Compliance professionals have a quiet struggle every day.
If you talk to them, you’ll hear that fear and uncertainty are constant companions. They’re worried that they’re going to miss something in a compliance review. What happens if you miss a critical problem in compliance? At a minimum, you look bad to your boss. It can quickly get worse though. You might have to tell auditors, government regulators, and others about the problem.
How do they go about solving that problem? They dive deep into manual compliance work and discover why it doesn’t scale up.
Are You Suffering the Pain of Manual Compliance?
On a certain level, heroic manual compliance work is admirable. You see a compliance analyst building checklists, interviewing other employees, and checking systems. Then, the next morning, he double-checks everything again. From a certain perspective, this approach works. Yet, it’s painfully manual. At a certain point, you just can’t ask employees to log any more hours or use out-of-date tools.
What happens if you continue to operate with a manual compliance process? Your department will struggle to take on more work as the company expands. You’ll be forced to explain why compliance, which is already perceived to be a cost center, needs yet more funding. To avoid those awkward conversations, take a step back.
What Does Effective Compliance Look Like?
The answer will depend upon your industry, risk perspective, and capabilities. Let’s say you’re in a large bank. That’s one industry where you face high expectations for compliance. An effective program will generally include the following:
- Compliance policies and procedures: Do you have a clear policy that sets out principles for compliance? Keep in mind that these documents have to be easy to understand and written in business terms.
- Compliance testing: Question whether compliance staff members get out of their cubicles and test the compliance of other staff members.
- Compliance systems and tools: Ideally, you want to use automated compliance software that automatically keeps records. If you rely upon spreadsheets, you’re likely to have problems with data integrity. Unless you have robust training, it’s easy to make mistakes in formulas and data in a spreadsheet.
- Continuous improvement program: No compliance program is perfect. That’s why we recommend you set aside regular time to identify improvements.
- Human resources issues: There are two dimensions to this element. First, question whether the compliance department is properly staffed with qualified staff. Second, what’s the quality of your compliance training?
Honestly, running a full program is difficult. You need to find a way to save time without compromising the quality of compliance.
How to Automate Compliance
There are several ways to automate compliance activities. Job number one: identify and eliminate low-value compliance tasks. If you skip this step, you’ll automate tasks that just don’t matter. For more background on this step, we recommend The 80/20 Principle by Richard Koch. Start by looking at any paper-based processes, as those tend to have a high degree of waste and duplication.
After you’ve eliminated those areas, look for automation opportunities. Use the following list of ideas to start your automation journey:
- System testing: You can use automated processes to evaluate all your systems. For example, schedule a task to randomly test servers for compliance with your IT policies.
- Outstanding audit issues: Some audit findings are more complicated to close than others. If you have a significant audit finding, a major automation overhaul may be a smarter choice. Invite your auditors to participate as stakeholders in the process.
- Compliance records: Are you still manually filing compliance emails, access records, and data? Those activities are likely the easiest ones to address.
Some of you might object that your IT department has no spare capacity. It’s a common excuse we hear when compliance automation comes up. The answer is to leverage new technology to free up time.
Ways to Leverage Docker Containers
Docker containers weren’t built for compliance departments. If you approach this technology creatively, though, it can help compliance win. Will container technology eliminate the need for testing and training? No; instead, containers help to automate compliance in a few other ways:
- Save time on repetitive tasks: What’s the difference between an assembly line and an IT department? If you make IT staff do the same configurations over and over again, then there’s not much difference. Use containers to eliminate repetitive configuration work.
- Reduce IT attrition: What happens to IT productivity if you’re constantly losing employees? You’ll feel like you’re always falling behind on your goals. By using containers and other innovative technologies, you’re likely to reduce attrition. Further, you’ll have a more engaged IT workforce that’s eager to take on new challenges.
- PCI compliance: Maintaining PCI compliance is critical if you accept credit card payments. You can automate aspects of this compliance work by building containers.
If you’re running a software company, leveraging container technology is even more important. Your developers are going to expect it to happen.
After You Start Saving Time, What’s Next?
Let’s say you save 10 hours of work effort per month with automated compliance. That’s not enough of a reduction to change staffing levels. However, it’s enough to warrant other options. What other projects could you pick from your wishlist? Let’s say you’re concerned with risk and security issues across the enterprise. Consider working on the following issues:
- Improve the employee experience: Security doesn’t have to mean a degraded employee experience. Use a single sign-on software solution to save time for employees.
- Address password practices: Are your employees subject to password reuse disease? It’s one of the most common problems in the corporate world.
- Reduce access privileges: If you give everyone the same access privileges, you’re going to face a problem. Use the principle of least privilege to address this situation.