“We’ve got someone for that.”
I hear it all the time. When in doubt, a manager will explain that they have a person who has mastered something, and because they have that person, they are no longer at risk of exposure to a particular outcome or threat.
The problem with this thinking is that it assumes you can rely on a person in the absence of a process. And on occasion, that’s true. People solve problems all the time. But when it comes to risk management, relying on a person is no substitute for a process. Regulations and requirements are evolving too quickly and the costs associated with surprises discovered during audits are too high.
I’ll give you an example. A national retailer relies on an individual to manage its PCI compliance. The individual is well-versed in PCI language, controls and standards. They understand the information architecture behind the transaction process and diligently study the protocols required to maintain compliance.
But the individual is not omniscient or omnipresent. To be PCI compliant, an organization must secure not only cardholder data and the systems that touch it, but also any system that could potentially see the transaction.
Without the compliance individual’s knowledge, the retailer changes its cashwrap configuration and exposes itself to unforeseen risk. Without real-time, all-the-time transparency into their compliance status, organizations fall victim to best practices that no longer apply to reality.
In other words, people failed where a process would have succeeded. The root of the problem is that individuals, such as a Compliance Officer, cannot enforce policy across an organization without a process. In many cases, departments within an organization violate compliance regulations or contractual obligations, harming the company, and the Compliance Officer is the one held responsible despite having neither organizational accountability nor a process behind them. Process makes everyone accountable for adhering to the company's policies and procedures.
In many ways, the argument for Continuous Compliance & Assurance (CCA) and outsourced expertise is less about criticizing in-house teams and more about recognizing the natural limitations that prevent them from being successful. Without tools to make risk management transparent and predictable and without the expertise that anticipates and understands the complexities of modern transaction environments, the in-house team is doomed. And oftentimes, it isn’t really their fault.
Savvy companies have a process for risk management that includes people, both in-house and outsourced, to support it.
By Jeff Brown, VP Sales & Marketing