Every business needs to follow the rules, no matter its size or complexity.
Whether government regulations, industry standards, or contractual obligations, business requirements help ensure quality, privacy, security, and safety for customers and companies.
However, compliance can be tricky. Each industry has its own set of rules and some, such as the financial sector, have many sets.
What’s more, rules and regulations change. So staying current can be a real challenge. The alternative, however, is worse. Non-compliance can result in criminal charges, crippling fines, loss of privileges, reputational damage, and even business failure.
How Compliance Management Works
Compliance management is the art of juggling all the tasks and all the knowledge required to maintain a business’s industry, regulatory, and contractual compliance. Compliance management typically involves:
- A compliance officer.
- A board of directors.
- Managers of various business units.
- Your organization’s cybersecurity or information security and risk management team.
Compliance risk management, a subset of compliance management, puts the controls in place that help ensure compliance and monitors those controls to ensure they are continually effective.
Compliance management is essential for every organization with any rules to follow: labor law; environmental regulations; data privacy laws such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), or other rules or requirements.
How To Use This Guide
This handy guide is designed to help you navigate the complex, often-rugged compliance management landscape.
Are you a new board member trying to get a basic grasp on compliance as part of your management oversight duties?
Or are you a seasoned compliance officer looking for a solution to make your job easier?
We’ll help you understand which compliance frameworks pertain to your organization. You’ll know how to get and stay in compliance with applicable laws and standards. And if you have more questions? Our experts are happy to consult with you.
What is Compliance Management?
“Compliance management” means ensuring that a business conforms to applicable laws, regulations, standards, and contractual obligations set forth by lawmakers, regulatory bodies, standards-setters, and contracting entities.
Compliance officers and their teams, often comprising professionals from various business units, may use a formalized compliance program known as a Compliance Management System (CMS) to bring their company into compliance and keep it there. A CMS typically consists of plans, assessments (including risk assessments), compliance policies and procedures, controls, compliance training, monitoring, and corrective action.
Businesses may undergo regular compliance audits to verify that they’ve met compliance requirements. In some cases, these audits are required.
If compliance officers can provide the auditor with compliance documents such as policies and procedures, manuals, codes of conduct, and other evidence of their compliance activities, they will be more likely to attain the needed compliance certification or attestation.
Compliance Management Certifications: A List
Managing compliance requirements and responsibilities isn’t a task that amateurs should do. Your business’s reputation and its ability to operate are at stake.
To manage your compliance program, you may seek a certified compliance professional with one or more of these certifications:
- Certified Regulatory Compliance Manager Professional (CRCMP), from the International Association of Risk and Compliance Professionals (IARC), one of the most widely held (32 countries) compliance certifications in the world
- Certified Regulatory Compliance Manager (CRCM), from the American Bankers Association (ABA)
- Certified Regulatory and Compliance Professional (CRCP), from the Financial Industry Regulatory Authority (FINRA)
- Certified Risk and Compliance Management Professional in Insurance and Reinsurance, from the IARC
- Certified Compliance and Ethics Professional (CCEP), provided by the Compliance Certification Board (CCB)
- Certified in Healthcare Compliance (CHC), also from the CCB
- Certified Information Systems Risk and Compliance Professional (CISRCP), from the IARC
- Certified Cyber (Governance Risk and Compliance) Professional (CC(GRC)P), from the IARC
In addition, companies can achieve certification for compliance with ISO 19600:2014, Compliance management systems – Guidelines. According to ISO, ISO 19600 provides “guidance for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system within an organization.”
Regulatory Compliance Management: What Is It?
The term “regulatory compliance” refers to your business’s meeting all the requirements imposed by regulatory bodies, often those appointed by state and federal governments.
As Tripwire points out, regulatory compliance is very similar to statutory compliance, which involves conforming to laws. However, regulatory compliance tends to be more complex because regulations, which don’t necessarily require votes by public bodies, change more frequently than laws.
