The Four Compliance Commandments
We’ve spent a lot of time working on and thinking about Governance, Risk Management and Compliance. Whole books have been written on this subject and there are graduate-level university courses on it as well. But in the practical world, for most businesses we think the whole GRC universe can be boiled down to four basic principles that we call the Four Compliance Commandments:
1) Know Your Risks
2) Ensure Your Policies Mitigate Key Risks
3) Trust, But Verify
4) Prove It
Every CEO and Board worries about this stuff … or should, so let’s break the commandments down:
Compliance Commandment I : Know Your Risks
Every organization must understand the risks it faces if it wants to survive. Organizations tend to get in trouble when they mis-perceive the risks they are up against. Many organizations falter because they under-estimate a risk, but over-estimating a risk can be just as bad, causing an organization to miss a key opportunity.
Over the years, society has created rules designed to limit organizations from taking risks unnecessarily or unknowingly. Often these rules come from the government, but there are other rules, like the SOC2 framework, that come from other sources, like accountants or professional associations. Good examples of these include:
- Banks or credit unions must comply with regulatory requirements
- Service providers must comply with external frameworks like SOC2
- Health care providers need to show compliance with HIPAA requirements
Essentially these frameworks are checklists of risks to consider. These lists can run to a hundred or more items. Reviewing each item and assessing trends can be quite time consuming.
At Strunk we have extensively automated these checklists, making them easier to assess, easier to delegate and easier to summarize.
Compliance Commandment II : Ensure Your Policies Mitigate Key Risks
To keep your organization healthy everyone needs to understand what risks to avoid, what risks to take and under what circumstances. This is where policies come in. Policies communicate what is appropriate risk-taking behavior to your organization.
Strunk recommends organizations evaluate their policies versus the risks. Do you have policies in place that adequately address your key risks? If not, you might want to update your policies. Conversely, do you have policies that don’t really map to any of your key risks? If the answer is yes, then consider simplifying or eliminating that policy.
Strunk provides an automated tool for mapping your policies against your risks. At a glance you can then see which risks are not covered by any policies and which policies are not covering any risk. Strunk Policy Manager organizes all your policies into a relational database, with extensive version tracking, granular ownership assignment, and PDF reports for board or external use.
Compliance Commandment III : Trust, But Verify
Policies are pointless unless the organization follows them. Human nature being what it is, there is a natural tendency for people to cut corners. Too many times organizations let months or even years go by assuming that a policy is still being followed when, due to turnover or distractions or work pressure, that is no longer the case. To maintain policy effectiveness you must test periodically. You can only expect what you inspect.
Our Controls Manager automates the verification process. You create a set of control procedures for testing compliance with your policies, establish a testing schedule for these controls and assign responsibility. The system automatically schedules the testing, creates a calendar showing the month’s tests at a glance, generates alerts on upcoming or overdue tests and provides a dashboard summarizing testing status, including highlighting tests that are overdue or have failed.
You can map your controls to your policies. One control can cover more than one policy and one policy may be covered by more than one control. You can then use the maps to identify policies which need controls or controls which are no longer covering a policy and perhaps should be discontinued.
Compliance Commandment IV : Prove It
Unfortunately it is just not enough to adhere to commandments I through III. You must also be able to prove your adherence, which means abiding by what we call “the law of physical evidence”: a thing isn’t done until you can provide physical evidence that it occurred. You can’t just say you did it; your board, regulators, auditors and customers are going to want proof that you did it.
Many organizations approach this process somewhat haphazardly. They do some kind of paper-based risk assessment, write some policies, set up some checklists, fill out some forms, put some basic tracking in place … easy. The result is a patchwork of Word documents and PDFs and spreadsheets. Then they start emailing them around, and storing different versions on different computers and pretty soon you have a mess: multiple versions, unclear responsibilities, status hard to track. Managing risks, policies and controls is not rocket science by any means, but it really helps to stay organized.
We believe the best way to stay organized is to get out of spreadsheet land and move everything into a modern relational database. A relational database helps connect all the dots so you can keep track of the status of different policies and policy versions, know who is responsible for each compliance activity, log changes, produce consistent reports, provide a single source of truth, with fine-grained control over access and edit rights.
With a system like Strunk Access, when your auditors show up for their exam, you have at your fingertips your latest risk assessment, your compliance map showing how your policies map to your risks and your controls map to your policies, your log of all the changes to your policies over the past year, and a complete record of all your control testing. The result: fewer surprises, your auditors can get their work done more quickly, and your staff spends less time responding to auditor requests.