How to Lower Your Compliance Costs: Just Add Risk

APIAPI IntegrationArticlesCase StudiesComplianceDashboard ReportingDoDFindingsGRCIssue ManagementReportingRisk AssessmentRisk ManagementSOC 2StrategiesVideos
Written By John Paul Tran

Compliance is costly, time-consuming and often frustrates one or many in the company. It should not. Here are simple mistakes to avoid and processes to build that will help your company climb the compliance mountain with relative ease. 

B2B “I need that SOC Report and I need it now!”

If you’re selling or buying B2B these days, audit firms love you, and , your company is likely looking at or already maintaining a certification for ISO 27001, AICPA SOC 2CMMC,  PCI DSSHiTRust and/or managing compliance an industry regulatory requirements, FFIEC, SOX, HIPAA, etc. 

It’s always a great moment when your sales rep asks you for your SOC report, right? You know you have finally arrived! 

Check out my VERY expensive…“free checklist!”

Many companies are advised or choose to approach implementation security standards through the lens of compliance. This is a typical compliance-guided approach:

  1. What does the standard require my company to do?

  2. Do I have a policy and control in place to what is required?

  3. How often do I need to do it?

  4. Am I or who is doing it?

  5. How can I demonstrate that it is being done?

It seems relatively simple on the surface, and a whole industry of “GRC Compliance” products are now available to help you implement your process. Many even offer a checklist, so here’s one we hope you will also find useful…

How can simple be wrong?

So, is it this simple? The answer is not only ‘no’ but ‘no, and if you are doing it this way, you may be costing your company a lot of time and money.” 

Why? Well, you are essentially forcing yourself to do any or all of the following:

  1. Creating a very expensive checklist

  2. Repeating processes year over year, generally in ‘panic mode’ to meet annual audit needs.

  3. Implementing controls that you do not need

  4. Adding unnecessary financial and workload burdens to your company and team

Risk as the Guiding Principle of Compliance Management

Before you hit that panic button and start building policies and controls against either the certification that your sales team needs, or your industry regulatory requirements, we encourage you to follow this process. It will save you time and money and create a continuum of compliance that is both meaningful and manageable. Our customers agree…

ASSETS: This will tell you what you need to protect.

  1. Make an inventory of the assets that need to be in scope for compliance. If you don’t have a building, why purchase sprinklers? Don’t start with controls – start with what needs to be protected…

  2. Rate each asset in terms of its value to the company (often referred to as an Impact Analysis)

RISK: This will help prioritize which controls to implement 

  1. Now, you know what you’re protecting, you need to decide what to protect it from. You might think of this in two layers:

  2. How “big” is the risk if I do nothing (often referred to as Inherent Risk and Likelihood)

  3. How “big” if I do something (Residual Risk and Likelihood)

  4. Often, the above are completed in a Risk Register. For more information on how to build a risk register, read this article.

Now you know both what to protect and which assets are most important, and what are your biggest risks, which assets they impact and, therefore, what should take priority. 

Armed with this information, you can now do the following:

  1. Build policies and controls that are meaningful to your organization

  2. Limit the scope of your compliance work to save time and money

  3. Limit the scope of your audit to reduce the opportunity for discovering costly corrective actions

Continuous Monitoring – Our cherry on top of your sundae

Much as by following this process you are limiting the amount of data under management which will save time, it is likely, nonetheless, that there will be a significant amount of data to manage. Importantly, how do you keep track of this on a year-round basis? 

Remember, certification and compliance is not a one-off. Most require annual recertification, or at least surveillance audits. 

These three core automated processes can alleviate a major burden to your team:

  1. Risk Mitigation (mitigation of findings/corrective actions)

  2. Evidence Collection

  3. Policy Review

Automation is simply right

If your processes for any of the above are manual in any way, you will lose time. That’s why C1Risk provides a fully integrated, automated platform to manage your regulations, assets, risks, policies, controls and issues.

Why manage any of that data in isolation? 

In conclusion, security begins with good governance and rarely does one process exist in isolation, so our humble advice to you is to build a process, not push panic buttons, and use a solution that supports the full lifecycle of that process. 

Related Articles:

How to advocate for your security compliance and risk management program

Five ways to stop burnout among your security professionals

John Paul Tran
Previous

On-Demand SSP and POA&M Reports
Next

The FDIC Incident Reporting Rule is No Small Challenge for Financial Institutions