What Can Trigger the Need for Compliance Schemes?

From Security for Everyone, edition e1.0.0, updated October 9, 2023

For most of us, compliance schemes are a natural part of growing. There are hundreds of different regulations and compliance schemes around the world, and you may find your organization is subject to a number of different schemes depending on elements of your business model and operations.

Let’s take a look at the relationship between your business operations and the compliance schemes it may need to comply with.

Table: Operational Areas that Relate to Compliance

Operational detail: Your customers’ location
How it relates to compliance: Regardless of where your company is located or registered, many compliance regimes are based around the idea that the location of your customers is more important than where you are.

Often these regulations are set by the country or location in which these customers live.

Examples:
• Sales tax
• Privacy law

Operational detail: Your company’s registered location
How it relates to compliance: When registering your company, you agreed to follow the local laws and regulations of that place. These regulations often cover:
• Company management
• Director responsibilities
• Taxation
• Employment laws
• Health and safety
• Environmental protection

Operational detail: Your industry
How it relates to compliance: From finance to health, and from food production to mining, almost all industries have some form of regulation or compliance. Sometimes this is built to protect people and keep them safe; sometimes this is about regulating markets and preventing financial incidents.

Whatever your industry, it pays to know what compliance schemes apply.

Operational detail: The type and quantity of data you store
How it relates to compliance: Not all data is created equal, and as you will remember from our discussions on classification, the risk posed by collecting, processing, and storing some types of data can be severe.

Data types with considerable compliance or regulations include:
• Health and medical information
• Personally identifiable data
• Intellectual property

Operational detail: The way you handle payments
How it relates to compliance: Whether you handle credit card payments or do national or international transfers, there are compliance schemes and regulations you need to follow.

Some of these come from the banking industry, some from national governments, and some from the credit card providers themselves.

Getting these wrong can be the difference between frictionless payments and a lot of headache (and fines).

Operational detail: How your company trades
How it relates to compliance: Whether you are publicly or privately owned changes the way you have to operate.

Once your company lists publicly, you are held to the regulations of the stock exchange on which you are trading.

These regulations are enforced from your initial intention to list and all the way through your lifetime on that market.

How Compliance Regimes Work

There are two different regimes you should be aware of when working with a compliance scheme. The first regime covers the activities needed to achieve and maintain certification; the second regime is triggered in the event of a security breach or incident. Hopefully this second kind remains something you never experience, but it’s always best to understand what you would need to do if the worst were to happen.

Let’s take a look at each regime at a high level.

Achieving Certification

  1. Identify the scheme and level of compliance required. The first rule of compliance is to take compliance schemes one at a time. While they may all have some common themes, they each express themselves differently and it’s easy to conflate standards when you are rushed or dealing with many at once.

    Decide with your executive team which standard to pursue and make sure you have time, money, and people budgeted to get it done and maintain it each year.

  2. (Optional) Find specialist assistance to conduct a gap analysis of your current position. If this is your first compliance scheme or audit, or your team hasn’t got prior experience with the particular scheme you would like to achieve, it may be worthwhile to engage an advisory firm to help you understand how your current processes and operations compare to the controls and requirements you need to meet. While this process isn’t a formal audit, it will review your operations in enough detail to capture any remediation you need to do before attempting the full audit.

  3. Create a prioritized plan and make improvements. If you have had a gap analysis (or have done a review yourself) you most likely have some work to do before you can get through the audit. Make a plan and get to work. Remember that you need to make measurable improvements to your processes, not just superficial gestures. Auditors are really good at spotting a fake.

  4. Gather evidence and prepare for the audit. The time of your audit is approaching and it’s time to get ready. This involves two sets of actions.

    • Gathering evidence of the policy and processes you have in place to meet the compliance requirements.

    • Working with team members to prepare them for audit.

    Remember that the more organized your evidence is, the easier it will be to audit. Rock out your spreadsheets, reference specific evidence against controls, and don’t forget to add modification and review dates to your documents as you go.

  5. Go through the audit. In most cases, major compliance schemes will require your organization to be audited by a qualified and certified auditor. While not always the case, many organizations will use former or current chartered accountants for this role. This audit will be evidence-based and will compare the “as built and evidenced” controls and processes you have in place against the requirements of the scheme. For complex or large environments, the auditor may sample your systems, reviewing only a random subset of the total technology platforms or teams.

    There are a small number of compliance schemes that allow smaller (low-risk) organizations to self-assess instead of doing an audit. This can be a great way to make compliance more accessible to smaller teams, however, remember that in the event of an incident, the full incident review and audit process will still be triggered, so it’s in your best interests to take self-assessment seriously.

  6. Plan remediation for gaps. If the audit finds any gaps or controls that haven’t been met, the auditor will typically outline the gaps and work with you to plan remediation and reassessment within a certain time frame.

  7. Achieve certification. When happy that the controls have been met (or the risks identified have been managed or remediated), the auditor will recommend you for certification. In some cases, this is simply the issuance of a certificate that can be shared as a credential for the company. In other cases, the auditor will assume some liability for incidents should a breach occur in this newly certified company. It’s sort of like an auditor saying, “I think this place is good and I’m willing to stake my reputation (or insurance) on it.”

  8. Comply with reassessment as needed. You may need to repeat this certification or audit process on a regular basis (commonly annually) or when there is a significant business change.

In the Event of a Breach or Non-Compliance Incident

Breach events often come in two forms. The first is a self-disclosure, where you find you have made a mistake and failed to comply with an element of the scheme. You are obligated to report this to your governing body and they may choose to respond. In the second case, the failure may have been identified by a third party and disclosed to the governing body first, in which case an investigation will typically be launched.

  1. Identify the cause and resulting impact of the incident. Just like we discussed in our chapter on handling the unexpected, lapses in compliance or data breaches need immediate attention and investigation. Use your incident response plan to understand, identify, and isolate the cause of an incident as well as its impact (both internal and on customers or users).

  2. Notify the regulatory authorities as required for the scheme in question. If the breach relates to a failure to protect data or information that is protected by a compliance scheme or mandated as critical by a regulatory body, this incident might be “notifiable.” Notifiable incidents are ones that must be reported to the regulatory authority so that they can investigate and determine whether further action needs to be taken.

    Examples of regulatory or compliance schemes with notification requirements:

    • GDPR (General Data Protection Regulation). Privacy breaches including personally identifiable information.

    • HIPAA. Breaches exposing or involving health information.

    • Financial markets. Breaches impacting the material value or operating ability of a publicly listed company.

    • PCI DSS. Data breaches involving credit card information.

    Caution: This is by no means a complete list, and you should check your compliance requirements carefully to understand if and when you would need to notify a third party.

  3. Submit to a post-incident review/audit. In many cases, notifying a regulatory or compliance authority will result in that agency conducting a moment-in-time audit of your organization and processes. The aim of this activity is to understand if you were still compliant with the controls required at the time of the incident. If you are found not to have been compliant, there may be repercussions for your organization, directors, or operations.

    After this review is completed, the regulator will decide whether remediation work is required and whether your organization can continue to operate under their mandate.

Common Challenges with Maintaining Compliance

This section doesn’t provide everything you need to get compliant with one or more schemes but it should be enough to get you started.

Caution: Though we won’t ever admit it to our friends, both authors of this book are former auditors, so before we wrap up this section, here are some common mistakes we have seen in this space.

  • Poorly documented evidence that is impossible to replicate.
