the critical need to improve compliance processes · crackdown on cyber security lapses, which it...

Depending upon one’s perspective, compliance activities are either a fortunate fact of life for most organizations because they can minimize the risk associated with running afoul of various governmental and best practice obligations; or they’re an unfortunate part of doing business because of the cost and effort required to manage them properly.

The research discussed in this survey report paper found that most organizations must comply with a large and growing number of compliance obligations. However, compliance is time-consuming and takes already limited staff time away from other tasks, it’s fraught with risk because of the potentially severe consequences associated with a failure to adequately satisfy these obligations, and the current processes in place in many organizations are not adequate to meeting current compliance obligations, nor are they scalable to meet future ones. In short, compliance is necessary, but most organizations have not implemented the processes and tools necessary to manage the compliance process efficiently.

Executive Summary• The research conducted for this report found that a significant number of regulations and regulatory frameworks are important to the organizations whose compliance staff responded to this survey.

• The research also found that a large proportion of the individuals surveyed spend a large percentage of their time focused on compliance- or audit-related tasks, as shown in Figure Q1.

The Key RegulationsIn the United States, there are a number of important regulations that impose requirements on organizations, such as the following:

Financial ServicesThe Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), Dodd-Frank Act, PATRIOT Act, and Gramm-Leach Bliley Act (GLBA) – as well as other requirements – impose various obligations on financial services organizations. FINRA, for example, establishes requirements on the capture, monitoring, and archiving of broker/trader communications, and demands a supervisory review process. The Dodd-Frank Act has created the Financial Stability Oversight Council and implements a variety of supervision and oversight controls on financial institutions. The PATRIOT Act specifies an identity trail for customers opening new accounts.

GLBA imposes rules on the privacy of financial information about customers and sets standards on how to protect this information.

HealthcareThe Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes various requirements on Protected Health Information – information about an employee’s health that can be linked to his/her identity. There are various technology, policy, and procedural requirements to safeguard such information when stored and transmitted.

Designated High-Risk OrganizationsChemical manufacturing and energy distribution facilities, along with transportation operations, are designated as high-risk operations under the Homeland Security Act. Such organizations have security and recordkeeping requirements to which they must adhere.

Publicly Traded OrganizationsSarbanes-Oxley (SOX) requires that the financial records of publicly traded companies be retained for up to seven years and available for review by the SEC at any time.

Organizations that Serve the US Federal GovernmentThe Federal Acquisitions Regulations (FAR) require that contractors to the US federal government retain all records, both hard copy and electronic, for between two and four years. This covers organizations providing both goods and services.

Federal, State and Local GovernmentsThe Freedom of Information Act (FOIA) gives citizens the right to request access to records held by any federal entity other than Congress or the Judicial branch (most states and many local governments have similar provisions known as “open-records” or “sunshine” laws). The current administration has directed federal agencies to work in a spirit of cooperation with requesters under FOIA. While agencies can respond to FOIA requests in the order in which they are received, there are situations where expedited processing is required.

One of the problems with managing so many compliance policies is that the management problem is not linear. Because there are interrelationships between policies, such as managing the same data sets in different ways, managing 10 different compliance policies is more than twice as difficult and complex as managing just five. Consequently, the growing number of compliance policies that organizations must address means either that a growing share of IT resources must be devoted to managing these policies, or that new ways of compliance management must be found.

The research also found that most organizations must track a significant number of internal controls and business processes in order to become compliant with the various regulations and regulatory frameworks to which they are subject. As shown in Figure Q6, about six in 10 organizations must track in excess of 25 internal controls and business processes, and one in eight must track more than 100.

Here again, the growing number of internal controls and business processes that must be managed for compliance will consume a growing share of IT resources in order to properly manage unless a new way of managing these policies is implemented.

Compliance Management Requires Significant EffortInternal and/or external audits to verify compliance can be a painful and arduous experience. Compliance management requires significant effort and these audits can be frequent and time consuming, making them painful and arduous for those involved with them. As discussed later in this report, most decision makers would like a better way to approach the auditing process.

As shown in Figure Q7, the vast majority of organizations surveyed go through at least two internal and/or external audits each year, but more than 15 percent go through six or more such audits each year.

