Reciprocity eBook Insiders Guide to Compliance

Transcript of Reciprocity eBook Insiders Guide to Compliance

Compliance mitigates the risk of uncertainty about the future. You create compliance when you want to limit negative outcomes. Often regulators and market pressure create compliance requirements to mitigate these risks. Organizations use frameworks to embed controls that help them abide by compliance rules. Unfortunately, compliance can turn an organization into a bureaucratic system. Instead of seeing a realm of possibilities, organizations view everything through a risk lens. At this point, any deviation from the standard, acceptable process meets the ubiquitous "no".

Agility is at odds with compliance because it strives to find the "yes" in resolving problems. Some companies use agility to adapt to the market and view change as a constant. This means taking your best resources and using them to create new, innovative capabilities. Organizations that apply agility often view problem solving as a creative process. Working together requires flexibility and the ability to focus on the problem at hand. Following set standards and restricting agility reduces the team's alacrity. The goal of agility is thus not to mitigate risk but to transform that risk into a strength.

AGILITY VS. COMPLIANCE

CHAPTER 1

WHERE DO YOU FALL ON THE SPECTRUM?

Organizations that are experiencing high growth know that they will outgrow their processes. The standard way of doing things evolves and the organizational structure is fluid. They want the high growth for as long as possible because it means that they are capturing market share. Even if this comes at a loss of cash flow, growth is preferable because it does not last forever. When competitors arrive and the economic environments change, growth becomes more difficult to maintain. During high growth, implementing compliance can be like adding water to a nascent campfire.

On the opposite end of the spectrum are organizations using risk management. Organizations that have an established product or service can maximize profits. Risk management evaluates threats from internal and external sources. It works towards standardizing the process to minimize deviations that could lead to errors. In some regulated industries, compliance is a barrier for entry. The way of doing things seems to become the only way of doing things.

This dichotomy between high growth and compliance can create a difficult choice. Do you elect to continue a high growth strategy or pursue a path towards compliance? One recommendation is to treat this decision as a sliding scale. Find the balance to best fit your current business model.

[Figure: a spectrum with Risk Management at one end and Growth at the other.]

COMPLIANCE HELPS MITIGATE THE RISK OF DATA LOSS, THE RISK OF A PROCESS FAILING, OR RISK OF ERRORS.

These risks are mitigated when companies follow a compliance framework. Compliance frameworks outline best practices that help mitigate the risk, also known as controls. Controls are steps added to the process that monitor the risk of something negative occurring. The frameworks have to fit a wide array of companies across various industries, so they need to be both broad enough to implement and specific enough for an examiner to test.

[Figure: Growth vs. Agility. Axes labelled Growth and Agility; the curve is labelled Compliance.]

When implemented, compliance dampens growth and constrains agility. A new curve flattens out.

Compliance is not a bad thing. With many large corporations providing a myriad of services, the risk of failure can be high. For example, in a critical sector such as finance there is a lot of oversight to protect consumers. Companies listed on public exchanges contain a large part of our retirement investments. This can result in more compliance, oversight, and audits. Organizations providing B2B services need to establish trust with their customers.

Compliance offers a baseline in the marketplace that establishes a level playing field. Yet, often the regulatory bodies are slow to adapt to changing technology risks. Take for instance new threats presented by cyber-security. Even the best designed security architecture run by the best security experts can fail. The key is to articulate the business driver and catalyst for compliance.

If this is your first foray into compliance, below are some common terms and definitions:

• Compliance – adherence to a set of rules established by a regulatory body

• Risk – the chance that a negative outcome, financial loss, or error can damage the organization

• Control – a step in the process that monitors and mitigates risk

• Audit – an examination performed by an independent third-party that verifies the guidelines outlined by a regulatory body

• Attestation – like an audit, except that the organization and the third-party examiner share responsibility for an inaccurate examination

• Framework – an approach with risks, controls, and processes to put in place a compliance model

• Regulatory body – the organization that defines the rules and methods to verify the rules

• Standard – the specific law, rules, or requirements that make up the scope during an examination

• Scope – the boundaries to examine, which are usually dictated by a regulatory body

When it comes to compliance, you need to assess the pros and cons. The decision should not be an all or nothing. Instead, you should approach compliance as a point on a maturity curve. This will help you identify the steps to ease you into a new organizational design. Striking a balance between compliance, high growth, and agility will be a prudent choice.

One of the first factors to consider is going public. Compliance is necessary for all public companies. Regulations and laws such as Sarbanes-Oxley require audited controls around your financial processes. This includes your general IT controls. Thus, the initial consideration should be the business purpose driving compliance needs.

Another area of consideration is B2B relationships. These bonds need trust to empower companies to work together. But due to the increasing threat from hackers, cyber-security is altering compliance. Companies are asking more questions about the security of the systems they purchase. However, compliance does not equal security. This creates another lackluster outcome for organizations that look at compliance as their panacea. For this reason, you should understand your compliance path. You should balance your compliance needs and wants to protect your organization's agility.

Are you pursuing customers and markets that require compliance? Compliance has a maturity curve, which means you can still submit an RFP and market into these new segments. As you move along the maturity curve and implement additional compliance practices, your sales pipeline and market size will grow and new opportunities will be available to you. This is how you can use the compliance maturity curve to your advantage.

Most people think of compliance as a Boolean variable of Pass or Fail. But, this is not the case because compliance has many shades of grey. Your auditor is unlikely to offer this view because they are not trained in thinking of it as a grey zone. Auditors prefer boundaries. They use checklists because it makes examining controls a lot easier. Often, they will use less experienced resources to perform the bulk of the work. If you select an audit firm based on the lowest price, expect less experienced resources.

The compliance frameworks are also robust. They are not designed to be implemented piecemeal. The size of your organization (revenue or market capitalization) is not a factor. Your auditor will compare the guidelines and rules to your processes. Those rules leave little to no wiggle room to tailor the framework.

This is where the compliance maturity curve comes in handy. It can serve as a roadmap to help drive your compliance using strategic thinking. Each level is a progression along the maturity curve. Begin with the first level. Track your return on investment and ease your organization into the realm of compliance. Even at the most basic level, there will be a benefit that you can point to. This approach will not overwhelm your organization. Begin early and progress at a reasonable pace.

COMPLIANCE MATURITY CURVE

CHAPTER 2

Level 1

You do not have customers asking for compliance. The product or service is about one year away from reaching critical mass. You have not yet picked a compliance domain. For the organization, this may be the first time working with compliance.

Consider pursuing the following tasks:

• Risk Assessment

• Penetration Testing

• Vulnerability Scans

• Gap Assessment

[Figure: Compliance Maturity Curve. Axes: Compliance Maturity vs. Time, with Level 1 through Level 5 marked along the curve.]

The compliance maturity curve helps organizations ease into compliance and maximize their investment.

Risk Assessment Defined

A risk assessment should be tailored to each organization. There are open source templates that help organizations through a self-assessment. With this task, you make a list of all your risks (business and technical). You evaluate each risk based on the likelihood it will occur and the impact it would have on your organization – think High, Medium, and Low risk labels. You then plot the variables and determine how much risk appetite you want to accept. For any items with a higher risk than your risk appetite, you put a plan in place to mitigate the risk. This helps you to be more aware of the risks and communicate your risk threshold to the organization.
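As an added illustration of the likelihood/impact plotting described above (example code written for this transcript, not from the eBook), a small risk register is scored on the High/Medium/Low scale and compared against a chosen risk appetite; the risk names and ratings are constructed.

```python
"""Constructed example: a minimal risk register evaluated against a risk appetite.

Likelihood and impact use the High/Medium/Low labels from the text. A risk whose
combined rating lands above the appetite is flagged for a mitigation plan.
"""
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    kind: str          # "business" or "technical", as the text splits them
    likelihood: str    # High / Medium / Low
    impact: str        # High / Medium / Low


def rating(level: str) -> int:
    """Map a High/Medium/Low label (any case, surrounding spaces ok) to 3/2/1."""
    try:
        return LEVELS[level.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown level {level!r}; use High, Medium or Low") from None


def score(risk: Risk) -> int:
    # Likelihood x impact on a 1..3 scale gives 1..9: the grid you "plot" in the text.
    return rating(risk.likelihood) * rating(risk.impact)


def label(s: int) -> str:
    """Collapse a 1..9 score back onto the High/Medium/Low labels used in the text."""
    if s >= 6:
        return "High"
    if s >= 3:
        return "Medium"
    return "Low"


def needs_mitigation(register, appetite: str):
    """Return the risks rated above the appetite, highest score first.

    A risk rated exactly at the appetite is accepted, not flagged; only the
    items above the threshold need a mitigation plan.
    """
    threshold = rating(appetite)
    flagged = [r for r in register if rating(label(score(r))) > threshold]
    return sorted(flagged, key=score, reverse=True)


# Constructed sample register (hypothetical entries, not from the eBook).
REGISTER = [
    Risk("Single payment-processor dependency", "business", "Medium", "High"),
    Risk("No offsite backups of customer data", "technical", "Low", "High"),
    Risk("Unpatched internet-facing web server", "technical", "High", "High"),
    Risk("Key engineer leaves", "business", "Medium", "Medium"),
    Risk("Office printer outage", "business", "High", "Low"),
]

if __name__ == "__main__":
    for r in needs_mitigation(REGISTER, appetite="Medium"):
        print(f"{label(score(r)):6} {score(r)}  {r.kind:9} {r.name}")
```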

Penetration Testing Defined

If possible, hire an external firm to attempt to break through your security. This test can apply to your public facing side (website or external network), as well as internally (internal network or phishing). You can dictate the amount of information you provide to the firm. Providing less information creates more work for the tester in the exploratory phase, which may lead to lower value findings. You should scope the engagement to include only those components of your solution or network that you think appropriate. It is okay to start with a small footprint and focus on closing any findings first. You can always expand that scope and fit this testing as a recurring task.

Vulnerability Scans Defined

One of the least costly tests involves a scan of your network and applications. This can detect “holes” in your network security and help you avoid some cyber-attacks. This is typically automated using software and can result in many findings on the initial scan. Many of these could be false positives, which will require you to begin tracking them and excluding them in future scans.

Gap Assessment Defined

Before embarking on a compliance assessment, you should consider a gap assessment first. A gap assessment includes hiring a firm that is experienced in the type of audit you need. Begin with one domain at a time. Focus the gap on understanding what is required to be compliant. Ensure that you explore each domain that you think would be a good fit before you agree to undertake a full assessment in that domain. Sometimes it can help to use a workshop style engagement. You visit multiple domains, without going into too much detail on any specific domain. This can give you a better sense of all the options available to your organization. It will also help develop the business case for electing to begin the full assessment process. Where possible, avoid jumping into more than one domain at a time. Try to always perform a gap assessment when embarking on a new domain. Involve a broad group of stakeholders to develop team consensus. Each team should understand both the business case and compliance requirements.

Level 2

You have some customers asking for compliance. Your product or service is sold across several verticals with no clear focus area emerging as a core compliance need yet.

• Gap Assessment

• Letter of Intent from Auditor

• Remediation Plan (if any gaps found)

Gap Assessment Defined

(See Level 1 definition)

Letter of Intent from Auditor Defined

This option is not well communicated across audit firms and some audit firms may not agree to this. If you ask for a letter of intent, they should be able to provide one after you have a signed engagement. The letter is usually quite short, describing the services you contracted the audit firm to perform. The letter may have the audit firm's letterhead and include a point of contact. It will not state any opinion or conclusion. Share this letter with interested parties asking to know more about your compliance status. It can also help remove friction in the market. This letter can be helpful in winning a competitive bid or contract. It shows your intent to be compliant. Once you share this letter, the reader will expect you to progress towards compliance.

Remediation Plan Defined

In most cases, you will have findings. Remediating the findings takes time. For example, if you need to create a new policy and procedure, it can take a week or two to write a new document. If you need to hire a new resource to strengthen the process, it could take several weeks. Some gaps do not have to be closed right away. You have an opportunity to respond to those gaps. Yes, it will result in a non-compliant report, but if you have proper justification, the reader of the report will understand the gap. You should always have a plan underway and work towards resolving all gaps. However, do not feel pressured to fix everything all at once. Work with your auditor and those parties requesting the compliance report. You should be in control of the process to ensure you make the changes when you are ready.

Level 3

You have an immediate need to be compliant (either a Request for Proposal or major partner is requiring it).

• Compliance Readiness (project should be inflight)

• Internal Auditor or Internal Compliance Team in Place

• Strong Grasp on the Controls to Track to Compliance

• Focusing on One Compliance Domain and Establishing it as Your Foundation

• Letter of Intent from Auditor

Compliance Readiness Defined

You should have a project that is managing compliance. Projects help implement changes in organizations. Your compliance efforts will change the organization and should have its own project assigned to manage the change. By using a project approach, you will have a business case and a project plan to evaluate your compliance readiness. Prioritize the changes required and maximize the impact to be effective. A communication plan should be in place to alert stakeholders.

Without the proper change management in place, your compliance project will take longer and cost more money.

Internal Auditor or Internal Compliance Team in Place Defined

Once you begin a compliance process, you should expect to maintain it. Some domains require annual assessments while others have a schedule over several years. You should either hire a compliance professional or assign a team the responsibility of compliance. Strong governance should be in place that will empower the team. They will need to make changes to processes and organizational design that will be difficult. Especially when you are tracking to a prospective customer’s timeline, you need to invest in this area to secure a favorable outcome.

Strong Grasp on the Controls to Track to Compliance Defined

Before you begin any assessment, you need to understand the requirements. Never start an audit without having the controls documented and well understood. Read through the controls to understand the requirements and expectations. Track your progress to each specific control. As you begin to add more domains to your scope, the control mapping will help identify overlaps that you can label as common controls.

Focus on One Compliance Domain and Establish it as Your Foundation Defined

It can be tempting to group several domains into one audit. Intuitively it feels like there would be a lot of overlap. Although this may be the case with some domains, there are too many nuances between each domain. Regulatory bodies compete to make their framework the best. This creates changes and customizations that are not apparent. It is better to begin with one domain and make it your foundation. This domain should be the one that aligns to your business and should set the tone for investing in compliance. As you add more domains to your compliance portfolio, the foundation domain will be the key to making it easier to add an incremental domain. You will have a baseline to compare new, eligible audit domains. The stronger your foundation, the easier it is to build on top of it.

Letter of Intent from Auditor Defined

(See Level 2 definition)

Level 4

You have passed one compliance audit domain. You are asked to add additional audit domains to your compliance portfolio.

• Dedicated compliance staff to manage vendors, findings, and schedule audits

• Central repository for tracking requests, evidence, and control evidence

• Seeking multiple auditors to provide competitive quotes

• Additional Gap Assessments as a precursor to new domains (one gap assessment for each new domain)

• Project Plan for remediation, audit scheduling, and staffing resources assigned to support audit

Level 5

You have a number of audits that are required by customers that you cannot afford to fail.

• Dedicated compliance team with organizational structure to oversee process

• Sophisticated Governance Risk and Compliance (GRC) system in place

• Dotted line to the Board of Directors with constant updates to the audit committee

• Multi-year commitments with both external and internal auditors

• Compliance consolidation and leveraging a single point of contact becomes a priority

The compliance curve is a reflection of the type of experience organizations go through before they are compliant. Most organizations fail to reach compliance maturity without making mistakes. However, these mistakes teach them lessons that help improve their approach. The more skilled the person managing compliance is in dealing with auditors, the more success they will enjoy.

Sophisticated compliance managers know how to deal with auditors. They know when to push back on findings. They can spot pedantic procedures and convert them into useful, sustainable processes. Auditors do not gain much by failing an organization so there is always some room for dialogue. Bullying an auditor can sometimes work, but this should never be the norm. In the long-term, the auditors will rotate and future auditors may not be so easily bullied. You may find yourself failing an audit because the previous pushover auditor moved on and you have to face the reality of a non-compliant environment. Usually this also carries the risk of financial penalties.

TIPS

Depending on the size of the audit firm you hire, you can use letters of intent to your advantage. The letters of intent state that the audit firm will perform an audit. They do not express a conclusion and are only a paragraph or two. However, these can be useful to remove friction in the marketplace with prospective and current customers. It confirms your intent and buys you extra time (usually 6-18 months) to perform a gap analysis, remediate findings, and pass the assessment.

When undertaking an audit, you might fail some of the controls. It is okay to receive less than a 100% grade. For overachievers, this can be difficult because the findings are usually presented in red font at the top of the report. They stand out and make you look bad. Yet, those findings show that the process was followed honestly. Many organizations have findings and the exception is to have zero findings. It is also appropriate for you to comment on those findings and explain your response to the gap. This shows your maturity and understanding of the process.

It also helps the reader of the report if you contextualize the findings. You can provide a backdrop along with a business justification behind your reason. Customers that want new features are going to understand that the process for change management may be weaker, such as implementing highly desired features by circumventing the compliance-driven waterfall method. You can explain the rationale for your decision, while maintaining your agility and high growth strategy.

Compliance nirvana is a state that will take time. You will need to measure the tradeoff between agility and growth. Each step along the way will build your confidence that you can strike the right balance. The better you can manage the change, the more in command you will be of the final outcome.

COMPLIANCE AGILITY REQUIRES AGILE TOOLS.

Trying to figure out if there is a tool out there that will fit your compliance needs? Talk to one of our GRC experts.

Visit us online at www.reciprocitylabs.com.

CONCLUSION