Organisational compliance is not a “black and white”, “yes or no” status but a “more or less”, “better or worse” continuous scale. Organisations that are 100% certain of organisational compliance should verify their belief by considering the questions in this article.
First, the article title: you might have recognised the reference to a television show called “So you think you can dance?”. I am not a big fan of the show but I love the title. For me it holds both a challenge for the contenders to show “their stuff”, combined with a high level of “who do you think you are to think you are good enough to appear before us?” arrogance. And indeed, as expected, self-appointed experts and has-been celebrities in the jury will cut overconfident no-talent participants down to size.
Too often I have to think about this image when I see (IT) auditors fresh out of school presenting their audit findings and passing judgement over the organisational compliance effort. Please do not misunderstand me: there is nothing wrong with the auditing profession as such, but at times we seem to forget that the audit report describes the auditors’ opinion, not the absolute truth.
I have no respect for auditors that think they can pass final (and absolute) judgement on the workings of an organisation based on a two-week (or even shorter) audit period. Yes, they might be able to find examples of what went wrong in the operations. And a good auditor will be able to form an opinion about the mentality and culture of the organisation in such a time frame.
However, a great auditor will be the first to admit that his report is just an opinion. He will discuss his findings with the organisation he investigated and, more importantly, will have an open mind for arguments that might change his opinion.
Too often the equality between auditor and audited department is gone. It is the same with these talent shows: if the performance is ridiculously bad it might be warranted to put somebody “out of his misery”. However, when it comes to judging those that clearly show promise and commitment, judges should discuss “opportunities for improvement” instead of passing a “final verdict”.
Granted, where the purpose of the audit is to assure compliance with an individual regulation or to issue certification to a standard, the end result will be a pass or fail “bottom-line” statement. My comment is related to the relationship and attitudes during the assurance process to deliver that verdict.
So when assessing the compliance status of your organisation there are a number of questions you should consider. By answering them truthfully you will probably find that 100% certainty of organisational compliance is both impossible and, even if it were possible, undesirable.
Are you sure you are aware of all rules and regulations you are supposed to comply with?
Compliance is a requirement; somebody wants your organisation or department to comply with a set of rules and/or regulations. For instance, the financial administration of an organisation that handles credit card transactions has to comply with the rules set by the credit card companies (PCI-DSS). In turn the administration will have to articulate the security requirements for their relevant IT services to the IT department. In the same manner the finance department will react to the SOX regulations (if applicable). The HR and Marketing/Sales departments might require compliance with data privacy regulations. The logistics department may have requirements based on import/export regulations.
Of course IT itself has to comply with software and hardware license requirements. We have the requirements originating from fire, health and (personal) security. Industry-specific regulations, for instance Basel II for finance or HIPAA for US health care organisations, might be an issue. There are local regulations regarding building, parking, signage, etc., etc. Just to name a few.
The list of organisational stakeholders with rules and regulations to comply with is endless. So how sure are you that you know all the compliance requirements you are supposed to meet as an organisation or department?
When answering this question it is important to realise: to be 100% certain you know all applicable rules and regulations you would need infinite resources to keep checking with every possible stakeholder. This is the first compliance risk: not knowing of the existence of the requirement. So 100% certainty is both impossible and undesirable, since nobody has, or would want to spend, infinite resources. The real question then becomes: what is your organisational risk posture? How much risk are you willing to accept? And how much are you willing to invest to mitigate the risk of non-compliance due to unawareness?
Are you 100% certain of what you are supposed to do to comply with individual rules and regulations?
Most rules and regulations are created with the best intentions, that is, to try and limit the chance that an undesirable event or situation occurs. But there are places where rules and regulations are created to support corruption.
The basic idea is that the requirements of these regulations are purposely impossible to meet and the only way not to get punished for non-compliance is to bribe those who create and enforce those rules. I have experienced these situations in the past and basically non-compliance and bribery are an accepted part of doing business in these places. Trying to achieve your goals in a fully compliant manner is a very expensive, inefficient, if not impossible task. Even more so in some cases, where it might put the organisation at an undesirable competitive disadvantage.
These days I see non-bribery policies with more and more (multi-national) organisations, some of them active in these kinds of places. In a number of instances I believe the policy is more about “don’t ask, don’t tell” than anything else. It is not my intention to advocate bribery, but we do live in the real world and an ostrich should not claim 100% certainty of compliance.
