The most important but sometimes overlooked aspect of regulatory compliance is getting the buy-in of the people who will be doing the work. Getting management buy-in is a fairly simple matter of discussing economics and the negative impact that non-compliance has on the business. ROI, cost-benefit analysis, the impact of fines, loss of consumer confidence, and other easily tangible negative financial impacts are things that any manager can wrap their head around. The hard part is getting the message to the individual contributor who will be affected by any change process involved in implementing control objectives. Change is the hobgoblin of the individual contributor, because change usually means disruption and chaos while the kinks in the process are worked out.
Once the control objective is defined and the process that will determine success for that control objective is developed, the individual contributor is responsible for its implementation. For some control objectives the benefits are easy for ICs to see, and for some they are not. So the key to compliance adherence is twofold: communication and leadership. Most importantly, there must be a work-to-reward benefit for the individual contributor, or the control objective becomes just another random management-dictated task: one that is required for continued employment but not something that allows for any sense of contribution or perceived benefit.
The first key to compliance is to lead by example. No one in the organization is exempt from adherence to the control objective. This is the single greatest point of failure for any compliance policy, because if the individual contributor senses that the policy applies only to them and not to the rest of the company, i.e., management, the policy becomes a bone of contention. Management has to forge a relationship based on trust to achieve compliance. Any perception that there is a double standard for compliance will have more negative impact than the lack of compliance with control objectives itself.
The next key is that selling compliance requires a benefit. The individual contributor needs to understand the benefit to their job, or to the company as a whole, for the change in their work habits to be justified. So the processes in the control objective should be created with some benefit to the individual contributor, as well as to the company, in mind. Some compliance processes and methodologies come with built-in benefits. Automating a long-standing manual process gives the individual contributor a tool to perform a task with a predictable outcome. This makes the individual contributor's job easier. Making the individual contributor's job easier and more predictable is a benefit that is an easy sell.
Not all automation is perceived by the individual contributor as good or beneficial, however. Everyone has seen how automation has led to downsizing, or to the diminished sense of value that some individual contributors feel. Rather than reverting to a bully-pulpit approach to regulatory compliance as part of your company's framework, each control objective should be a well-thought-out process that provides tangible and attainable benefits to both management and the individual contributor. Where there is no tangible benefit, the communication must be clear about why this is important, how it benefits the company, and how that in turn benefits the individual contributor.
Auditors rely on repeatability to ensure that tasks are performed in such a way that each iteration is part of a complete compliance picture. Tasks that cannot be automated must be performed in a prescriptive manner where the results are predictable. Such adherence requires more than direction; it requires an understanding of the task and an understanding of the expected results. This understanding has value to the organization and needs to be cherished in a way that keeps the individual contributor feeling valued. Pressure to adhere for compliance's sake will be met with indifference, because the understanding of the task and its results will be used to the individual contributor's advantage and not to the advantage of the compliance effort. So there has to be a compelling value proposition that will make ICs want to contribute.
The linchpin between the individual contributor and the compliance effort is the front-line manager. Communication at this level is crucial to the success of any compliance policy implementation or change. This is where the value-proposition wrapper must have buy-in and where creativity in implementation must be fostered. Getting the rank and file to adopt new processes effectively to achieve compliance must come from a level of cognitive awareness of how important compliance is to the company. So what front-line managers need to provide is reinforcement of how compliance benefits the individual contributor's position, how the control objective benefits them, and how the change streamlines their work. The key to success at this level is not just dictating compliance but providing value to their job. The obvious objection is that not all compliance control objectives will be a positive change to their work. In these cases, compliance will need to be well communicated: why it is necessary, the actual benefit of the control objective to the company, and a request for their feedback on a better way to achieve success in each control objective. Acting on this feedback is critical, as this is the measure the individual contributor will use to gauge how management views their contribution.
This may sound a bit trite, and on the surface I would say that it is. However, any control objective that is worth implementing is worth the effort to gain compliance at the individual contributor level. Implementers should be willing to take the time and effort to plan for compliance adherence by including this value proposition for the individual contributor. These are the constituents who will ultimately be responsible for compliance, even if the control objective is as simple as logging out of their computers, locking their desk and file cabinet, and locking their office door before leaving, as part of a change to the company's asset security policy. The benefit to the individual contributor is the assurance that their workspace will be as they left it and that company assets, which include their work, are protected.
I have just come across one website which provides a wonderful tool to comply with regulatory authorities like HIPAA, and it also helps in complying with many other regulations. A crosswalk matrix poster between different regulations, a very useful tool for the compliance team and risk management office. This poster is a crosswalk between: ISO 17799, COBIT 4.0, Sarbanes Oxley, HIPAA, Payment Card Industry (PCI), GLBA, NERC standards CIP and PIPEDA (Canada). http://www.compliancehome.com/symantec/
Enforcement of compliance regulation is a must for many organizations, but implementing, establishing and maintaining the same is a tough task due to complexity and cost. The www.Training-hipaa.net website provides a wonderful and valuable template suite which any organization, small or big, can use to meet their compliance requirements for HIPAA, Sarbanes Oxley (SOX), FISMA, ISO 17799 or any other regulation/standard requiring business impact analysis, risk assessment, disaster recovery planning (DRP), business continuity plan (BCP) and Testing & Revision of Plan.