Examples of statutory and regulatory requirements are:
- The European Union’s General Data Protection Regulation (GDPR)
- The California Consumer Privacy Act (CCPA)
- The Health Insurance Portability and Accountability Act (HIPAA)
- The Sarbanes-Oxley Act (SOX)
Another type of compliance, which Tripwire calls “contractual compliance,” regards meeting the requirements outlined in contracts between a business and private parties.
Regulatory compliance management also concerns itself with requirements that come from sector or industry standards, where compliance is a condition of membership or certification.
For instance, the Payment Card Industry Data Security Standard (PCI DSS) isn’t a law or regulation. Instead, it’s a set of data security rules that merchants must follow if they want to process debit or credit cards. Likewise, System and Organization Controls for Service Organizations (SOC 2) certification attests to the strength of an organization’s security controls.
Why Use Compliance Software?
Non-compliance with these requirements can lead to financial loss, reputational loss, fines, imprisonment, and other penalties. But laws, regulations, and standards are so complex and may change so frequently that companies (especially in finance, healthcare, manufacturing, and technology) often appoint teams of people to manage and oversee their compliance. Often, they use compliance software.
Compliance software works within compliance frameworks to attain and maintain your organization’s compliance with applicable requirements. Devised by industries or regulatory bodies to guide companies through the often-thorny compliance process, frameworks can help your company to know what it needs to do to reach compliance.
Not all frameworks are created equal, however. Some, like PCI DSS, are highly prescriptive, spelling out the “what” and the “how” of compliance. Others are vaguer, giving you more leeway to interpret the rules but possibly leaving you uncertain about what’s required. Good GRC software can help diagnose gaps and adjusts its parameters as regulations and standards change.
What is IT Compliance Management?
The primary purpose of IT compliance management is to guarantee that IT operations work correctly by ensuring that the applicable IT governance rules, controls, standards, and risk management frameworks are properly managed.
Data collection and management, audit trails, workflows, database administration, data and security testing, internal and external fraud, supplier management, system availability, and service delivery are all part of this.
However, reaching this objective is a challenging task. Because the laws do not include a detailed roadmap, several industry-specific recommendations and best practices are published to give clarity and assistance.
Other issues include:
- Insufficient training for employees
- Shadow IT problems, including individual mobile devices that bypass corporate IT infrastructure
- Unapproved applications
- Issues with service providers (cloud services and data centers)
- The use of social media
- The number of existing rules, revisions, and new legislation
Elements of a Successful Compliance Management Program
The multinational consulting firm Deloitte suggests that compliance management programs do the following:
- Identify the laws, rules, codes, and standards applicable to your operating environment. Does your enterprise accept credit card payments? Then you’ll need to comply with PCI DSS. Are you a healthcare provider? If so, compliance with HIPAA is a must. And so on.
- Integrate compliance obligations into daily processes and procedures. A company-wide “culture of compliance,” starting at the top, is essential to successful, ongoing regulatory compliance. Thomson Reuters Legal recommends six elements for instilling and maintaining a culture of compliance, including:
  - Effective technology
  - Incident reporting and case management
- Monitor compliance controls.
- Conduct regular compliance reviews, and report compliance internally.
- Train staff to know and follow the rules.
- Respond to failures with appropriate corrective action, including internal controls.
- Develop and nurture relationships with regulators.
Which Activities Does Compliance Management Include?
An effective compliance management program comprises many people, business units and functions, and activities all working together throughout the year.
Compliance management activities include:
- Developing policies and procedures to ensure compliance
- Compliance training company-wide
- Internal audits
- Third-party audits to ensure that vendors and contractors are also compliant.
- Security procedures and controls
- Compliance reporting
- Compliance tracking and monitoring
- External audits, when appropriate
- Corrective actions
- Consumer complaint response
What Is Compliance Tracking and Monitoring?
