Every business, no matter its size or complexity, needs to follow the rules.
Whether they’re government regulations, industry standards, or contractual obligations, business requirements help ensure quality, privacy, security and safety for customers and companies.
However, compliance can be tricky. Each industry has its own set of rules—and some, such as the financial sector, have many sets.
What’s more, rules and regulations change. Staying current can be a real challenge. The alternative, however, is worse. Non-compliance can result in criminal charges, crippling fines, loss of privileges, reputational damage, and even business failure.
How Compliance Management Works
Compliance management is the art of juggling all the tasks and all the knowledge required to maintain a business’s industry, regulatory, and contractual compliance. Compliance management typically involves a compliance officer, board of directors, managers of various business units, and your organization’s cybersecurity or information security and risk management team.
Compliance risk management, a subset of compliance management, puts the controls in place that help to ensure compliance, and monitors those controls to be sure that they are continually effective.
Compliance management is essential for every organization with any rules to follow: labor law; environmental regulations; data privacy laws such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), or other laws or requirements.
How To Use This Guide
This handy guide is designed to help you navigate the complex, often-rugged compliance management landscape.
Are you a new board member trying to get a basic grasp on compliance as part of your management oversight duties?
Or are you a seasoned compliance officer looking for a solution to make your job easier?
We’ll help you understand which compliance frameworks pertain to your organization. You’ll know how to get, and stay, in compliance with applicable law and standards. And if you have more questions? Our experts are happy to consult with you.
What is Compliance Management?
“Compliance management” means ensuring that a business conforms to applicable laws, regulations, standards, and contractual obligations set forth by lawmakers, regulatory bodies, standards-setters, and contracting entities.
Compliance officers and their teams, often comprising professionals from various business units, may use a formalized compliance program known as a compliance management system (CMS) to bring their company into compliance and keep it there. A CMS typically consists of plans, assessments (including risk assessments), compliance policies and procedures, controls, compliance training, compliance monitoring, and corrective action.
Businesses may undergo regular compliance audits to verify that they’ve met compliance requirements. In some cases, these audits are required.
If compliance officers can provide to the auditor compliance documents such as policies and procedures, manuals, codes of conduct, and other evidence of their compliance activities, they will be more likely to attain needed compliance certification or an attestation.
Compliance Management Certifications: A List
Managing compliance requirements and responsibilities isn’t a task that should be left to amateurs. Your business’s reputation and its ability to operate are at stake.
To manage your compliance program, you may seek a certified compliance professional with one or more of these certifications:
- Certified Regulatory Compliance Manager Professional (CRCMP), from the International Association of Risk and Compliance Professionals (IARC), one of the most widely held (32 countries) compliance certifications in the world
- Certified Regulatory Compliance Manager (CRCM), from the American Bankers’ Association (ABA)
- Certified Regulatory and Compliance Professional (CRCP), from the Financial Industry Regulatory Authority (FINRA)
- Certified Risk and Compliance Management Professional in Insurance and Reinsurance, from the IARC
- Certified Compliance and Ethics Professional (CCEP), provided by the Compliance Certification Board (CCB)
- Certified in Healthcare Compliance (CHC), also from the CCB
- Certified Information Systems Risk and Compliance Professional (CISRCP), from the IARC
- Certified Cyber (Governance Risk and Compliance) Professional (CC(GRC)P), from the IARC
In addition, companies can achieve certification for compliance with ISO 19600:2014, Compliance management systems—Guidelines. According to ISO, ISO 19600 provides “guidance for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system within an organization.”
Regulatory Compliance Management: What Is It?
The term “regulatory compliance” refers to your business’s meeting all the requirements imposed by regulatory bodies, often those appointed by state and federal governments.
As the news site Tripwire points out, regulatory compliance is very similar to statutory compliance, which involves conforming to laws. Regulatory compliance tends to be more difficult because regulations, which don’t necessarily require votes by public bodies, change more frequently than laws.
Examples of statutory and regulatory requirements are:
- The European Union’s General Data Protection Regulation (GDPR)
- The California Consumer Privacy Act (CCPA)
- The Health Insurance Portability and Accountability Act (HIPAA)
- The Sarbanes-Oxley Act (SOX)
Another type of compliance, which Tripwire calls “contractual compliance,” regards meeting the requirements outlined in contracts between a business and private parties.
