The checklist approach to regulatory compliance typically leaves businesses still vulnerable. Smart companies are putting security programs in place that provide full compliance and also establish an appropriate security profile for the business.
Even when the compliance is voluntary, as in the adoption of a best practice industry guideline or standard, the greatest value is obtained by taking more than a minimal, checklist approach.
The Downside of the Minimalist Approach
It is ironic that regulatory programs intended to improve security can end up institutionalizing security weaknesses — that is not the intent of such programs, whose general purpose is to establish a minimum level of security to help support stakeholder interests.
When compliance measures are implemented as add-ons or exceptions to normal business practices, compliance becomes a burden and an extra cost that may have little to no return except the avoidance of a regulatory fine. If security weaknesses remain in place, the business may not avoid serious security incidents.
Many companies intentionally take a “minimalist approach” to compliance. When that happens, much of the ROI for the effort is lost because the focus amounts to “comply with the letter of the requirements for the least effort and cost.” The “least effort” approach often ends up being a checklist developed by a third party, someone perhaps familiar with the business sector but not with the specific business trying to comply. “More form and less substance” often characterizes such efforts. Sometimes, the fear of an impending regulatory deadline forces a checklist approach in the belief that it will be quicker than something requiring more thought.
One of the unintended consequences of a checklist approach to compliance is that once a “compliant” status is achieved, there is usually no program or framework established to keep those compliance measures in place. As the business changes, the measures fall by the wayside, as there is no business-specific reason for focusing attention on them. When the next compliance audit interval approaches, the cycle starts again — usually in panic mode — as the poor state of compliance suddenly surfaces.
Many regulations require periodic review and verification as part of the compliance effort; however, turnover in personnel and other business change may cause the organization to lose sight of the compliance requirements. The sustainability factor simply isn’t there.
The situation described above is not the intention of regulations, but is often what occurs — especially with a 4- or 5-year interval between compliance audits or verification. This is why nearly a quarter million Internet search results are obtained for the phrase “Beyond Compliance.” The search results are a mix of articles, compliance-related software products, business and educational initiatives that come from a wide spectrum of regulated business environments. They are produced by individuals and organizations who have learned that true business value comes from looking beyond the compliance checklist and identifying how the purpose of compliance — the strengthening of the business or the safeguarding of people, property and business resources — can be achieved in a sustainable and cost-effective manner.
The common thought among them is expressed well by the opening sentence of the corporate Vision statement of the Enablon company (www.enablon.com): “We firmly believe that companies can go beyond compliance to transform regulatory requirements into value-creating instruments and, in so doing, strengthen and optimize their business.”
Establish a Management System
The key to managed and repeatable performance with regard to compliance is to establish an ongoing management process/system that maintains and improves business factors while keeping up with internal and external changes to the business. The management system must be capable of incorporating multiple compliance programs, as many companies use them to encompass several internal and external programs.