Falling out of compliance, even for one day, can be disastrous. It can cause loss of certifications or status, fines and penalties, lawsuits, and reputational damage to your business. To ensure that you’re always following the rules, monitor your controls and activities to validate your compliance with your enterprise’s laws, regulations, and standards.
Being everywhere at once, all the time, is impossible, however, for a compliance officer or team. That’s why most organizations use compliance management software to follow their activities and controls, as well as those of third-party vendors and contractors, to ensure that there are no lapses, gaps, or compliance failures.
In the end, however, your compliance efforts are only as good as your evidence. So as you perform the myriad activities required to get and stay in compliance, you’ll need to track those actions and document every one.
That’s a lot of paperwork, but it’s worth it.
A thorough and detailed audit trail will make your compliance audits much more efficient and help guarantee that you’ll pass with flying colors. So, when choosing a compliance management system or software, ensure it will collect and store your compliance documents for easy retrieval at audit time.
Why Compliance Programs Fail
When compliance programs fail, the result can be devastating. For example, a data breach because of non-compliance with PCI DSS can result in enormous fines and the offending enterprise’s loss of credit card privileges. In addition, not being able to accept card payments can be a death knell for the business.
Noncompliant cybersecurity leaves you vulnerable to IP theft or costly downtime because of ransomware or other disruption. In addition, fraud and other forms of corruption can cost an enterprise millions, and arrests and fines can destroy consumer and shareholder confidence.
The heartbreaking thing is that the compliance team could have avoided many compliance failures with proper due diligence.
An article in Harvard Business Review states that compliance programs most often fail because no one is monitoring or evaluating them:
“Companies routinely produced large binders of policies and procedures and counted the number of controls in their financial systems. And yet they offered no evidence of having tested those policies, procedures, and controls, nor did they track how many breaches they had experienced. A company might cite its long-standing internal whistle-blower program, for instance, but not have data on the program’s rate of usage by employees.
“Firms also routinely reported how often they had trained wrongdoers on the very topic of their misconduct, apparently blind to the irony of defending their compliance efforts that way.”
Merely checking off the items on your compliance framework list isn’t enough. To do compliance management right, you’ve got to care about it. So there’s no excuse for doing a less-than-stellar job at rooting out and resolving compliance issues before they become problems.
Best Practices for Approaching Compliance Management
The best compliance management programs work on a firm foundation of good planning and forethought. When your enterprise embarks on compliance management, taking a comprehensive, enterprise-wide, risk-based approach can ensure its success.
Determine your end goals at the start
Knowing where you’re going enables you to take the more direct and effective path to developing your compliance program. For example, the Commodity Futures Trading Commission (CFTC) regulates InfoSec and privacy in the financial sector, but its guidance applies to any industry. It recommends evaluating compliance management programs in three areas:
- Prevention: preventing fraud, errors, breaches, and other risks from materializing. To meet this goal, the CFTC recommends:
  - Written policies and procedures
  - Employee training
  - Remediation of existing issues
  - Dedication of the resources (budget, staff, expertise) needed to ensure success
  - The structure, oversight, and reporting of the compliance function
- Detection: real-time alerts, internal audits, and other mechanisms to know when compliance issues arise. The CFTC’s list of mechanisms for this goal includes:
  - Internal surveillance and monitoring
  - An internal-reporting system
  - A system for dealing with complaints
  - Procedures to detect unusual activity and evaluate its risk
- Remediation: assessing and addressing whatever actions caused or allowed the misconduct and deficiencies in the compliance management system. The CFTC recommends that remediation include:
  - Assessing the impacts of non-compliance
  - Determining when and how to discipline those responsible for compliance issues
  - Resolving gaps or weaknesses in the compliance system
Know the rules for your industry
The composition of regulations, laws and standards your business should (or must) follow may be very simple: PCI DSS alone, if yours is a retail shop that accepts credit card payments and has no online store. Or it may be very complex, as is the case for financial institutions and the healthcare and manufacturing sectors. Knowing which applies to you and choosing the right frameworks to help you comply with them is a critical early step in developing your compliance management program.