Regulatory compliance management concerns itself with these requirements when they come from sector or industry standards as a requirement for membership or certification.
For instance, the Payment Card Industry Data Security Standard (PCI DSS) isn’t a law or regulation. Rather, it’s a set of data security rules that merchants must follow if they want to process debit or credit cards. Likewise, System and Organization Controls for Service Organizations (SOC 2) certification attests to the strength of an organization’s security controls.
Why Use Compliance Software?
Noncompliance with any of these requirements can lead to financial loss, reputational loss, fines, imprisonment, and other penalties. But laws, regulations, and standards are so complex, and may change so frequently, that companies—especially in finance, healthcare, manufacturing, and technology—often appoint teams of people to manage and oversee their compliance. Often, they use compliance software.
Compliance software works within compliance frameworks to attain and maintain your organization’s compliance with applicable requirements. Devised by industries or regulatory bodies to guide companies through the often-thorny compliance process, frameworks can help your company to know what it needs to do to reach compliance.
Not all frameworks are created equal, however. Some, like PCI DSS, are highly prescriptive, spelling out not only the “what” but the “how” of compliance. Others are more vague, giving you more leeway to interpret the rules but also, perhaps, leaving you feeling a bit uncertain about exactly what’s required. Good GRC software can help interpret the rules and will adjust its parameters as regulations and standards change.
Elements of a Successful Compliance Management Program
The multinational consulting firm Deloitte suggests that compliance management programs do the following:
- Identify the laws, rules, codes and standards applicable to your operating environment. Does your enterprise accept credit card payments? Then you’ll need to comply with PCI DSS. Are you a healthcare provider? If so, compliance with HIPAA is a must. And so on.
- Integrate compliance obligations into daily processes and procedures. A company-wide “culture of compliance” is essential to successful, ongoing regulatory compliance, and it starts at the top. Thomson Reuters Legal recommends six elements for instilling and maintaining a culture of compliance, among them:
  - Effective technology
  - Incident reporting and case management
- Monitor compliance controls.
- Conduct regular compliance reviews, and report compliance internally.
- Train staff to know and follow the rules.
- Respond to failures with appropriate corrective action, including internal controls.
- Develop and nurture relationships with regulators.
Which Activities Does Compliance Management Include?
An effective compliance management program comprises many people, business units and functions, and activities all working together throughout the year.
Compliance management activities include:
- Developing policies and procedures to ensure compliance
- Compliance training company-wide
- Internal audits
- Third-party audits to ensure that vendors and contractors are also compliant
- Security procedures and controls
- Compliance reporting
- Compliance tracking and monitoring
- External audits, when appropriate
- Corrective actions
- Consumer complaint response
What Is Compliance Tracking and Monitoring?
Falling out of compliance, even for one day, can be disastrous. It can cause loss of certifications or status, fines and penalties, lawsuits, and reputational damage to your business. To ensure that you’re always following the rules, monitor your controls and activities to validate your compliance with the laws, regulations, and standards pertinent to your enterprise.
A compliance officer or team cannot be everywhere at once, all the time, however. That’s why most organizations use compliance management software to follow their activities and controls, as well as those of third-party vendors and contractors, to ensure that there are no lapses, gaps or compliance failures.
In the end, however, your compliance efforts are only as good as your evidence. As you perform the myriad activities required to get, and stay, in compliance, you’ll need to track those actions and document every one.
That’s a lot of paperwork, but it’s worth it.
A thorough and detailed audit trail will make your compliance audits much more efficient, and help guarantee that you’ll pass with flying colors. So, when choosing a compliance management system or software, make sure it will collect and store your compliance documents for easy retrieval at audit time.
Why Compliance Programs Fail
When compliance programs fail, the result can be devastating. A data breach because of noncompliance with PCI DSS can result not only in enormous fines, but also in the offending enterprise’s loss of credit card privileges. Not being able to accept card payments can be a death knell for business.
Noncompliant cybersecurity leaves you vulnerable to IP theft or costly downtime because of ransomware or other disruption. Fraud and other forms of corruption can cost an enterprise millions, and the arrests and fines that result can destroy consumer and shareholder confidence.
