maintaining industry standards is a costly undertaking. Once you have met the standard and obtained the badge, your customers will expect you to maintain it, which will require regular surveillance audits and updates to the system. However, once you have achieved specific standards, this may open up new business opportunities and hence revenue streams.
One approach we have successfully implemented in our own organisation to streamline governance is to consolidate our security, quality, environmental and service management systems (the ISO 27000 series, ISO 9001, ISO 14001 and ISO 20000). This means that we now, in certain areas, have single policies to manage instead of multiple policies across different systems.
Having defined the policies and procedures, you apply governance to review your organisation’s compliance to these policies. This is not a one-off activity, but requires continual service improvement to steer the organisation in the right direction.
Getting compliance right requires everyone to recognise and understand the roles and responsibilities involved. As already mentioned, it is not a one-off activity, but has to be part of business as usual. It therefore needs support and buy-in throughout the organisation, and requires a team comprising different levels of capabilities to plan, design, build, operate, monitor, react and improve governance and compliance.
This requires specific skills and experience, which may mean engaging external organisations to supplement internal knowledge. This could include an initial audit to assess the current situation; support for implementing specific systems; and working with experts on specific standards and regulations which the organisation would like to achieve.
Regulation, internal strategy, technology and threats do not stand still, so governance, risk and compliance need to at least keep pace. In our opinion, the following are the five greatest threats to maintaining operational compliance.
The first is software management and patching, which needs to be kept continually up to date. Despite continued high-profile incidents such as the WannaCry ransomware outbreak, which spread through a Windows SMB vulnerability for which Microsoft had released a patch two months earlier, we find many organisations we speak to have let their patching regime slide. Sometimes the problem is lack of resources, while for others it is put into the 'too difficult' box. There are a number of ways to address this. Patching can be automated using tools that provide reporting and auditing as well as patch deployment, and the time and resources required to set the tooling up are quickly repaid by removing constant manual activity; the reports also give auditors the evidence of compliance that a manual process rarely produces. Patching can also be provided by a third party as part of a managed service, and is now available through cloud-based services (patching as a service).
Suppliers can also be a source of risk. It is vital to ensure that all suppliers in your organisation's supply chain (including cloud providers) align with your risk position. Suppliers should be categorised depending on your reliance on them, with critical suppliers having, at a minimum, the same security governance and compliance as your own organisation.
Access management – the aligning of rights and privileges with job roles – is another area that requires continual monitoring. The most effective solution is to assign everyone the least privilege they need on each individual system, with a clear process to elevate rights on approval and to revoke them again afterwards. There should also be the ability to monitor and log both successful access and failed access attempts.
Closely aligned to this is user management. Systems need to be in place to detect and create alerts for abnormal user behaviour, with everyone fully aware of threats and threat vectors. This requires robust cyber security training and awareness and acceptable use policies linked to HR policies. Training needs to be ongoing to ensure all new cyber threat vectors are understood by users and mitigated.
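As an added example of the logging and alerting the two paragraphs above call for (it is not code from the original article), the script below runs a few detection rules over constructed, syslog-like access records: a burst of failed logins from one user and source, a successful login straight after such a burst, privilege elevation with no approval ticket recorded, and elevation outside business hours. The log format, the field names, the `ticket=-` convention for "no approval", the thresholds and the 08:00–18:00 business-hours window are all assumptions chosen for the illustration, and the sample lines are constructed rather than taken from any real system.

```python
"""Rule-based alerting over access-log lines (added example, hypothetical log format)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: 'TIMESTAMP key=value ...' per line. Not real data.
SAMPLE_LOG = """\
2019-04-10T08:02:11 host=fileserver user=alice action=login result=success src=10.0.1.20
2019-04-10T08:03:15 host=fileserver user=alice action=read path=/finance/q1.xlsx result=success
2019-04-10T22:41:03 host=fileserver user=bob action=login result=failure src=10.0.9.77
2019-04-10T22:41:09 host=fileserver user=bob action=login result=failure src=10.0.9.77
2019-04-10T22:41:14 host=fileserver user=bob action=login result=failure src=10.0.9.77
2019-04-10T22:41:20 host=fileserver user=bob action=login result=failure src=10.0.9.77
2019-04-10T22:41:25 host=fileserver user=bob action=login result=failure src=10.0.9.77
2019-04-10T22:41:31 host=fileserver user=bob action=login result=success src=10.0.9.77
2019-04-10T22:42:00 host=fileserver user=bob action=elevate ticket=- result=success
2019-04-10T09:15:00 host=fileserver user=carol action=elevate ticket=CHG-1042 result=success
"""


def parse_log(text):
    """Parse lines of 'TIMESTAMP key=value ...' into dicts sorted by time.

    Lines without a parseable ISO timestamp are skipped rather than crashing
    the detector: a malformed line must not stop alerting on the rest.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # malformed line, skip it
        event = {"ts": ts}
        for kv in parts[1:]:
            if "=" in kv:
                key, value = kv.split("=", 1)
                event[key] = value
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, fail_threshold=5, window=timedelta(minutes=2),
           business_hours=(8, 18)):
    """Return a list of alert dicts for the rules described in the text.

    Thresholds and the business-hours window are assumptions for the example.
    """
    alerts = []
    recent_failures = defaultdict(deque)  # (user, src) -> failure timestamps in window
    burst_flagged = set()                 # (user, src) pairs already alerted on

    for ev in events:
        key = (ev.get("user"), ev.get("src"))
        action, result = ev.get("action"), ev.get("result")

        if action == "login" and result == "failure":
            q = recent_failures[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= fail_threshold and key not in burst_flagged:
                burst_flagged.add(key)
                alerts.append({"rule": "failed_login_burst", "user": key[0],
                               "src": key[1], "ts": ev["ts"], "count": len(q)})

        elif action == "login" and result == "success" and key in burst_flagged:
            # A success right after a burst of failures is the classic
            # brute-force / password-spray signature and deserves its own alert.
            alerts.append({"rule": "success_after_burst", "user": key[0],
                           "src": key[1], "ts": ev["ts"]})

        elif action == "elevate" and result == "success":
            # Policy (assumed) requires an approval ticket for every elevation.
            if ev.get("ticket", "-") == "-":
                alerts.append({"rule": "elevation_without_approval",
                               "user": ev.get("user"), "ts": ev["ts"]})
            start, end = business_hours
            if not (start <= ev["ts"].hour < end):
                alerts.append({"rule": "out_of_hours_elevation",
                               "user": ev.get("user"), "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, the detector raises four alerts, all for `bob`: the failed-login burst, the success that follows it, an elevation with no ticket, and an elevation at 22:42. `carol`'s ticketed, in-hours elevation and `alice`'s normal activity raise nothing, which is the point of tying the rules to the approval process and business hours rather than alerting on every elevation.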
Finally, it is vital to securely manage access to company resources from mobile and other devices, especially where use of staff's personal devices is permitted (e.g. BYOD, BYOT and the IoT). Two-factor authentication (2FA) should be implemented, along with mobile device management (MDM), mobile application management (MAM) and mobile information management (MIM) where data security is important. 2FA protects the credential, not the device, so some form of device registration or management is still needed to stop company data being copied into uncontrolled apps.
With the correct policies and controls that are aligned to your organisational goals and are integrated, interactive, streamlined and verifiable, compliance can be considered an investment rather than a burden, as it will add value to your business.
To summarise, you should: