Compliance can add value to a business. It plays a vital role in ensuring an organisation moves in its desired direction — yet too often it is seen as a burden rather than an asset to the business. True compliance goes well beyond simply meeting the requirements of regulatory frameworks. It should be viewed as a statement of organisational values and an investment in future growth.
Obtaining the full value from compliance means that it must start in the boardroom. Once an organisation has defined its corporate objectives and strategic plans, the next logical step should be to define and implement the governance policies to support them, which requires commitment and buy-in from the board or senior management. They need to understand the importance of adopting and complying with an effective governance framework and what this means in practice: aligning business strategy, objectives and values with operational and IT functions through management systems, whilst complying with industry standards and best practices.
Putting effective compliance in place begins with a clear understanding of what it involves. There are three types of compliance:
1. Standards, or external compliance — the mandatory regulations and standards that organisations have to comply with to effectively operate their business, such as PSN, PCI, HSCN, ISO 27001 and Cyber Essentials Plus.
2. Organisational compliance — internal compliance to business objectives and business values.
3. Supplier compliance — such as trust in the supply chain.
Standards compliance may open up new opportunities
Compliance with external standards is the most widely understood aspect of compliance, and ensures that an organisation has implemented what is universally seen to be best practice. It can enable processes to be simplified and, if audited regularly, is likely to be more enforceable and applied more consistently. However, while external standards provide a basic framework, the policies and processes that support them must be streamlined and tailored to the organisation’s specific needs and strategic direction to extract their full value.
Achieving and maintaining industry standards also comes at a cost. Once an organisation has met a standard, customers expect this to be maintained, which requires regular audits and updates. However, achieving specific standards may open up new business opportunities and hence support new revenue streams. For example, Cyber Essentials is increasingly required when pitching for public sector contracts.
Implementing a system to comply with one standard or regulation will also create interfaces to other standards. For example, if an organisation has to create an access control policy for Cyber Essentials Plus, this could be written and implemented in a way that conforms to ISO 27001, which may be required in the future. Similarly, creating an incident management policy for compliance with ISO 20000 could include workflows to manage security incidents that align with ISO 27001.
One effective approach to help streamline standards governance and compliance is to consolidate the security, quality, environmental and service management systems (ISO 27000, ISO 9001, ISO 14001 and ISO 20000). This enables an organisation to maintain a single policy for each area instead of multiple policies across different systems. A streamlined environment with no or minimal non-conformance means a lower spend on remediation.
Internal compliance helps to set your business roadmap
Internal compliance can be summarised as ‘here’s a list of the things we do as an organisation and the proof that we actually do them’. These might include both company values and behaviours, which frame how staff operate, and the operational functions through which the organisation carries out its day-to-day work. This is the value of compliance in helping to set out the roadmap for how an organisation does business.
Done properly, this provides assurance to customers that an organisation’s systems and values are visible, secure and viable, and could give it competitive advantage over its rivals if they cannot provide the same assurance.
There are internal benefits too. It ensures that everyone in the organisation understands their roles and responsibilities and cements accountability, reducing costly mistakes and making any lack of performance visible to senior management. Operating best practice policies and processes that are externally audited also generates internal confidence, improving morale and increasing staff retention.
Internal compliance should also incorporate the organisation’s attitude to risk into policy and practice. Every organisation has its own appetite for risk, which depends on its ethical stance and culture, the legal and potentially moral frameworks it operates in and its security requirements, which will to some extent depend on its sector. Each organisation needs to invest in the right level of defensive strength to balance against the increasing threats and threat vectors.
Being averse to risk can be extremely expensive, as overbearing restrictions mean a slow response to changing situations. However, getting it wrong can be even more costly, as too few restrictions can put an organisation’s future in jeopardy. Effective, streamlined processes will promote security and minimise mistakes, and compliance will demonstrate organisational commitment.
Extending compliance to customers and suppliers increases trust
Another aspect of compliance is to increase customer trust by bringing customers into the compliance regime and encouraging them to adopt it in a form tailored to their own business. It is important to ensure that this trust can be validated by working with customers to understand their business and provide additional, add-on solutions to support the new digital landscape. Embedding an organisation with its customers in an environment of mutual trust and understanding creates an open and trusted relationship that shares risk and profit.
The behaviour of an organisation’s suppliers can have a critical impact on its customers. Hence it should work closely with its major technology suppliers to ensure long term security and stewardship of strategic assets.
Suppliers should be categorised depending on the organisation’s reliance on them, with critical suppliers held, at a minimum, to the same security governance and compliance as the organisation itself. Organisations should aim for a cost-effective partnership on agreed standards and the joint operation of governance, risk and compliance.
Each supplier needs to be considered separately. A large IT supplier will typically have a long and well-established compliance process which is extremely secure but comes at a high cost. An SME will be more agile and may find it easier to adapt the scope of governance to work in a tailored way with each individual supplier.
The buyer has to assess whether the resulting risk of working with that SME is acceptable and find the right balance between risk and restriction, which is where it obtains best-value services. Both parties need to agree on how they grade each risk so that the right amount of resources is assigned, and then audit the process to ensure governance.
Compliance will add value
With the correct policies and controls, aligned to your organisational goals and integrated, interactive, streamlined and verifiable, compliance can be considered an investment rather than a burden, because it adds value to your business.