Saturday, February 16, 2008

Compliance as a Service Round 2

I just took a wander over to my buddy Ian Glazer's site as he has posted a retort to my compliance as a service rant.

I have offered one back, and of course 30 seconds after I hit submit, I realized I forgot something, a distinction that is key. Compliance is a state of okay-ness delivered through transparency (documented okay-ness) and determined by a set of standards generally developed by people with less expertise than those by whom the standards must be accepted and implemented.


Ian, I always love mixing it up with you.

I will respectfully argue that compliance is not about people, other than the operational change a person must execute to be compliant. I will also argue that because people are involved, more risk is present of not being in compliance.

Compliance in its purest form is group behavior modification that comes about by one’s behavior (’One’ referring to a company/organization/person) being made transparent and available for scrutiny. It is designed to make us honest, keep us honest, and provide a set of rules we all need to play by. In a way it’s a lot like art - people will interpret the same painting, sculpture, etc. different ways.

That is why the less we involve people in compliance the less margin for mis-interpretation can exist and the better off we can be.

Compliance is 100% cost at the end of the day, and companies have figured out that it is in their best interest to automate every process to be compliant, automate the measuring of that process, and communicate that the right process exists and will be followed, and that if it’s not, people all over the company will know, and know quickly.

It is different lenses looking at the same thing…

Wednesday, February 06, 2008

CaaS - Compliance as a Service

Compliance as a Service – The new frontier

I was stuck in Chicago the past two days thanks to mother nature, and I got to see parts of Michigan I had never seen (Saginaw), care of United Airlines. This meant I had lots of time to think about what-ifs. The big idea I thought about was something I had blogged about a while back – Compliance as a Service.

There is one absolute truth about compliance that is not open to interpretation –

The costs of Compliance are 100% costs to a business

What does a company get out of compliance that helps drive sales and generate revenue?

Is compliance merely insurance designed to keep us humans honest and ensure that we do what we say we do, and that there is a safety on the Howitzer?

I will say that the intent of compliance is good – increase transparency within an organization, set standards for what the transparency level needs to be and make sure that a few bad apples are known about as early as possible before they bring down entire companies.

What I don’t like about compliance is that the guidelines, for the most part, are open to interpretation. It’s what happens when people with little operational knowledge (lawyers and politicians) come up with ways to insert operational best practices into a system they know nothing about. It’s like me trying to improve on the intent of communism – in theory it’ll work. In reality it’s a cluster-f*** waiting to happen.

So what are alternative solutions to this spend? Reduce costs. Period. The interpretation will be there; however, in what I have lived through personally in the compliance realm (HIPAA, SOX, PCI) I have come to believe one thing above all else – do something. If the guidelines are open to interpretation, interpret them in a way that gives you and your auditors a defensible position, and monitor and improve the processes to reduce costs.

The new frontier is CaaS – Compliance as a Service. Fixed cost, consistent automated reporting, a defensible model for implementing and showing transparency. If the candidates out on the campaign trail do away with SOX, that would also be a great way to lower cost...
