"The fact of obeying a particular law or rule, or of acting according to an agreement" sounds mildly better than Cambridge's other definition, "the act of doing everything that someone tells or wants you to do." In this third installment, we want to explore compliance further, as it arguably receives the most attention in GRC programs. Important, yes. Critical, yes, for many organizations subject to a heavy regulatory hand. As we dive in, we'll demonstrate not only the importance of compliance but how it is both complementary to and distinct from risk.

The Basics

Compliance efforts and related programs cover a broad ecosystem for many organizations, including not only their ability to meet external regulatory requirements but also their internal policies and procedures designed to ensure proper conduct: legal, ethical, and organizationally consistent. The compliance team may also manage internal audit and oversight teams responsible for evaluating the performance of various functions.

External compliance requirements vary by industry or region, but there are broad categories that affect most:

  • Data protection and privacy regulations
  • Financial reporting standards
  • Industry-specific regulations with oversight from local, state, or federal agencies
  • Environmental regulations
  • Employment laws
  • Anti-corruption laws
  • Health and safety

Internal compliance is also varied and typically a function of organizational size, maturity, and complexity:

  • Code of conduct policy
  • Governance policies
  • Policies defining an internal process such as service-level-agreements
  • Quality control standards
  • Procurement and supply chain procedures
  • Financial controls

Compliance Risk

So, what happens if we're non-compliant? Let's get the obvious out of the way: for some (although the numbers are increasingly sliding towards the many), it can lead to fines, legal action, or operational disruption. Organizations are therefore at risk of being non-compliant. Here are some overlapping examples:

  • Regulatory Risk – failing to comply with laws, regulations, and industry standards applicable to the organization's operations.
  • Operational Risk – inadequate or failed internal processes, people, and systems.
  • Legal Risk – lawsuits, fines, and other legal penalties due to non-compliance.
  • Financial Risk – financial losses, fines, and penalties resulting from non-compliance.
  • Reputational Risk – damage to an organization's reputation and brand due to compliance failures.
  • Data Privacy and Security Risk – mishandling sensitive data or experiencing data breaches that violate privacy regulations.
  • Corruption and Bribery Risk – employees or third parties engaging in corrupt practices that violate anti-corruption laws.
  • Quality and Safety Risk – failing to meet product/service quality and safety standards, potentially leading to recalls or penalties.
  • Social Responsibility Risk – failing to meet stakeholder expectations around ethical business practices and social responsibility.

If we're at risk of being non-compliant, then why is there a tendency to overemphasize a binary approach to compliance management? Sure, any number of compliance controls require a simple check-the-box approach to ensure adherence: either yes, we are doing it, or no, we are not. There are, however, an increasing number of controls requiring what historically was described as a "more mature" approach, which in reality means adopting risk-management best practices. By treating compliance in the same manner as other enterprise risks, we can measure and evaluate the effectiveness of our compliance actions and advance beyond legacy efforts that demonstrate only completeness.

Security, Compliance & Risk

As a key organizational function, security is not immune to compliance pressures. External requirements are only increasing, with demands that have moved well beyond basic reporting and control-adherence metrics. Material cyber incidents now require detailed accountability. Organizations must demonstrate their cyber risk management strategies with evidence that extends beyond binary controls. While this is challenging, it creates an opportunity for security teams to partner more collaboratively with their compliance and enterprise risk management counterparts to build a more effective internal controls environment. Like any other business function, security requires oversight, and mechanisms like internal audit (or inspection, oversight & control) teams should not serve as a point of friction, but rather as a methodical and consistent approach to monitoring control adherence and evaluating how well each control supports related cyber risk management objectives.

For security teams, an investment in self-awareness through continuous monitoring and evaluation (1) integrates compliance into the broader fabric of risk-based security posture management so that (2) we can actually demonstrate the efficacy of controls (and/or the actions we need to take) in reducing the organization's cyber risk exposure. A key objective at Pellonium is helping organizations realize the benefit of an operationalized GRC effort where each element is not viewed in isolation, but as part of a unified whole in which security is aligned to the business (i.e. as an enabler of its key objectives), continuously maturing and confidently adaptive to an ever more complex and dynamic environment.

To learn more, please visit www.pellonium.com.