Write strong, clear internal policies and procedures.
Your staff, contractors, senior management, and board members all need to know precisely which rules to follow and how to follow them.
Enforce accountability
Build checks and balances into your system, and hold people accountable for their errors or misconduct.
Train your personnel
Many non-compliance issues arise because of errors that could easily be avoided with thorough, engaging, interactive training. Therefore, do your research and ensure the compliance training you provide is effective.
A robust program needs a strong foundation, and you need a baseline to determine where to focus your compliance efforts and avoid duplicating them. Many compliance frameworks overlap, so meeting the requirements of one regulation, law, or standard will likely put you on the path to compliance with others. Knowing your controls and vulnerabilities at the start will help you develop your compliance management program more efficiently and make it as strong as possible.
Manage compliance for risk, not only for compliance
Checking off items from a list of compliance requirements to satisfy regulators or auditors might seem the easiest approach, but it could short-change your business. Instead, if you’re going to spend time and money pursuing certifications, why not go the extra mile and work to minimize and mitigate the risks to your organization? Protecting your enterprise, systems, data, and customers should be your end goal.
Maintain an audit trail
A “paper” trail documenting all your compliance activities will not only be invaluable if you need audits but could also help you avoid stiff penalties should a breach or other non-compliance issue occur. Collect and keep all your evidence in one place so you can easily retrieve it when needed, or use quality GRC software to do this for you.
What Are the Benefits of Compliance Management?
There are many benefits to taking compliance management seriously. Here are some of them:
Minimize Your Legal Risks and Save Money in the Future
Compliance will assist your organization in avoiding legal liabilities. Settlements and lawsuits can potentially cost you millions of dollars. Fines and other restitution fees might also pile up.
Even if you can cover these expenses, your sales may suffer significantly. If you fail to safeguard your clients’ credit card information and fraudulent purchases result, you will most likely lose consumers who no longer trust your brand.
Restoring your company’s reputation might take years. It’s hard to say how much financial harm it can do. It is preferable to adopt solid data protection and avoid a compromise entirely.
Increase Your Customer Base’s Trust
Compliance with federal regulations will demonstrate to your consumers that you care about their safety.
While litigation or penalties will harm your reputation, a track record of compliance will demonstrate that you operate a trustworthy business.
Engage with Your Staff
When it comes to compliance management, employees may be a significant headache. For example, a breach can occur when an employee opens an email they should have deleted. In addition, they may be irresponsible with passwords and other sensitive information.
Mobile gadgets may derail your security measures. For example, your corporate network may be completely secure, but a breach is feasible if your workers enter sensitive information on their mobile phones and laptop computers.
Bring your staff into the process as you seek to improve your cyber security. Inform them that they are essential to your business and its data. Use the chance to teach them how to safeguard firm data and consider rewarding those who do so.
Build a Fantastic Story to share with Your Customers
A trustworthy and safe business reputation is a significant positive public relations source.
The finest public relations strategies avoid bad press and generate good stories about your firm. Inform your customers if you have enhanced your data security! They’ll feel more comfortable submitting credit card information if they know their accounts are secure.
Compliance Audits: Best Practices & How to Prepare
Compliance audits, like death and taxes, are inevitable, but yours need not be intimidating. On the contrary, you should sail through your audits if your enterprise has a robust compliance program and has documented all your compliance activities.
The compliance auditor is usually a certified professional from an independent external firm. They will examine your policies and procedures, risk management controls, complaints, and other evidence to determine whether your enterprise adheres to applicable laws and standards.
The auditor may also peruse your financial records and statements or your security controls depending on the compliance audit type.
Auditors who work in the compliance office of your organization may perform internal audits to ensure ongoing compliance or even, in some circumstances, to self-attest compliance with a regulation or standard. Quality GRC software can perform these internal audits for you.