The heartbreaking thing is that the compliance team could have avoided many compliance failures with proper due diligence.
An article in Harvard Business Review states that compliance programs most often fail because no one is monitoring or evaluating them:
“Companies routinely produced large binders of policies and procedures and counted the number of controls in their financial systems. And yet they offered no evidence of having tested those policies, procedures, and controls, nor did they track how many breaches they had experienced. A company might cite its long-standing internal whistle-blower program, for instance, but not have data on the program’s rate of usage by employees.
“Firms also routinely reported how many times they had trained wrongdoers on the very topic of their misconduct, apparently blind to the irony of defending their compliance efforts that way.”
Merely checking off the items on your compliance framework list isn’t enough. To do compliance management right, you’ve got to really care about it. There’s no excuse for doing a less-than-stellar job at rooting out and resolving compliance issues before they become problems.
Best Practices for Approaching Compliance Management
The best compliance management programs work on a firm foundation of good planning and forethought. When your enterprise embarks on compliance management, taking a comprehensive, enterprise-wide, risk-based approach can ensure its success.
1. Determine your end goals at the start.
Knowing where you’re going enables you to take the more direct and effective path, and to develop your compliance program with clarity. Guidance from the Commodities and Futures Trading Commission (CFTC) applies to infosec and privacy in the financial sector but is applicable to any industry. It recommends evaluating compliance management programs in three areas:
- Prevention: preventing fraud, errors, breaches, and other risks from materializing. To meet this goal, the CFTC recommends:
  - Written policies and procedures
  - Employee training
  - Remediation of existing issues
  - Dedication of the resources (budget, staff, expertise) needed to ensure success
  - The structure, oversight, and reporting of the compliance function
- Detection: using real-time alerts, internal audits, and other mechanisms to know when compliance issues arise. The CFTC’s list of mechanisms for this goal is:
  - Internal surveillance and monitoring
  - An internal-reporting system
  - A system for dealing with complaints
  - Procedures to detect unusual activity and evaluate its risk
- Remediation: assessing and addressing whatever actions caused or allowed the misconduct, as well as deficiencies in the compliance management system. The CFTC recommends that remediation include:
  - Assessing the impacts of noncompliance
  - Determining when and how to discipline those responsible for compliance issues
  - Resolving gaps or weaknesses in the compliance system
2. Know the rules for your industry.
The composition of regulations, laws, and standards your business should (or must) follow may be very simple—PCI DSS if yours is a retail shop that accepts credit card payments and has no online store. Or it may be very complex, as is the case for financial institutions and in the healthcare and manufacturing sectors. Knowing which apply to you and choosing the right frameworks to help you comply with them is a critical early step in developing your compliance management program.
3. Write strong, clear internal policies and procedures.
Your staff, contractors, senior management, and board members all need to know precisely which rules to follow, and how to follow them.
4. Enforce accountability.
Build checks and balances into your system, and hold people accountable for their errors or misconduct.
5. Train your personnel.
Many non-compliance issues arise because of errors that could easily be avoided with thorough, engaging, interactive training. Do your research, and make sure the compliance training you provide is effective.
6. Audit yourself.
A strong program needs a strong foundation, and you need a baseline to know where to focus your compliance efforts—and to avoid duplicating them. Many compliance frameworks overlap, so meeting the requirements of one regulation, law, or standard will likely put you on the path to compliance with others. Knowing your controls and your vulnerabilities at the start will help you develop your compliance management program more easily and make it as strong as can be.
7. Manage compliance for risk, not only for compliance.
Checking off items from a list of compliance requirements to satisfy regulators or auditors might seem the easiest path, but it could short-change your business. Suppose you’re going to spend time and money in pursuit of certifications. Why not go the extra mile and work to minimize and mitigate the risks to your organization? Protecting your enterprise, systems, data, and customers should be your end goal.
8. Maintain an audit trail.
A “paper” trail documenting all your compliance activities will not only be invaluable should you need audits, but could help you avoid stiff penalties should a breach or other noncompliance issue occur. Collect and keep all your evidence in one place so you can easily retrieve it when needed—or use a quality GRC software to do this for you.
