The checklist approach to regulatory compliance typically leaves businesses still vulnerable. Smart companies are putting security programs in place that provide full compliance and also establish an appropriate security profile for the business.
Even when the compliance is voluntary, as in the adoption of a best practice industry guideline or standard, the greatest value is obtained by taking more than a minimal, checklist approach.
The Downside of the Minimalist Approach
It is ironic that regulatory programs intended to improve security can end up institutionalizing security weaknesses — that is not the intent of such programs, whose general purpose is to establish a minimum level of security to help support stakeholder interests.
When compliance measures are implemented as add-ons or exceptions to normal business practices, compliance becomes a burden and an extra cost that may have little to no return except the avoidance of a regulatory fine. If security weaknesses remain in place, the business may not avoid serious security incidents.
Many companies intentionally take a “minimalist approach” to compliance. When that happens, much of the ROI for the effort is lost because the focus amounts to “comply with the letter of the requirements for the least effort and cost.” The “least effort” approach often ends up being a checklist developed by a third party, someone perhaps familiar with the business sector but not with the specific business trying to comply. “More form and less substance” often characterizes such efforts. Sometimes, the fear of an impending regulatory deadline forces a checklist approach in the belief that it will be quicker than something requiring more thought.
One of the unintended consequences of a checklist approach to compliance is that once a “compliant” status is achieved, there is usually no program or framework established to keep those compliance measures in place. As the business changes, the measures fall by the wayside, as there is no business-specific reason for focusing attention on them. When the next compliance audit interval approaches, the cycle starts again — usually in panic mode — as the poor state of compliance suddenly surfaces.
Many regulations require periodic review and verification as part of the compliance effort; however, turnover in personnel and other business change may cause the organization to lose sight of the compliance requirements. The sustainability factor simply isn’t there.
The situation described above is not the intention of regulations, but is often what occurs — especially with a 4- or 5-year interval between compliance audits or verification. This is why nearly a quarter million Internet search results are obtained for the phrase “Beyond Compliance.” The search results are a mix of articles, compliance-related software products, business and educational initiatives that come from a wide spectrum of regulated business environments. They are produced by individuals and organizations who have learned that true business value comes from looking beyond the compliance checklist and identifying how the purpose of compliance — the strengthening of the business or the safeguarding of people, property and business resources — can be achieved in a sustainable and cost-effective manner.
The common thought among them is expressed well by the opening sentence of the corporate Vision statement of the Enablon company (www.enablon.com): “We firmly believe that companies can go beyond compliance to transform regulatory requirements into value-creating instruments and, in so doing, strengthen and optimize their business.”
Establish a Management System
The key to managed and repeatable performance with regard to compliance is to establish an ongoing management process/system that maintains and improves business factors while keeping up with internal and external changes to the business. The management system must be capable of incorporating multiple compliance programs, as many companies use them to encompass several internal and external programs.
Common factors of successful compliance programs include:
- Management sponsorship;
- Assessment of program status and requirements;
- A set of management-approved goals and objectives;
- Evaluation of business risks and shortcomings;
- Participants with assigned roles and responsibilities;
- A plan for measureable business improvements;
- A plan for implementation; and
- Performance reviews and recommendations for improvement.
Note that these items are common aspects of business operations — everyday elements and actions not exclusive to compliance. This is one of the “secrets” to the management system approach — it can easily be made a part of standard business operations, which makes it sustainable.
Get Support and Involvement from the C-Suite
A management system is an outstanding way to obtain not just management support — but also active management involvement in the risk and cost decisions relating to security and regulatory compliance. An ever-popular seminar topic is “selling management on security,” but a much better approach is to engage management actively as part of the security management process.
A close examination of the mission of security reveals why this is important and also why it is easy to accomplish. The mission to reduce security risks to acceptable levels, at an acceptable cost, prompts two questions:
- Who decides what security risks are acceptable?
- Who decides what security costs are acceptable?
These are actually management decisions, not the decisions of the security director. Most security practitioners would accept the idea that their job is to perform asset protection for the organization — even if the assets being protected do not belong to security.
Dr. Gerald L. Kovacich and Edward Halibozek, authors of the book Security Metrics Management: How to Manage the Costs of an Assets Protection Program explain: “Remember, it is corporate assets and not security assets! Executive management makes the risk decisions!”
Specifically this means that business assets are the property of the business owners; that ownership has delegated the care and protection of those assets to the executive management team; and risks to business assets — and risk decisions — are ultimately the responsibility of executive management. Thus, it is the security practitioner’s job to enable management to make the right decisions. The security practitioner does not own the risk — management does — but only if they are accurately informed and advised by the security department.
