Compliance is critical for many industries. Finance, banking, healthcare — virtually all companies, at least in the United States, beyond a certain size or publicly owned face compliance rules. And with GDPR coming on May 25 and new regulation emerging worldwide, compliance is an issue the world over.
Penalties for violations can be huge, and non-compliance is practically a welcome mat for cybercrime, resulting in loss of reputation and financial disaster.
Whether you are an IT pro or service provider, you cannot create a compliance plan unless you understand the current state of your business. That requires an in-depth and disciplined assessment.
RapidFire Tools Inc., which supplies HIPAA-compliance assessment tools, surveyed MSPs about the value of assessments. It found that service providers use these assessments to start conversations with new prospects, and ultimately gain new clients. One MSP respondent increased revenue by over $12,000 a month.
According to the Kaseya 2018 MSP Benchmark Survey, 52 percent of MSPs worldwide (and 55 percent in EMEA) offer compliance assessments. These assessments benefit the MSP and its customers, providing the MSP with opportunities for new revenue streams as well as awareness of changes that must be implemented to protect both businesses.
Accounting, consulting, and technology firm Crowe Horwath has a step-by-step process that starts with defining the goals. “Assessments work to determine the scope of compliance activities throughout the organization, the effectiveness of the compliance program, and to what extent the organization’s culture is conducive to compliance activities. An assessment can give the organization an idea of its compliance program’s strengths, weaknesses, and areas in which it can improve,” the firm explains.
Assessors should not have to start from scratch; they can rely on existing documents related to compliance. “Examples of relevant documents that typically are collected and reviewed during an assessment include:
- Organizational charts of executive leadership and the compliance office
- Policies and procedures related to the compliance office or high-risk areas
- Examples of employee compliance training exercises and samples of communications made to employees about compliance code of conduct
- Samples of compliance monitoring and compliance work plans
- Previous compliance program assessments
- Compliance risk assessments and compliance risk assessment policies”
Getting to Know the Players
Assessors need to not only understand the organization’s structure and roles, but also get to know the people themselves. This can be done through interviews. The document review helps prepare assessors for these conversations. The goal is to understand how well key players understand compliance and if they are able to define their risks and take action to mitigate them.
Individuals who might be interviewed include people directly responsible for managing compliance, employees whose jobs require following compliance guidelines, and business leadership.
Conducting Gap Analysis
A Gap Analysis will show where the organization is already in compliance and what steps need to be taken to ensure complete adherence. The analysis “should reveal existing compliance program trends within the organization, including program strengths and opportunities for improvement. In addition, the assessor should make recommendations to the organization based on best practices observed in leading organizations that are of a similar size and structure to the one being assessed,” the firm explains.
This should all be codified in a final report that defines what is good and recommends specific improvements.
Financial advisory firm Deloitte explains why a general risk assessment isn’t enough for compliance in its whitepaper, “Compliance risk assessments: The third ingredient in a world-class ethics and compliance program.”
Many organizations may think they are all set with compliance because they have performed a risk assessment. However, compliance and risk, while related, require different processes. “How is a compliance risk assessment different from other risk assessments? Organizations conduct assessments to identify different types of organizational risk. For example, they may conduct enterprise risk assessments to identify the strategic, operational, financial, and compliance risks to which the organization is exposed. In most cases, the enterprise risk assessment process is focused on the identification of “bet the company” risks – those that could impact the organization’s ability to achieve its strategic objectives,” Deloitte explains.
“The compliance risk assessment will help the organization understand the full range of its risk exposure, including the likelihood that a risk event may occur, the reasons it may occur, and the potential severity of its impact. An effectively designed compliance risk assessment also helps organizations prioritize risks, map these risks to the applicable risk owners, and effectively allocate resources to risk mitigation.”
Who Does What?
Once you identify who is who and who does what, you can define clear assignments. “Establish clear risk ownership of specific risks and drive toward better transparency: A comprehensive compliance risk assessment will help identify those individuals responsible for managing each type of risk, and make it easier for executives to get a handle on risk mitigation activities, remediation efforts, and emerging risk exposures,” Deloitte advises.
Part of this is an assessment that calls for clear steps. “Make the assessment actionable: The assessment both prioritizes risks and indicates how they should be mitigated or remediated. Remediation actions should be universally understood and viable across borders. Be sure the output of the risk assessment can be used in operational planning to allocate resources and that it can also serve as the starting point for testing and monitoring programs,” the firm concludes.
Compliance work is never done, Deloitte cautions. “Treat the assessment as a living, breathing document: Once you allocate resources to mitigate or remediate compliance risks, the potential severity of those risks will change. The same goes for events in the business environment. All of this should drive changes to the assessment itself,” Deloitte writes. “Periodically repeat the risk assessment: Effective compliance risk assessments strive to ensure a consistent approach that continues to be implemented over time, e.g., every one or two years. At the same time, risk intelligence requires ongoing analysis and environment scanning to identify emerging risks or early warning signs.”
To discover more best practices for surviving a compliance audit, download the whitepaper, “Compliance: How a Layered Approach Helps you Breeze Through Audits,” and to see how MSPs can turn assessments into a revenue stream, attend the on-demand webinar, “Compliance Audits: The Opportunities and Risks for MSPs.”