How Compliance Audits Work
A compliance audit may encompass the entire company or a single business unit. The auditor will typically interview people from various areas of the enterprise, particularly managers, and will review documents and logs to determine whether the entity under audit complies with the regulation or standard in question.
The auditor may work on-site, interviewing managers and other pertinent personnel, or remotely. Often they will issue questionnaires. Rather than examine every detail, they may take a sampling of logs and records from which to extrapolate.
A compliance audit typically follows these steps:
- Your enterprise selects an auditor qualified under the framework with which you want to demonstrate compliance. Compliance auditors aren’t “one size fits all”: different agencies and standards have different requirements and certifications.
- At the first meeting, the auditor details the guidelines they will follow and provides a checklist to help you prepare.
- If the auditor is working remotely, they will send questionnaires that you’ll answer and request that you send them any necessary documents. If on-site, the auditor may peruse papers at your offices, walk through areas they need to see and conduct in-person interviews.
- The auditor will issue “findings,” a report describing where your organization does and doesn’t comply, and will recommend how to fill gaps or correct deficiencies. They’ll present their findings at a final meeting and suggest a timeline for corrective actions.
- When your organization has followed the auditor’s recommendations, they’ll follow up to verify that you are now in compliance and issue a new finding to that effect.
What Do Compliance Audits Look for?
Compliance audits look for evidence that your organization is, or isn’t, in compliance with the regulation, law, or standard with which the audit is concerned.
The auditor will examine your systems, controls, and documentation and conduct interviews to determine whether you have appropriate policies and procedures to enable your organization to comply and whether those policies and practices are being followed.
Exactly which questions the auditor asks depends on the framework in question.
Overall, compliance audits verify the following:
- The completeness, accuracy, and integrity of your financial statements (SOX)
- The security of your IT systems (NIST, FedRAMP, COBIT, ISO 27001, PCI DSS, SOC 2/3)
- How well your enterprise manages overall risk (COSO)
- The effectiveness of your quality controls (ISO 9001)
- How well you protect the privacy of personal data (GDPR, CCPA, HIPAA)
How Can I Prepare for a Compliance Audit?
Getting audited is the easy part. Preparing for it is more demanding, requiring much organization and planning. One financial professional recommends taking a three-step approach to compliance audit preparation: design, organize, and plan.
- Design, in which you map the requirements you must comply with and who’s responsible for each; access points to your facilities and systems; systems architectures and telecommunications designs; and all systems components.
- Organize, during which you gather evidence from past audits and delegate current evidence collection to those responsible for specific requirements. Schedule a periodic review of your systems so that you can update your architecture documents when your systems architecture changes.
- Plan, during which you organize your evidence; document compliance gaps and your efforts to remediate them; and automate these tasks and your communications as much as possible.
To guide your preparation efforts, answer these five questions:
- What is the scope of the audit? Narrowing your scope is one of the most important things you can do to increase the audit’s efficiency. Segment your systems. Understand which are critical for compliance and which are outside the scope. Perhaps diagram your essential business processes so you understand how everything interacts.
- Have the findings in previous audits been corrected? Why or why not?
- How will you handle the results of the audit? Who will resolve issues, and how? How will you monitor so that compliance issues stay resolved?
- Is there proper management in place to make sure the audit moves efficiently?
- How will the audit affect your bottom line? How will the audit help increase revenue or reduce costs? How will it manage your risks? Compliance is excellent, but a better-run business is even better.
How Much Do Compliance Audits Cost?
The cost of a compliance audit depends in part on the complexity of the regulation, law, or standard with which you’re striving to comply, in part on the size and complexity of your organization, and in part on your advance planning and audit trail documentation.
A PCI DSS audit, for instance, can cost more than $70,000 for a Level One merchant that processes more than 1 million credit card transactions a year. A HIPAA audit can cost as much as $250,000. A SOC 2 audit’s price tag depends on a number of variables. And so on.
