Many companies are so focused on developing products and running their business that they ignore the growing need for a compliance management strategy.
According to the Verizon 2012 Data Breach Investigation Report, 92% of data breaches were discovered by third parties. This statistic tells me that most businesses only focus on compliance management when customers or partners tell them about a breach that has already occurred, or even worse, they see themselves on the news. By that time, however, it is already too late.
According to the same report, 97% of those attacks were easily avoidable. But if you’ve ever had to prepare for a compliance inspection, you know how easily it turns into a frantic scramble. So let me repeat: 97% of those attacks were easily avoidable. It’s not rocket science, it’s just sound business. Compliance directives encourage companies to act responsibly towards their customers, employees and business partners; to consider their environment and shareholders.
Consequences of a Compliance Violation
Remember the reason your customers, business partners and employees hand over their personal information and/or confidential business data to your organization. It’s because they trust you.
If their data is stolen because you don’t have the proper security measurements in place, then it’s you who must face the potential consequences. These consequences include hefty fines and penalties. And don’t forget the legal costs, the loss of reputation and the loss of your stakeholders’ trust and loyalty. Ultimately, you may face the possibility of losing your business. So, while the upfront costs of compliance might seem too much for your business at first, consider the ultimate costs if you don’t comply.
Requirements of an Effective Compliance Program
There are a number of compliance and legal issues of which you need to be aware (e.g, Foreign Trade Act, Payment Card Industry Data Security Standard (PCI DSS), SOX, Data Privacy, IT Compliance, Competition Protection Act, etc.). Although it appears to require a lot of work to create an effective compliance program, it doesn’t cost a fortune. You just need to keep the following seven points in mind as you build your compliance strategy.
1. Establish a tone from the top that supports compliance. Management participation is a crucial aspect of a compliance program. A strong commitment from upper management is necessary for your organization to effectively develop and implement a working compliance program.
2. Evaluate compliance directives and risks based on the products, services, markets and countries with which you organization interacts. Before starting a program, it is necessary to conduct a compliance risk inventory and assessment. This way, you can examine the risks your business could potentially face. Ask yourself questions like, “What troubles hit other companies in my industry?” “Where did my company almost fail?”
3. Study industry standards. Examine best practices as well as public comments and discussions about the compliance directives and risks you have already identified. You don’t have to start from scratch because most compliance directives are widely discussed and are available to the public.
4. Authorize external sources like consultants, lawyers, regulators, insurance companies or service providers. Use external sources like those just mentioned as a resource for guidance and for answering compliance questions. You can also use them for transferring the risk or part of the responsibility to a third party.
5. Train employees. Compliance training is essential not only to maximize employee compliance with laws and rules but to also minimize the risk of fines, litigation and adverse publicity due to non-compliance.
6. Involve compliance staff (e.g. compliance manager, security officers, data protection officers and legal) in the development process of new products and services to fully address the risks associated with these products and offerings.
7. Ensure the effectiveness of the program. Support an effective compliance audit function that identifies new or changing compliance issues. The audit should have the frequency and intensity commensurate with the organization’s complexity and size.
Keystone: By acting diligently and creating complete transparency within your organization or business, you invariably discover and resolve many hidden risks, saving you and your organization from easily avoidable losses.
Daniela Hagen is the compliance director at cleverbridge.