Compliance Audits: Best Practices & How to Prepare
Compliance audits, like death and taxes, are inevitable—but yours need not be intimidating. You should sail through your audits if your enterprise has a strong compliance program and you’ve documented all your compliance activities.
The compliance auditor is usually a certified professional from an independent external firm. They will examine your policies and procedures, risk management controls, complaints, and other evidence to determine whether your enterprise adheres to applicable laws and standards.
Depending on the type of compliance audit, the auditor may also peruse your financial records and statements or your security controls.
Auditors who work in the compliance office of your organization may perform internal audits to ensure ongoing compliance or even, in some circumstances, to self-attest to compliance with a regulation or standard. Quality GRC software can perform these internal audits for you.
How Compliance Audits Work
A compliance audit may encompass the entire company or a single business unit. The auditor will typically interview people from various areas of the enterprise, particularly managers, and will review documents and logs to determine whether the entity under audit is in compliance with the regulation or standard in question.
The auditor may work on-site, interviewing managers and other pertinent personnel, or remotely. Often they will issue questionnaires. Rather than examine every detail, they may take a sampling of logs and records from which to extrapolate.
A compliance audit typically follows these steps:
- Your enterprise selects an auditor qualified under the framework with which you want to demonstrate compliance. Compliance auditors aren’t “one size fits all”: different agencies and standards have different requirements and certifications.
- At the first meeting, the auditor details the guidelines they will follow and provides a checklist to help you prepare.
- If the auditor is working remotely, they will send questionnaires that you’ll answer and request that you send them any documents they need. If on-site, the auditor may peruse documents at your offices, walk through areas they need to see, and conduct interviews in person.
- The auditor will issue “findings,” or a report that describes where your organization complies and where it doesn’t, and recommends how to fill gaps or correct deficiencies. They’ll present their report at a final meeting, and suggest a timeline for corrective actions.
- When your organization has followed the auditor’s recommendations, they’ll follow up to verify that you are now in compliance, and issue a new finding to that effect.
What Do Compliance Audits Look for?
Compliance audits look for evidence that your organization is, or isn’t, in compliance with the regulation, law, or standard with which the audit is concerned.
The auditor will examine your systems, controls, and documentation and conduct interviews to determine whether you have proper policies and procedures to enable your organization to comply, and whether those policies and procedures are being followed.
Exactly which questions the auditor asks depends on the framework in question.
Overall, compliance audits verify:
- The completeness, accuracy and integrity of your financial statements (SOX)
- The security of your IT systems (NIST, FedRAMP, COBIT, ISO 27001, PCI-DSS, SOC 2/3)
- How well your enterprise manages overall risk (COSO)
- The effectiveness of your quality controls (ISO 9001)
- How well you protect the privacy of personal data (GDPR, CCPA, HIPAA)
How Can I Prepare for a Compliance Audit?
Getting audited is, in some ways, the easy part. Preparing for it is harder, requiring much organization and planning. One financial professional recommends taking a three-step approach to compliance audit preparation: design, organize, plan.
- Design, in which you map the requirements with which you need to comply and who’s responsible for each; access points to your facilities and systems; systems architectures and telecommunications designs; and all systems components.
- Organize, during which you gather evidence from past audits and delegate current evidence collection to those responsible for specific requirements, and schedule periodic review of your systems so that, when your systems architecture changes, you can update your architecture documents.
- Plan, during which you organize your evidence; document compliance gaps and your efforts to remediate them; and automate these tasks as well as your communications as much as possible.
To guide your preparation efforts, answer these five questions:
- What is the scope of the audit? Narrowing your scope is one of the most important things you can do to increase the audit’s efficiency. Segment your systems. Understand which ones are critical for compliance, and which are outside the scope. Perhaps diagram your critical business processes so you understand how everything interacts.
- Have the findings in previous audits been corrected? Why or why not?
- How will you handle the results of the audit? Who will resolve issues, and how? How will you monitor so that compliance issues stay resolved?
- Is there proper management in place to make sure the audit moves efficiently?
- How will the audit affect your bottom line? How will the audit help increase revenue or reduce costs? How will it manage your risks? Compliance is great, but a better-run business is even better.
How Much Do Compliance Audits Cost?