Perhaps a better question is, “How much would non-compliance cost?”
Fines, penalties, fees, remediation costs, reputational damage, loss of privileges, and other results of non-compliance can potentially cripple or even destroy a business. And without cybersecurity compliance certifications, your business could get locked out of markets or miss revenue opportunities while your certified competitors take full advantage.
Is the price of compliance worth it to you?
How To Get Started with Compliance Management
Instilling a culture of compliance is the first step toward a successful compliance management program. Next, you’ll need buy-in from the top down, including your CEO and board.
Make sure everyone knows your company’s commitment to following the rules and the intentions behind those rules, such as cybersecurity, data privacy protections, product quality, and financial integrity.
Plan on adding a full-time position to oversee compliance at your organization. Some companies have GRC teams devoted to managing risk and maintaining regulatory and industry compliance.
At a minimum, you’ll need a compliance officer or compliance manager to coordinate the many required tasks and a system or software to automate as many tasks as possible, track workflows, gather and store your documentation, and monitor your systems for continual compliance.
Your next steps will include the following:
- Determine which laws, regulations, standards, and contractual requirements your company needs to comply with, then prioritize them.
- Don’t try to do it all at once: pick one or two to start.
- Establish a relationship with a qualified auditor and your internal audit team if you have one.
- Conduct a compliance risk assessment to determine where to focus your compliance efforts.
- Update your policies and procedures, or develop new ones.
- Establish a training program for your employees.
- Delegate compliance activities and responsibilities among appropriate people and teams.
- Establish procedures for addressing non-compliance issues as soon as you become aware of them.
- Establish a system for reporting and audit trail documentation.
- Periodically conduct internal audits to ensure continued compliance.
What Is a Compliance Management System?
A Compliance Management System (CMS) comprises all the documents, processes, controls, functions, and tools that bring an organization into legal, regulatory, and industry-standard compliance and help maintain that compliance.
A CMS may include the following:
- Policies and procedures
- System diagrams and mapping
- Risk assessments
- Audit-trail correspondence
- Financial statements
- System and organizational controls
- Third-party contracts and agreements
- Complaints and resolution records
- Internal and external audit reports
- Compliance management solutions
Maintain Compliance with Reciprocity ROAR
Getting to compliance is a challenging task.
Frameworks help, but even then, a timeframe of a year or more is typical to establish compliance with a single standard or regulation. In addition, there are updates with which to stay current, new frameworks to be concerned with, and changes in your systems that demand attention.
Even companies with dedicated compliance teams use software to help them manage their compliance programs. The best software alerts you to compliance gaps and updates its databases as regulations and standards change, helps you manage workflows, and collects and keeps your audit trail documentation.
The Reciprocity® ROAR Platform has all these features and more:
- Our software-as-a-service analyzes your systems, protocols, and controls and tells you where you comply and fall short.
- User-friendly, color-coded dashboards make it easy to see your organization’s compliance posture in one glance and to track workflows task-by-task.
- ROAR compares and contrasts compliance requirements of more than a dozen frameworks to help you avoid repetition, making compliance more efficient.
- Vendor surveys help ensure third-party compliance. ROAR generates and sends these for you and collects and compiles responses.
- Incident management ensures that you respond quickly and effectively to compliance issues as they arise.
- With Reciprocity ROAR and ZenRisk, you integrate risk management and compliance activities with all your business applications.
- Unlimited, in-a-click self-audits keep you apprised of your compliance posture and help prepare you for certification and regulatory audits.
- Our “Single Source of Truth” repository collects and stores all your audit-trail documentation for easy retrieval at audit time.
There’s a reason why some of the world’s leading companies rely on Reciprocity ROAR for top-notch, always-on regulatory, legal, and industry-standard compliance. Worry-free risk management and compliance is the Zen way. Contact us today for your free consultation.