The position of compliance manager is more important in today’s business landscape than at any other point in time. What, exactly, is their function? Borrowing a reference from the smash hit Star Wars movie franchise, compliance managers function as the mindful C-3PO androids that oversee the ethical and legal standing of a company. Not only do they implement the necessary standards as derived from industry policies, they also have the capacity to enforce them.
As a business owner or upper management employee, you recognize the central importance of risk management; the compliance manager is actually the gatekeeper of all commensurate activities surrounding risk management.
At its root, compliance simply refers to the following of certain mandates that have been set out by an authority. By extension, then, compliance managers are overseers of the process of fulfilling directives; there are a handful of functions for which they are responsible in order to meet these goals. The development of controls to manage business risks is essential to this process because it allows weaknesses to be quickly and efficiently discovered, reported and handled via continuous monitoring.
As you can imagine, compliance tends to arrive in different forms, depending on the particular industry; although, of course, the general forms are similar to each other. Nonetheless, the compliance managers in your office should be technically familiar with the various types, and be able to smoothly transition between them. Star Wars is again useful here: the protocol droid C-3PO was able to communicate in at least six million different languages, which of course aided whoever it was helping at the time in their interstellar liaisons and trades. The point is, your compliance manager should be equivalently fluent when it comes to the different compliance regulations.
Specificity: Government Regulations and Compliance
The interplay of government regulations and compliance is as intertwined as it gets. As such, compliance managers must be familiar with their particular industry-specific federal regulations as well as have a broad overview of the general ones. Since the laws overlap, you won’t be able to properly instantiate the necessary controls without keeping abreast of them. Let’s take a look at a few examples:
- HIPAA: the Health Insurance Portability and Accountability Act, which was enacted into law in 1996, oversees the provision of data privacy insofar as safeguarding medical information is concerned. As you can tell by the name, it is primarily for the healthcare industry.
- ISO: This series of regulatory mandates comes from the Industrial Standards Organization; it was first established as ISO-27001 in a bid to develop compliance controls over the Information Technology landscape.
- PCI DSS: This is a regulatory mandate set forth by the Payment Card Industry Security Standards Council, formed in 2006 as a joint venture between the major credit card services: Discover, American Express, Visa, MasterCard and JCB International. It sets the standards for consumer security for businesses that engage in varying levels of credit card interactions per year.
- SOX 2002: This refers to the Sarbanes-Oxley Act of 2002, and again targets compliance in the healthcare industry, with the added caveat of invocation of financial penalties for companies that run afoul of the compliance mandates.
Together, SOX and HIPAA are essential to the Information Technology landscape, in that they standardize the controls with which compliance managers need to be familiar.
The Difference Between Government Regulations and Industrial Standards
In addition to the elevated authority that government regulations have over industry standards, there’s also the difference that industry mandates do not come with financial penalties. Government regulations, on the other hand, often come with these. Of course, it is more accurate to say that not following industry standards does not come with direct penalties; however, in a competitive environment, your company will suffer the indirect penalty of lost customer and B2B interactions if your practices are not up to standard as determined by the regulations.
If the C-3PO android was missing the ability to speak fluently in several hundred languages, interstellar consumers might opt for one that does; it provides the competition with fodder to brag about, at the very least. It can be tempting to think that being just a few hundred languages short of six million is forgivable, but not if your competition can do it and advertises the fact. In sum, then, make it a point to satisfy both government and industry regulations.
Assessing Risk: A Compliance Director’s Method
As a full-scope position, compliance officer covers both risk and compliance with multiple regulations. In fact, risk management serves as the springboard for the resulting compliance management program. Oftentimes, as with PCI DSS compliance, you require an assessment of risk before you can even begin to establish a program of the necessary scope to account for it. Once the risks are identified, your compliance manager needs to convene with the Board of Directors and the rest of the C-suite to apprise them all of the company's level of risk tolerance.
One example of the types of decisions that need to be made is workstation data storage. Storing company info on a computer that is never connected to the internet tends to be much more secure than storing similar data on a workstation that is in constant use by employees, especially if it is Wi-Fi-enabled. There will be protocols within the compliance management system on how to deal with different situations by first assigning a risk level to each; regulatory rules then make it easy to allocate protective measures.
Mitigating Risks with a Compliance Management System
Ultimately, a compliance management system is all about risk tolerance identification and subsequent management, especially as your business grows and more risk factors are introduced to it. You'll have to keep abreast of the new regulations and standards that manifest with corporate growth. Management software often plays an essential part in the process and can serve as the backbone of your compliance system.
About the Author
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.