A new paper from C2 Labs tackles the two conflicting challenges that take up most of a compliance officer's time: the fear of failing an audit versus the cost of running an effective compliance program. While organizations increasingly treat compliance with cybersecurity regulations as a high-priority item, there is still substantial pressure to reduce costs, even when that means a responsibility is not being adequately addressed.
Based on findings from a number of recent studies, the paper provides compliance officers at all levels of organizational size with strategic pointers and suggestions for establishing macro-level compliance processes.
Compliance with regulations: Opportunity cost vs cash-in-hand
Compliance officers face constant pressure from both directions: failing an audit, or landing in a situation that leads to fines for the company, is a constant threat, but so is the perception that the compliance program is inefficient or consumes too many resources.
The pressure tends to increase the farther down the ladder a company sits in terms of size and revenue. Small organizations are held to the same standard of regulatory compliance and risk management, but must make everything work on a much smaller budget. Some large organizations that rely on many subcontractors, such as the US Department of Defense, have serious concerns about being able to field a full deck of vendors capable of keeping up with government cybersecurity regulations.
The C2 Labs paper describes this as the “fear vs. cost cycle.” The paper’s objective is to demonstrate how to break this cycle by reducing costs while simultaneously minimizing risk and improving productivity.
The first step is to pinpoint exactly what the main drivers of both regulatory cost and fear are. The first driver is simply the increased number of cyber attacks, which more than doubled in 2020. The second is the growth in regulation itself, at both the national and industry-specific levels. Not only is the amount of regulation increasing, but so are the fines; for example, HIPAA violation fine amounts increased by nearly 2% last year.
There are other significant drivers, however. One is that corporations are tending to shy away from cloud storage after too many high-profile data breaches in recent years, at least for storing proprietary information. Another is a general increase in maintenance costs: new systems are more complex than ever, and it is more costly to maintain connectivity with legacy systems that are difficult to replace.
Surveys also show that compliance officers have trouble focusing on the actual job of regulatory compliance. For example, 26% of a typical officer's time is spent liaising with different intra-organization control functions, compared with a mere 4% spent on amending policies and procedures. In general, compliance officers spend much more time responding to requests than keeping up with regulatory changes and proactively implementing the new measures they require. The problem becomes more acute as one moves down the scale of organizational size, with the CEOs of small companies often expected to personally shoulder a good deal of this burden on top of their other duties.
Automate and digitize the process of compliance with regulations
So how is this cycle broken when the main drivers only increase in potency over time? C2 Labs believes the secret is in a formula that breaks the process of compliance with regulations into four components, and then automates and digitizes these components as much as possible.
The first component is keeping up with developments in regulations, something that eats up a lot of a compliance officer's time in reactive and often unproductive work. Automation here consists of a digitization engine that can take in unstructured documents and feed them to digital objects exposed through real-time APIs.
The second component is the various data silos that exist around the organization: repositories holding things like Word documents and spreadsheets. Compliance officers generally have to go through department members to manage access to these troves and the workflow around them. Automation in this area consists of a centralized platform composed of modules for each business unit, which the compliance team can then access independently and as needed.
The third component is customer applications, where the central problem tends to be that they are handled manually. Automating this process yields an obvious efficiency benefit.
The final component, deriving outputs from the various business units, ties into the previous points to some degree. As with the conversion of data silos into modules managed by a centralized system, the central idea is to make reports and dashboards from across the organization available to the compliance team as needed.
Naturally, C2 Labs offers a compliance management software product that does all of these things. But even for readers not interested in that particular product, the ideas presented in the paper are sound and might prompt organizational decision-makers to consider similar software solutions to aid regulatory compliance and even provide a competitive advantage.