The cost of a compliance audit depends in part on the complexity of the regulation, law, or standard with which you’re striving to comply, in part on the size and complexity of your organization, and in part on your own advance planning and audit-trail documentation.
A PCI DSS audit, for instance, can cost more than $70,000 for a Level One merchant that processes more than 1 million credit card transactions a year. A HIPAA audit can cost as much as $250,000. A SOC 2 audit’s price tag depends on a number of variables. And so on.
Perhaps a better question to ask is, “How much would noncompliance cost?”
Fines, penalties, fees, remediation costs, reputational damage, loss of privileges and other results of noncompliance can potentially cripple or even destroy a business. And without compliance certifications, your business could get locked out of markets or miss revenue opportunities while your certified competitors take full advantage.
Is the price of compliance worth it to you?
How To Get Started with Compliance Management
Instilling a culture of compliance is the first step toward a successful compliance management program. For that, you’ll need buy-in from the top down, including your CEO and board.
Make sure everyone knows your company’s commitment to following the rules as well as to the intentions behind those rules, such as cybersecurity, data privacy protections, product quality, and financial integrity.
Plan on adding a full-time position to oversee compliance at your organization. Some companies have entire GRC teams devoted to managing risk and maintaining regulatory and industry compliance.
At minimum, you’ll need a compliance officer or compliance manager to coordinate the many tasks required as well as a system or software to automate as many of those tasks as possible, track workflows, gather and store your documentation, and monitor your systems for continual compliance.
Your next steps will include:
- Determine the laws, regulations, standards, and contractual requirements with which your company needs to comply, then prioritize them.
- Don’t try to do it all at once: pick one or two to start.
- Establish a relationship with a qualified auditor as well as your internal audit team, if you have one.
- Conduct a compliance risk assessment so you know where to focus your compliance efforts.
- Update your policies and procedures, or develop new ones.
- Establish a training program for your employees.
- Delegate compliance activities and responsibilities among appropriate people and teams.
- Establish procedures for addressing noncompliance issues as soon as you become aware of them.
- Establish a system for reporting and audit trail documentation.
- Periodically conduct internal audits to ensure continued compliance.
What Is a Compliance Management System?
A compliance management system (CMS) comprises all the documents, processes, controls, functions, and tools that bring an organization into legal, regulatory and industry-standard compliance and help maintain that compliance.
A CMS may include:
- Policies and procedures
- System diagrams and mapping
- Risk assessments
- Audit-trail correspondence
- Financial statements
- System and organizational controls
- Third-party contracts and agreements
- Complaints and resolution records
- Internal and external audit reports
- Compliance management solutions
How to Stay on Top of Compliance Management
Getting to compliance is never an easy task.
Frameworks help, but even then, a timeframe of a year or more is not uncommon just to establish compliance with a single standard or regulation—and then there are updates with which to stay current, new frameworks to be concerned about, and changes in your own systems that demand attention.
Even companies with GRC teams use software to help them manage their compliance programs. The best software not only alerts you to compliance gaps but also updates its databases as regulations and standards change, helps you manage workflows, and collects and keeps your audit trail documentation.
ZenGRC has all these features and more:
- Our software-as-a-service analyzes your systems, protocols, and controls and tells you where you are in compliance, and where you fall short.
- User-friendly, color-coded dashboards make it easy to see your organization’s compliance posture in one glance, and to track workflows task-by-task.
- Zen compares and contrasts compliance requirements of more than a dozen frameworks to help you avoid repetition, making compliance more efficient.
- Vendor surveys help ensure third-party compliance. Zen generates and sends these for you, and collects and compiles responses.
- Incident management ensures that you respond to compliance issues as they arise, quickly and effectively.
- Our ZenConnect plug-in lets you integrate risk management and compliance activities with all your business applications.
- Unlimited, in-a-click self-audits keep you always apprised of your compliance posture and help prepare you for certification and regulatory audits.
- Our “Single Source of Truth” repository collects and stores all your audit-trail documentation for easy retrieval at audit time.
There’s a reason—many of them, in fact—why some of the world’s leading companies rely on ZenGRC for top-notch, always-on regulatory, legal, and industry-standard compliance. Worry-free risk management and compliance is the Zen way. Contact us today for your free consultation.