Even assuming the intentions behind the regulations are good, that does not mean the actual requirements are clear. Many laws and regulations are supposed to last over a longer period of time and cover a wide area. It would be impractical to describe the do’s and don’ts for each individual situation and impossible to predict how the situation will evolve over time. As a result, numerous rules and regulations are purposely written with room for interpretation. It is left to the individual judges and juries to fine-tune the rules by creating jurisprudence. But until jurisprudence has been created there is no way to be 100% certain what the exact requirements are.
This is the second risk of compliance: the risk of misinterpretation of the requirements. It is always good to get the assistance of a regulations expert when assessing the requirements of individual regulations. Expert involvement will reduce the risk of misinterpretation. However, in a number of cases all an expert can offer is an expert opinion, which is not the same as the absolute truth.
Again, risk management offers additional means to manage this risk. The risk avoidance response would suggest you adopt a “worst-case” interpretation of the rules and act accordingly. In this case the chance that a judge and jury rule that the organisation broke the rules is clearly lower than when the organisation “lives close to the edge”. However, rules and regulations, by nature, limit organisational flexibility and agility. They limit the number of possible responses to a given situation. So again, the organisational risk appetite for non-compliance due to misinterpretation is important. In turn this will tell “how close to the edge” the organisation is willing to operate.
Are you 100% sure your organisation actually acts according to the policies, processes, controls and procedures?
Once we know what the applicable rules and subsequent requirements are, the daily compliance of the operational organisation is ensured by creating policies, processes, controls and procedures. These tell individual employees how to conduct their tasks and duties so they do not (inadvertently) break the rules. Everybody knows, however, that people can behave unexpectedly, deviating from the described actions. In this context it is important to realise that such a deviation is often made for the best of reasons and not always out of ignorance, error or malice.
So the third risk of compliance is deviation from designed/expected actions resulting in breaking the rules. By training, testing, coaching, etc. we can mitigate the risk of unexpected/undesirable actions by man or machine. But again this is a risk: how much uncertainty is the organisation willing to accept? How many resources will the organisation make available to mitigate the risk? With people there is another consideration.
We value the creativity of people; in this context I mean their ability to think of actions and solutions for unexpected situations. But if the situation is unplanned for, the reaction resulting from human creativity is clearly unplanned for as well. So the creativity we value so much might easily be at odds with organisational compliance.
The only way to ensure that actions resulting from on-the-spot creativity align with the compliance requirements is to make sure people not only understand what they should or should not do, but also why.
What are the underpinning regulations and requirements? Based on that knowledge, those on the spot can then decide on creative solutions that fit within the regulatory requirements. Empowering people with that kind of knowledge means you can enhance the flexibility and agility of your organisation while ensuring a higher certainty of organisational compliance. But again, this empowerment can be resource-intensive, so once more the organisation needs to strike a balance between empowerment (lowering the risk of non-compliance) and the cost involved.
What is the consequence of non-compliance?
The moral of this article is that compliance is a requirement and non-compliance is a risk, and it should be treated accordingly. Just as we cannot exclude all risk from the organisation, 100% certainty of organisational compliance is an illusion. Any organisation will have to think about the level of non-compliance risk it is willing to accept.
A popular way to categorise risk is to look at both likelihood and impact. Identifying the sources of uncertainty is the first step to assess likelihood. I have seen strategic statements and policies that claim “the organisation will comply with all applicable regulation” or something to the same effect.
What this statement does not say, but does imply, is “at all cost”. In practice, however, most organisations will assess the impact of public non-compliance. They will look at possible fines, reputational damage and other possible negative consequences. Even though very few organisations will come out and say it, they will look at the negative consequences of non-compliance before they decide how many resources are committed to ensure compliance (and thus mitigate the risk of non-compliance).
At one time I came across a courier that made speed of delivery their unique selling point. They worked for broadcast companies, for example. They ensured the fastest possible transfer of physical news footage arriving at the airport to the television studios. Before the digital age, with breaking news, this transfer time was a valuable commodity. So valuable even that the drivers were instructed (never in writing, of course) to break traffic regulations in favour of speed and the company would cover the possible fines.
There are very few people that live by the credo that “anything goes as long as you do not get caught”. On the other hand, there are very few people that will ensure compliance at all cost. For organisations, the risk of non-compliance is just another risk that they should manage, but risk management does not necessarily mean risk elimination.
Arno Kapteyn is a management consultant and a leading expert in the field of IT Governance, Risk and Compliance (GRC) and the integration with Information Management, IT Security and IT Service Management.