Compliance is often an overused term, used to describe many different things. This can be a vexing problem for modern businesses to get on top of because they are beset by a bewildering number of compliance requirements acting upon them. A good place to start is the dictionary definition, but even that can vary:
· The act of complying with a wish, request, or demand; acquiescence (American Heritage)
· A disposition to yield to or comply with others (Collins)
· The act or process of complying to a desire, demand, proposal, or regimen or to coercion, or conformity in fulfilling official requirements (Merriam-Webster)
· The action or fact of complying with a wish or command, or the state or fact of according with or meeting rules or standards (Dictionary.com)
There are many others along a similar theme, but as they relate to business they all seem to have things in common: some party has a “requirement” that needs to be met, and the organization concerned must be able to “evidence” that it meets it. For the purpose of this blog I’ll be using a definition I’ve created:
“The act or state of an entity demonstrably meeting a singular or set of requirements, by means of evidence” (Ralph O’Brien)
There are different requirements that an organization must be able to evidence it “complies” with. These can come from multiple sources, such as:
· Policy – Management intentions (a “Health and Safety” policy)
· Procedure – Internal process documents (a “new starters procedure”)
· Contractual – Requirements specified by customers and partners, such as a requirement to settle accounts within 90 days of purchase
· Regulatory – Normally set by a regulator, like the United Kingdom’s “Financial Standards Authority”
· Industry – Specific standards created by peers for a sector, such as the Payment Card Industry Data Security Standard (PCI DSS)
· Legislation – Laws such as the United Kingdom’s “Data Protection Act 1998 c29”
· Standards – These can vary from internal standards, through to national and international standards, such as ISO 9001:2008, the international standard requirements for a Quality Management System.
Complying with any of these may prove to be a different thing depending on the context. For example, some laws and standards are binary YES/NO decisions.
Consider the following statement: “The organization SHALL have an annually reviewed policy.” An organization could either provide evidence to support this or be unable to evidence it, leading to a clear statement of conformity or nonconformity.
However, the statement “The organization SHOULD have an annually reviewed policy” does not contain a mandatory requirement, and therefore there is nothing to “comply with.” (Also note that in neither case does the statement look at the quality or content of the policy, simply its existence and review cycle.)
Not all requirements are created equal. While some are very prescriptive and exacting, others require interpretation and mean that the organization must work out what the requirements mean for it specifically. Generally speaking, the more focused and smaller the group a requirement applies to, the more specific it can be (for example, an internal standard on a computer build), and the wider the requirement applies, the less specific it can be (for example, an international standard on management systems). Conversely, the wider and more general the requirement, the more consensus and recognition it achieves. Smaller requirements, which can be much more specific and demanding, do not have the same level of recognition, as fewer individuals typically sign up to them and recognize their value.
Generally four types of evidence exist, each with a different level of weighting attached to it:
· Documents – Policies and procedures
· Records – Evidence that a documented process has actually been carried out
· Interviews – Individuals’ understanding of specified requirements
· Observations – Things seen and noted, such as physical adherence to requirements
So taking the example of physical security requirements: in terms of documentation there could be an access control policy and a visitor-handling procedure. For records there may be CCTV tapes or visitor log books. We may interview the security officer and the receptionists/security guards, and finally observe the process, watching the handling of visitors and checking whether people sign in and out, wear ID badges, are issued with access tokens, etc.
Not only can each of these types of evidence be gathered and compared against the requirements the organization faces, they can also be compared against each other for internal process conformity. To secure continual improvement, it is useful for the organization to assess not only whether its documentation meets an external standard, but also, internally, whether individuals are aware of the requirements that influence their delivery, and to observe whether those requirements are followed in working practice. Often proving compliance is reduced to an exercise in documentation. This is rarely enough: as in the example above, an access control policy alone does not show whether the practices are in place and operating effectively.
Demonstrating compliance can be difficult for organizations, and “knowing yourself” in terms of business intelligence is often resource intensive and ignored. It takes a good management team to “listen” as much as they “talk”, and take action to achieve continual improvement. The question that most businesses have to answer is twofold:
1) Who do we have to prove compliance to?
2) What level of assurance do they require?
In answer to the first question, the stakeholders will vary according to the requirement, but can be the following:
· Internal Management
· Independent third parties
And for the second question, the assurance levels tend to be grouped into 1st, 2nd or 3rd party assurance:
· 1st Party – Internal assurance and self-certification, such as audits, measurements and metrics
· 2nd Party – Partner verification, such as supplier audits and customer Service Level Agreements (SLAs)
· 3rd Party – Independent assessments from a regulator, standards body, external consultant
Clearly these are all relationships that require trust to be verified between the parties, and both the “level of compliance” and the “success criteria” should be specified to the target organization before any assurance mechanism is delivered. The output should be transparent and usable so that organizations can improve.
Clearly compliance is a massive issue for organizations in “proving” their credentials, trustworthiness, and ability to perform in today’s business environments. This places a large overhead on businesses, and compliance often becomes a dirty word within an organization, as meeting requirements and proving that they are in place all takes up resources. However, what most organizations miss is the advantages they can achieve by putting in place robust measures to achieve compliance. Organizations can stand out in their marketplace, achieving competitive advantages, trust, and assurance, enabling them to go to market with confidence and defeat competitors who operate with less transparency.
Within a collaborative environment, where users can create their own content and are given great degrees of leeway in how this content is to be managed, creating, proving, enforcing and maintaining compliance can be difficult. Obviously the more control you try and deliver, the harder it becomes to carry out the basic business functions, and the less control you introduce the greater the risk of non-compliance and suffering harm as a result – be this legal action, regulatory fines, policy breaches or otherwise.
Here at AvePoint, we created AvePoint Compliance Guardian, our solution to enable compliance professionals to scan content, report on compliance issues and fix areas of non-compliance – and more than this, to ensure that rules are enforced to educate and direct user behavior. Our goal is to make it easier for individuals to be compliant than non-compliant and to ensure that compliance can be repositioned from a “business problem” to a “business enabler” through automated solutions.
Interested to learn more about Compliance Guardian? Visit our website today.