Do You Have Double Compliance Standards?

Have you ever had that sinking feeling the day before an audit from a client? The wave of panic as you run around at the eleventh hour trying to collate and create evidence to prove that you have a diverse and robust compliance program, that your staff training regime is second to none and that your business continuity plan was fully tested just last week? That sinking feeling comes from the fact that you are not ready for the audit; and by ‘not ready’, I don’t just mean ‘not prepared’. I mean that you should not have invited the client to audit your adherence to regulatory laws and rules, or even tendered for their work, in the first place.

Sound harsh?

Not really. Not when you consider the implications and consequences of forging ahead within the financial services and consumer credit industries without proper adherence to, or regard for, the compliance standards laid down across the globe by regulators such as the FCA and the ICO, laws such as HIPAA, FISMA, the CCA and the FDCPA, and industry standards such as PCI DSS. The list goes on, but you get the message. Compliance is becoming a word so over-used that it is in danger of becoming a nuisance. As new regulators have taken over in the UK and more and more compliance and security breaches occur worldwide, the term ‘compliance’ is everywhere, and any term that becomes over-used can and will eventually be ignored or overlooked as its saturation level peaks.

Looking At Compliance A Different Way

Millions of organisations consider compliance to be a part of their organisation and industry, but ‘compliance’ in itself is a very vague term, and what it means to one sector differs greatly from what it means to another. For the purpose of this article, I am using compliance as a term, not just a word, with the assumption that it covers any area of business that involves following a set of standards, rules, laws or even guidelines. Examples range from information security and data protection through to treating customers fairly and PCI compliance.

The question at the start of this topic is “Do You Have Double Compliance Standards?”, so what do I mean by that? Answering honestly, if you work in an industry where compliance is a part of what you do, has there ever been a time (even once) when you, a colleague, a manager, a senior manager or a director referred to compliance as a negative? Comments such as “Compliance costs so much and takes so much time, I wish we didn’t have to bother”, “I hope the auditor doesn’t want to see too much evidence because we haven’t been recording everything”, “Why are these regulators so strict, don’t they know we’ve got a business to run”, or “Cancel the compliance training this week, we are behind on target and that is more important”. I could go on all day with this list, but I don’t need to, as I can guarantee that everybody reading this will remember some situation when compliance was a pain in the backside.

I also bet that if the next client or regulator who audits you just brushes the surface of your compliance program, doesn’t really go too deep, and agrees with you that the rules and regulations are a little overwhelming and that what you are doing on the surface seems to be okay, you would be more than a little relieved. But what you should be is insulted, outraged!

You should feel cheated if every single client and auditor through your door does not pore over your paperwork, systems and processes with a fine-tooth comb, actually looking for gaps and areas that need to be improved, because that is the very culture that the compliance industry needs to insist upon and start to cultivate. If we do not assess our peers against the same standards and expectations that we have for ourselves, the standards of security and fair treatment will go downhill very rapidly.

Every Cause Has An Equal Effect


Let’s go back to the scenario where the client or regulator lets you off the hook with your compliance audit and treats it as a tick-box exercise. You may be relieved, excited that your organisation has been awarded whatever certificate or licence you were being assessed for, jubilant that you just secured that high-profile client by getting a green light from their auditor. Are you still excited and jubilant when you realise that the big new client is part of the healthcare industry and somewhere in their databases are copies of your private medical records? How about the regulatory auditor who just gave you the green light; did you know that his next audit is with your bank? Not everybody works in an industry dictated by compliance, but I guarantee you that everybody is a customer of such an industry, and your personal, private and sensitive information is out there, in the hands of the very people who five minutes ago you were grateful to for not doing their job thoroughly. It may seem like a harsh explanation, but when you really think about it, it is the truth. Compliance can be a pain when businesses think about it in terms of the money they have to spend, the (wo)man hours they lose to it, and the extra effort, training and procedures that it necessitates. But you would be one of the first people up in arms if you found out that your doctor, bank, hospital, insurer or mortgage provider had these same thoughts.

When you cut corners, look for the quickest or cheapest way through, or put compliance at the bottom of your list, I guarantee you that a company somewhere that holds information about you is doing exactly the same!

What Compliance Should Be

The truth is that compliance is not just ‘another’ part of your company or another box that you have to tick. It cannot and should not ever be a section of what you do in your organisation; it should be everything that you do. There is NO organisation trading today, no matter how big or small, that can guarantee it is 100% compliant in all areas. I know this because it is impossible: every company on Earth has people at its core, and people, by the very definition of being human, make human errors. It is an unavoidable fact of life and it happens each and every day. What a company can and should be able to do, however, is assure you that it is working 100% of the time towards being compliant in every area, and that it has adequate systems, controls, training, internal audits, compliance teams, processes, policies and risk assessments in place to ensure this.

The old stigma that has surrounded compliance for the past few years needs to change, and it has to start with you. It doesn’t matter if you are at the top or the bottom of the organisation in which you work; what matters is that you think about your business’s compliance in exactly the same way as you think about your own information, or the way you want to be treated by the businesses with which you have a relationship. I guarantee you that when you start putting compliance at the top of the agenda and build everything else (including your revenue) around your commitment to compliance, your company will soar, because every cause has a like effect and you will forge a reputation among clients, regulators and customers as a company that puts those in a working relationship with you first. This is what great organisations are built on, not how much money you brought in last month or how many sales you made yesterday.

Picture being able to take a compliance audit at the drop of a hat and not even break a sweat, because you know with certainty that at any given point you are doing everything possible to ensure compliance. You should be challenging those clients or third-party organisations (such as suppliers or agents) who do not want to see your compliance evidence, or who do not look deeper than the surface during audits, so that raising the standard of compliance starts with you and filters throughout every industry dominated by it.