Think Outside the Box

How to get past checklists and find real ROI in regulatory compliance


Common factors of successful compliance programs include:

  • Management sponsorship;
  • Assessment of program status and requirements;
  • A set of management-approved goals and objectives;
  • Evaluation of business risks and shortcomings;
  • Participants with assigned roles and responsibilities;
  • A plan for measurable business improvements;
  • A plan for implementation; and
  • Performance reviews and recommendations for improvement.

Note that these items are common aspects of business operations — everyday elements and actions not exclusive to compliance. This is one of the “secrets” to the management system approach — it can easily be made a part of standard business operations, which makes it sustainable.

Get Support and Involvement from the C-Suite

A management system is an outstanding way to obtain not just management support but also active management involvement in the risk and cost decisions relating to security and regulatory compliance. An ever-popular seminar topic is “selling management on security,” but a much better approach is to engage management actively as part of the security management process.

A close examination of the mission of security reveals why this is important and also why it is easy to accomplish. The mission to reduce security risks to acceptable levels, at an acceptable cost, prompts two questions:

  • Who decides what security risks are acceptable?
  • Who decides what security costs are acceptable?

These are actually management decisions, not the decisions of the security director. Most security practitioners would accept the idea that their job is to perform asset protection for the organization — even if the assets being protected do not belong to security.

Dr. Gerald L. Kovacich and Edward Halibozek, authors of the book Security Metrics Management: How to Manage the Costs of an Assets Protection Program, explain: “Remember, it is corporate assets and not security assets! Executive management makes the risk decisions!”

Specifically, this means that business assets are the property of the business owners; that ownership has delegated the care and protection of those assets to the executive management team; and risks to business assets — and risk decisions — are ultimately the responsibility of executive management. Thus, it is the security practitioner’s job to enable management to make the right decisions. The security practitioner does not own the risk — management does — but only if they are accurately informed and advised by the security department.

An effective approach is to engage middle management first, creating a middle-management-approved risk treatment plan that can be brought to senior management. This makes the plan not just security’s, but a plan created by the business with recommendations from middle management.

By establishing a security management process that involves middle management — the operations-level decision-makers — a realistic appraisal can be developed of security risk tolerance, cost tolerance and compliance program needs across the business. The resulting risk and compliance plan is aligned with the operational needs and objectives of the business, and has the support of middle management — a plan that senior management can confidently approve. Additionally, senior management can provide high-level and board-level insight and, if appropriate, adjust the planning to align with high-level thinking and planning that hasn’t yet been shared with middle management.

Thus, the management system is the framework by which management makes the risk and cost decisions at appropriate levels, and through which security executes the security and compliance initiatives and programs.

Management System Maturity Model

One of the drawbacks of rushing to meet a compliance deadline is that it results in a “do everything in one big effort” situation. This is one of the factors that contribute to the checklist compliance approach, because in the face of the fast-approaching deadline, both the compliance team and management have no basis for confidence in any other method.