Why Compliance Cannot be Delivered as a Service

My friend Mark MacAuley can always be counted on to stir things up. He’s seen plenty of enterprise deployments and architectures and comes at problems with a combination of Yankee ingenuity and healthy cynicism. Over on Identitystuff, Mark writes about offering Compliance as a service:

The new frontier is CaaS – Compliance as a Service. Fixed cost, consistent automated reporting, a defensible model for implementing and showing transparency.

Although the intent of Compliance is good, in Mark’s estimation Compliance is 100% cost with no positive yield to the bottom line.

The trouble is that Mark refers to Compliance as if it is an IT service that can be delivered like outsourced help desk or security management. Compliance, the Big “C,” cannot be delivered as a service. The Big “C” is the interplay between people, processes, and IT systems to achieve the mission of the business in the context of regulatory and market pressures. It isn’t binary; it isn’t something you have one day and not the next. This dynamic interplay requires continuous measurement and feedback loops to ensure that deviations are corrected and, ideally, prevented.

Compliance is a matter of controls – instituting a variety of controls and then charting the business’ distance in relation to those controls at all times. Let’s take a simple common non-business example. When a cop pulls you over for speeding, you often get asked two questions:

  1. Did you see that speed limit sign?
  2. Do you know how fast you were going?

This is a simple example of controls in daily life. To track towards Compliance, first, you have to know about the control – awareness of the speed limit. Second, you have to be aware of your relationship to the control – how fast you are going. Finally, you, as a safe driver and responsible citizen, have to continually measure your relation to the control – keep your eye on the speedometer, unless you want a visit from auditors or enforcement agencies.

Expressing, understanding, monitoring, and enforcing controls CAN be delivered as a service. These services, including controls documentation and controls management, address automated and manual controls for IT and non-IT systems and processes. And it is the delivery of these capabilities as a service that can reduce the cost of compliance.

Matt Flynn get’s in on the action and provides a crucial point, if indirectly:

I think there are definitely organizations out there that would love to have a third party who is willing to be an expert and own compliance for them.

It’s people! Compliance is People! This is the other piece of the puzzle and as Matt says, it can be delivered by a third party. Service providers, with deep domain expertise, armed with controls documentation and management tools, can provide holistic compliance services, and with a little creative thinking, a bit of indemnity insurance, they can truly own compliance for an enterprise.

The Big “C” Compliance cannot be delivered as a service, nor by Santa Claus, not for all the tea in China. But that being said, compliance experts and expertise bolstered by controls management and documentation services can help organizations track towards Compliance and be able to adapt as any of the variables in the Compliance equation shift.

(Originally posted over on Audit Trail.)

4 Replies to “Why Compliance Cannot be Delivered as a Service”

  1. Ian, I always love mixing it up with you.

    I will respectfully argue that compliance is not about people other than the operational change a person must execute to be compliant. I will also argue that because people are involved, the more risk is present to not be in compliance.

    Compliance in its purest form is group behavior modification that comes about by one’s behavior (‘One’ referring to a company/organization/person) being made transparent and available for scrutiny. It is designed to make us honest, keep us honest, and provide a set of rules we all need to play by. In a way it’s a lot like art – people will interpret the same painting, sculpture, etc. different ways.

    That is why the less we involve people in compliance the less margin for mis-interpretation can exist and the better off we can be.

    Compliance is 100% cost at the end of the day, and companies who have figured out that it is in their best interest to automate every process to be compliant, and automate the measuring of that process, and communicate that the right process exists, will be followed, and if it’s not, people all over the company will know, and know quickly.

    It is different lenses looking at the same thing…

  2. I have to say I agree with Mark – the less people are involved with the issue of Compliance, the better, and the more it can be systemised, the better.

    We have a tricksy issue with compliance our iPhone insurance for Financial Services Authority regulation (UK government body). And it is ALL about systemising the process – and that involves systemising people – as cold as that sounds. We have done it successfully, but it has taken a vast and expensive amount of time.

    And I remain unconvinced as to whether it has helped the consumer in any way, shape or form.

Leave a Reply