Compliance Sucks!

Compliance Sucks! If that’s how you approach compliance, it probably does suck. However, if executed properly, a good compliance program can not only allow management to sleep soundly at night, but it can also provide a competitive advantage. “Blasphemy,” you shout! Nay, I speak the truth. I can assure you that the benefits of a good compliance program far outweigh the negatives.

There are several ways to approach compliance initiatives. You can:

  • Plan, prepare, and execute your compliance strategy.
  • Fail to plan, but be nimble in preparation and execution (disruptive and no guarantee to pass).
  • Fail to plan and fail to execute (missing out on current and future opportunities).

Of these three strategies, the first is by far the best. Planning your compliance initiatives allows your company to build compliance into your normal business planning process. Planning ahead of time allows you to minimize both hard costs (dollars spent on your compliance program) and soft costs (internal resource time spent on your compliance program). Once your strategy is planned out, next comes preparation. Here is the sticking point. Frankly, when it comes to knowing how prepared you are to undergo a compliance audit, you don’t know what you don’t know. For many compliance audits, including SSAE 16 and SOC 2 audits, most first-time auditees begin with a Readiness Assessment. This allows the auditor to come onsite, review documentation, and identify gaps in your documentation or control structure. If you don’t have a control in place, you have time to remediate and implement the control before the audit period begins. Once you receive the green light to enter the audit period, you can execute the audit with a high likelihood of passing.

Here is a story of one of our clients who followed this strategy to create a competitive advantage in the marketplace:

We received a call from the CEO and COO of a startup company. They were two of the company’s three employees. They inquired about the SSAE 16 audit – the benefits, costs, deliverables, etc. We walked them through the process and explained that for many start-ups, the difficulty tends to be enhanced due to the fact that so few employees wear so many hats. They explained they had an angel investor willing to invest in the start-up, but one of the requirements for the investment was to undergo the SSAE 16 audit. This was because the angel investor had a significant amount of experience in the industry and knew the go-to-market value of the audit. Clearly, the investments in time and money were both important factors to take into consideration, but the CEO and COO came to the realization that if they were going to invest time and money, they might as well invest time and money into their own business. We are proud to say that three years later, the company has expanded to five separate locations and has plans to add ten new locations over the next two years. They used the SSAE 16 not only to gain a competitive advantage in the marketplace, but also as a tool to reassure the angel investor that the business had the proper controls in place to reduce investor risk.

The moral of the story: Plan to win by winning with a plan.

How many times have you woken up in the middle of the night thinking about the unknown? Sitting up wide-awake in a cold sweat is no way to live. For those who fail to plan for compliance, the fear of the unknown can be crippling. Will a new regulation require us to complete a specific compliance initiative? Will the RFP we receive next week require an SSAE 16 or SOC 2 audit to be completed by my company? Or worse yet, will one of our existing customers call me tomorrow and require that we undergo the SSAE 16 or SOC 2 audit? You vehemently reply “impossible” to the last question. You say your relationship with customers is too solid for a simple audit to get in the way of your long-term relationship. “Bull-pucky,” I say. Compliance initiatives are heading your way, and if you fail to plan, you had better hope your company is nimble enough to implement requirements quickly.

Here is a story of how one of our clients failed to plan, but was nimble enough to come out of the ordeal smelling like roses:

One of our client prospects had a customer relationship for 30 years. This customer was a government entity and was required to go out to bid every five years. As this was a lucrative customer, the competition to retain the relationship was becoming increasingly fierce. One competitor was able to develop a relationship with the customer’s compliance department. Unbeknownst to our client prospect, the compliance department included a requirement for all vendors to undergo the SSAE 16 audit on an annual basis. Since this SSAE 16 language was never a requirement in previous contracts, our client prospect uncovered the new language with less than 30 days to perform the audit and have a report in their hands. The client prospect called our firm in a panic asking if obtaining a report in less than 30 days was even an option. Luckily, this is where an SSAE 16 Type I audit comes in handy. The client prospect engaged our firm and was able to deliver the SSAE 16 Type I report to the customer by the deadline. Fortunately, the client ran a tight ship and had a solid control environment, or this story might not have had a happy ending. The customer, as most do, ultimately required an SSAE 16 Type II audit, which our client performed six months later. The client was able to retain the relationship with their customer and continues to service them to this day. The moral of this story is to be proactive with your compliance programs, because your competitors are ready and willing to swoop in and lure your customers away.

The moral of the story: Jack be nimble, Jack be quick, don’t let your guard down and get hit by the compliance stick!

Finally, there is the group that pooh-poohs compliance and basically says, “I am taking my ball and going home.” Well, for those companies, there are plenty of competitors who are more than happy to take their place in line. Let’s face reality: compliance initiatives – whether driven by regulators (the CFPB), customers, competition, or internal actions implemented to gain a competitive advantage over competitors who don’t have the audit – are not going away. It’s not a gimmick or a fad; it is here to stay. And no, I am not a doomsayer, I am a realist. The compliance train has left the station, and for those who have not climbed aboard, be sure to stop behind the gates and flashing lights, because that train is going to pass you by.

Here is a story of one of our client prospects who had a very lucrative relationship, but failed to undergo the SSAE 16 audit, which led to dire consequences:

A client prospect reached out to our firm because a big player in the utilities market was requiring a SOC 2 audit. A few of the big players in the industry had recently performed the audit and were maximizing their ROI by actively touting the fact that they had recently undergone the audit. The utilities customer had recently hired a new director of compliance. That person’s first step was to beef up the vendor management process to ensure all third-party vendors had the SSAE 16 or SOC 2 audit in place. Since the task being outsourced involved Personally Identifiable Information (PII) being managed by the client prospect, it was a natural fit for them to undergo the audit. However, the CEO of the client prospect did not feel it was a necessary expense for the company, even though the client’s value to the company was worth 20 times the cost of the audit. Needless to say, the utilities client pulled all their work and moved on to a different service provider – one who had the SOC 2 audit.

The moral of the story: Don’t trip over dollars while chasing pennies!

In conclusion, for those who say “Compliance Sucks!” it probably does. However, if your company properly plans, prepares, and executes the compliance initiative with a solid audit firm, you may end up saying, “I love compliance!” Okay, perhaps that’s an exaggeration, but you will at least be able to agree that compliance can be an integral part of your corporate strategy.

About the author

Tim Roncevich

Contributor

Tim Roncevich is the co-founder of SSAE 16 Professionals, a CPA firm specializing in SSAE 16 audits and other IT compliance reports. Roncevich is a Certified Information Systems Auditor (CISA). Roncevich is responsible for spearheading the SSAE 16 and SOC 2 methodology for the firm. Roncevich has performed over 200 SSAE 16 or SOC 2 audits throughout his career. Other areas of his expertise include operating system, database, and application control structures; IT security; protection of physical assets, including critical servers; and development and testing of IT general controls and change management processes.
