
IT compliance: When regulations get too diverse, they become roadblocks

Can an integrated approach bring some relief?

The rules and regulations that ensure how we secure and control information technology (IT) are as diverse as the world itself. An integrated approach can help solve the IT compliance conundrum. Explore how.

Diversity can be a source of strength, knowledge, and creativity. However, there is one realm where much of the business community laments global diversity—the area of regulatory and legal compliance. Around the world, the multiplicity of standards, laws, and regulations that establish expectations for how IT systems are secured and controlled present a major challenge to organizations that operate across industries or beyond their home borders.

IT compliance: A complexity only getting compounded

The ubiquity of and our dependence on IT, overlaid with numerous jurisdictional, industry, and even contractual obligations, can create a daunting labyrinth for organizations to navigate as they pursue profitability and growth. Entering new markets, expanding to new geographies, developing new products or services, and cultivating new clients get trickier in such a scenario.

Unfortunately, many organizations take an “everyone for themselves” approach to compliance. This practice rarely yields good outcomes, as it lacks continuity and focus, dilutes responsibility, drains internal resources, increases costs, and creates a drag on competitiveness and profitability.

Larger entities tend to operate across multiple geographies and thus must deal with greater complexity and its associated costs. Also, heavily regulated sectors such as finance and health care would seem to have more incentive to get their compliance houses in order, yet the sheer volume and complexity of applicable laws and regulations often overwhelm the best intentions. With few organizations having fully optimized their IT compliance programs, will an “integrated” approach to IT compliance management work better? We think so, and here’s why.

IT integrated compliance: A holistic approach for a streamlined system

Imagine a business that has operations in both Europe and the United States. Its American division is responsible for meeting the requirements of the California Consumer Privacy Act (CCPA), while the European unit addresses the EU General Data Protection Regulation (GDPR), with no collaboration between the two. This siloed approach, while perhaps making sense from an operational standpoint, fails to recognize the many overlapping requirements of the two laws and does not leverage the similar controls and reporting requirements of each.

One look at the entire universe of IT-related rules, laws, and regulations that govern the activities of multinational organizations reveals an abundance of commonalities, and with them the opportunity to leverage those commonalities for competitive advantage. When an integrated IT compliance program is functioning effectively, redundancies are eliminated, efficiencies are gained, resources are optimized, and risks are reduced.

Adopting integrated IT compliance—daunting but doable

Global regulations, regardless of jurisdiction, typically focus on similar threats and require similar mitigating strategies, making the global compliance challenge more manageable than it may seem at first. Here are a few observations and suggestions to get things rolling:

Involve and educate relevant stakeholders across your organization to define a formalized governance structure for your compliance program as early as possible.

Take inventory of your compliance requirements and understand how they align across the organization—and not just within IT.

Create a plan that is reasonable and manageable and matches your personnel and budget. Set attainable milestones and closely track progress.

Oftentimes, key personnel—finance, IT, in-house counsel, etc.—don’t know what claims are being made to partners, customers, regulators, and other stakeholders. This disconnect can present significant problems if left unaddressed.

Compliance roles, responsibilities, and impacts extend far and wide, both within and outside the organization. Take a full inventory of all stakeholders.

Roll into your calculation the cost of controls, tools, reporting, personnel, etc. If it’s larger than you expected or hoped, action may be warranted.

In some cases, integration activities may have already taken place, which will put you ahead of the game. Use any previous or ongoing integration initiatives as a springboard.

The next steps: Doing things right across multiple dimensions

As you embark on your integrated IT compliance journey, consider taking these steps:

To develop a clear picture of your present status, inventory existing risks and controls; identify current roles and responsibilities; and compile current reporting requirements.

Examine and document risks across the entire legal, regulatory, and contractual universe, to determine your exposure and to reprioritize consistent with your risk appetite.

Find similarities and overlaps across all your documented risks, controls, and reporting requirements.

Take a hard look at your compliance frameworks, tools, policies, procedures, processes, and controls. Identify redundancies and opportunities for consolidation.

To drive accountability for the overall program, create a governance structure, including the reallocation of roles and responsibilities, as needed.

Develop an integrated testing framework that includes relevant and useful metrics and KPIs.

Develop education and communication plans to support your integrated compliance efforts.

Early warnings and timely interventions can prevent small problems from escalating.

Just as you mapped and consolidated controls, do the same for your reporting requirements.

Integrated compliance will require an alliance

While regulatory requirements may seem disparate and convoluted from afar, upon closer scrutiny, many commonalities may be identified that can be leveraged to advantage. A thoughtful analysis that maps and correlates IT-related requirements across a company’s geographies and frameworks can be eye-opening, revealing the untapped potential for efficiencies and effectiveness.

Leaders need to recalibrate their thinking around IT compliance, devoting upfront time and resources to develop a well-thought-out plan. Roles must be clearly defined; accountability for the day-to-day program and its progress must be established. Many organizations have found that the use of consultants can provide needed expertise and specialized skills to help ensure the program rests on solid footing and that the long-term outlook is positive.

Comply, then fly.

Get in touch

Brandon Brown
Managing Director | Deloitte Risk & Financial Advisory
Deloitte & Touche LLP

Chad Phillips
Managing Director | Deloitte Risk & Financial Advisory
Deloitte & Touche LLP

Dasha Seleznyov
Senior Manager | Deloitte Risk & Financial Advisory
Deloitte & Touche LLP