An effective approach is to engage middle management first, creating a middle-management-approved risk treatment plan that can be brought to senior management. This makes the plan not just security’s, but a plan created by the business with recommendations from middle management.
By establishing a security management process that involves middle management — the operations-level decision-makers — a realistic appraisal can be developed of security risk tolerance, cost tolerance and compliance program needs across the business. The resulting risk and compliance plan is aligned with the operational needs and objectives of the business, and has support of middle management — a plan that senior management can confidently approve. Additionally, senior management can provide high-level and board-level insight and, if appropriate, adjust the planning to align with high level thinking and planning that hasn’t yet been shared with middle management.
Thus, the management system is the framework by which management makes the risk and cost decisions at appropriate levels, and through which security executes the security and compliance initiatives and programs.
Management System Maturity Model
One of the drawbacks of rushing to meet a compliance deadline is that it results in a “do everything in one big effort” situation. This is one of the factors that contribute to the checklist compliance approach, because in the face of the fast-approaching deadline, both the compliance team and management have no basis for confidence in any other method.
A maturity model provides a sensible, phased approach to putting a management system into place. If the checklist approach seems to be the only way to deal with an immediate deadline, then the overall plan should be to somehow put the minimal compliance requirements in place, and then move on to develop a management system and establish a sustainable security risk and compliance program.
To support a phased approach to management system implementation, ASIS has developed and released the Organizational Resilience Maturity Model, now an ANSI Standard (see resources sidebar). The genius of the standard is that it takes into account two realistic situations for an organization’s security program:
1. The security program consists of reactive, ad hoc activities; no clearly defined management process is in place; the overall program is an unstructured collection of security procedures and controls that provides two main metrics: costs and numbers of security incidents; performance and security-effectiveness is not visible to management or measurable; or
2. Management is (or is likely to be) skeptical of a new security or compliance “methodology” or “standard,” with concerns for cost and potential negative impact or burden on the business.
The Phases of Organizational Resilience
Using this maturity model, an organization can achieve and maintain and appropriate level of security (including compliance requirements), as well as emergency preparedness and business continuity, in a progressive approach that takes into account the current state of security risk management within the organization.
The descriptions of the maturity model’s phases are tailored for this article’s focus, and are more fully described and related to organizational resilience in the standard’s own document.
Phase One: Pre-awareness
Describes a state where there is a lack of understanding in an organization regarding one or more business functions related to security risk, such as emergency preparedness and business continuity. Realization is triggered by a disruptive event, expressed stakeholder concerns, contractual requirements, government regulations or risk assessment results — causing the organization to consider exploring a more proactive approach. Once the organization becomes aware of the need or the potential benefits of a more structured and organized management approach, it is ready for the next phase.
Phase Two: Project Approach
Management becomes willing to test the concept and establish a trial project to explore the benefits. The brilliance of this phase is that it doesn’t require a permanent commitment from management, which in some cases cannot be obtained without clear evidence that a management system approach would be of value. Attention is focused on “low handing fruit” issues, rather than on emphasizing the management system framework structure — after all, management is more interested in (and will base its decisions on) the results and value to be obtained, rather than in the details of how to obtain them.
Two things are actually being tested here: the business contribution of the management system being exercised or implemented, and the ability of the security practitioner (or whoever is the “Project Leader”) to obtain results.
Phase Three: Program Approach
Now the view shifts from specific issues to division- or organization-wide issues. Risk management applications are selected for their chances of demonstrating success and awareness. Senior management is aware of the importance of the items being addressed, and of the need for pre-planning and a systematic approach. The management system is still in a pilot testing mode, but parts of the organization are applying the elements of the maturity model and testing action plans to make a business case for implementing the management system in full.
Phase Four: Systems Approach
The pieces are put together in the iterative continual improvement process (described as Plan, Do, Check, Act or PDCA) that is the core of the management system. This is the point where the security program and its compliance elements cease to be just a collection of procedures and controls and becomes a structured program in which senior and middle management are appropriately engaged and committed to their assigned roles of organizational responsibility.
Phase Five: Management System
By this point, the management system is implemented according to its defined scope. Security management — including any compliance, preparedness and continuity elements — is considered a key component of the overall decision-making process of the business.
Phase Six: Holistic Management
The scope of the management system evolves and expands to embrace the relevant interests of all security risk-management stakeholders, including supply chain relationships and community responsibilities.
Ray Bernard, PSP, CHS-III is a contributing technical editor to STE magazine and the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. For more information about Ray Bernard and RBCS, visit www.go-rbcs.com or call 949-831-6788.