Taking the First Steps Toward Systematic Compliance

by Noah Webster

Compliance is an all-or-nothing obligation. But achieving compliance, by contrast, can be a slow and systematic process.
Large companies with expansive HR departments and armies of lawyers can throw a lot of resources at the effort. For small and midsize companies, however, ensuring that compliance is comprehensive and consistent tends to be a lot more challenging.
Smaller companies have just as much incentive to avoid the fines, lawsuits, and bad PR that come from compliance breaches. Yet they often lack the staff, expertise, and time needed to fully realize and implement a perfect compliance approach.
Here’s the hierarchy of compliance proficiency:
  • Ad hoc: Compliance lacks structure, accountability, oversight, and understanding.
  • Fragmented: A compliance committee exists, but activities are siloed and monitoring is inconsistent.
  • Defined: Key risk officers ensure that compliance is conducted systematically and regularly reviewed for necessary updates.
  • Mature: A network for compliance management and oversight is in place so that the enterprise coordinates activities throughout.
  • Optimized: A company considers every decision it makes through a framework of compliance. Meanwhile, the company makes considerable effort to keep compliance updated and proactive.
No company can afford to be ad hoc, yet deploying optimized compliance can also be extremely difficult. However, it’s not impossible either, even for companies that lack expansive in-house resources. Ultimately, compliance is about having the right tools deployed in the service of a smart strategy.

Making Systematic Improvements

Furthermore, companies must reach several milestones in order to move up the compliance ladder. The first occurs between fragmented and defined. Many companies have compliance strategies, but they’re not strictly defined or even written down. As a result, compliance efforts end up fragmented because no one knows exactly what to do.
Defining compliance is the beginning of an enterprise-wide compliance initiative. In addition to coordinating everyone’s activities, written policies ensure that staff departures don’t lead to broken rules and/or unfulfilled roles. Institutional knowledge must be recorded so that the next compliance manager can continue things seamlessly if the wrong person walks out the door.
The next milestone occurs between defined and mature. As important as it is to have defined compliance policies, the nature of regulations means those policies will quickly become out-of-date and ineffective. Mature organizations make an ongoing effort to anticipate rule changes, to forecasts risk, and to proactively prepare for both.
In this way, compliance is a lot like the scientific method. Companies start with a basic hypothesis — we are fully compliant — that they rigorously test and retest to confirm its truth. Then, when differences are discovered, they systematically root out the problem. First, the written policies are amended, then staff training education is updated, and finally, the solution is tested again. Considering that compliance is a moving target, it’s essential to have a strategy that can effectively adapt.

Adding Necessary Tools

The need to create a compliance policy is universal, but the details of that policy are unique to every company. In most instances, regulations outline a set of rules that must be followed and outcomes that must be achieved. Then it’s up to companies themselves to determine when, where, why, and how those rules impact operations. Eventually, all of those insights are reflected in the companywide compliance policy, which is updated as necessary.
Something that often gets overlooked regarding compliance is that companies must understand themselves as well as they understand the letter of the law. Knowledge of both is essential for aligning internal policies with regulatory requirements. Yet companies, particularly smaller ones, often lack the appropriate tool set needed to adequately record their actions and decisions.
Having an archive that automatically captures, stores, and organizes business communications should be considered a prerequisite for compliance. Without a detailed record of the interactions between internal actors and the public, it’s impossible to guarantee compliance or to understand why and how compliance is breaking down. Once an archive is in place, companies have the data they need to systematically study this issue.
Having a unified search feature within the archive makes this analysis much more efficient. Companies then can quickly isolate and discover communications with specific keywords, between certain parties, or on exact dates. Along with ease of search, accessibility is paramount for archiving. If an archive cannot be quickly accessed and searched, its content is merely a useless mass of information.
ZixArchive is designed to help companies understand their current stances on compliance before reaching the level above. This technology makes collecting communications and leveraging insights equally easy. In the process, it makes drafting compliance policies much simpler and the policies themselves more effective.
This is just the first piece in a series about optimizing compliance. Many more tips and strategies are forthcoming, but until our next piece, take a critical look at where your compliance efforts are compared to where they need to be. That’s the first step.
Posted: 5/13/2019 6:33:02 PM by Mark Beebe | with 0 comments

Recent Posts


3 Keys to Effective Managed Detection and Response for Financial Firms

by Geoff Bibby

View Blog Post


Zix Positioned by Independent Research Firm Among the Top Enterprise Email Content Security Providers

View Blog Post


Evasive Resume Phishing Campaign Distributed Multiple Malware Payloads

by David Bisson

View Blog Post