Tasks And Stakeholder Involvement Has To Be Properly ManagedThere are a number of tasks and various issues associated with stakeholder involvement that have to be managed as part of a compliance program. As shown in Figure Q5, the vast majority of the organizations surveyed have between one and five employees who are involved in compliance or audit tasks. However, more than one-quarter of those surveyed have at least six people involved in compliance audit tasks, while one in 14 have more than 20 people involved.

• The penalties associated with a failure to comply with the various regulations to which organizations are subject can be significant and can create a variety of both financial and non-financial consequences.

• The research found that one-third of organizations maintain more than 25 published policies and more than two-thirds maintain more than five such policies.

• The research also found that most organizations must track a significant number of internal controls and business processes in order to become compliant with the various regulations and regulatory frameworks to which they are subject.

• The vast majority of organizations surveyed go through at least two internal and/or external audits each year, but more than 15 percent go through six or more such audits each year.

• Nearly two-thirds of the organizations surveyed are using spreadsheets to manage their compliance process, but the use of spreadsheets is an inefficient way to manage the compliance- and audit-related tasks for all but the smallest organizations.

• Most organizations have not evaluated compliance and audit management products, but most are interested in the use of SaaS-based applications that would reduce the time required to satisfy their compliance goals and that would significantly reduce the costs associated with compliance management.

About This Survey and ReportThe survey discussed in this report was created, conducted and managed by KnowBe4. The survey was conducted with 1,872 individuals during December 2017.

As shown in Figure Q4, a wide range of organization sizes was included in the survey: 47 percent of those surveyed were small organizations (up to 100 users), 39 percent were mid-sized (101 to 1,000 users), and 15 percent were enterprises (more than 1,000 users). The goal of the survey was to understand compliance problems and practices across a wide range of organization sizes and industries.

Regulations And Compliance Are ComplexProper management of regulatory and legal compliance is complex. There are many regulations and compliance requirements for all organizations, and an awareness of these is essential to avoid the various penalties and other consequences that can result from non-compliance. Unfortunately, there is no single overarching regulation for all organizations, nor any single compliance action that will deliver everything that is necessary. The complexity is such that:

• Compliance regulations differ by nation, industry, legal jurisdiction and business function. For organizations that operate across multiple nations or across multiple industries, defining an internal compliance approach is fraught with complexity. It is a challenging task to reconcile the differing requirements and decide on the best way forward.

• Regulations can be in conflict and inconsistent, and so each regulation must be managed according to its own specific set of requirements in many cases. In the case of data retention, for example, the duration of retention for one regulation might require a data type to be retained seven years, while another regulation may require only three years of retention for that same data type.

• Compliance is a dynamic field, where new regulations are introduced to right certain wrongs, or regulations are revised to consolidate past attempts and bring them up-to-date.

Consequently, organizations must give high priority to proper compliance management capabilities to ensure that they are operating in alignment with current requirements and best practices. This is especially important given the changing nature of the regulatory landscape.

The General Data Protection RegulationProtecting personal data has been an important issue in the European Union (EU) for more than 20 years, and the General Data Protection Regulation (GDPR) takes data protection to a completely new level. In addition to a new set of legal requirements that necessitate both organizational and technological responses, the GDPR is applicable to almost every organization around the world that collects or processes data on residents domiciled within the EU, including permanent residents, visitors and expatriates. Compliance is thus predicated on the geographical location of the individuals about whom an organization holds personal data, not the domicile of registration for the organization.

This represents a sea change in how organizations must protect the personal data of anyone in the EU, and it may have implications for how they protect the personal data of non-EU residents, as well. Hence, the “General” Data Protection Regulation could better be called the “Global” Data Protection Regulation, and in light of the financial penalties associated with non-compliance, requires serious attention and action from all organizations doing business across Europe (including the United Kingdom post-Brexit), both in the EU and in the European Economic Area (EEA).

The Penalties Of Non-ComplianceThe penalties associated with a failure to comply with the various regulations to which organizations are subject can be significant. As just a few examples:

• The GDPR may impose major penalties for organizations that violate the rights of EU data subjects: €20 million or four percent of total global revenue for a list of serious offenses, and €10 million or two percent of total global revenue for less serious ones. Both fine tiers are levied based on whichever is higher.

• In December 2016, twelve firms were fined $14.4 million by the Financial Industry Regulatory Authority (FINRA) for their failure to retain records in a write once-read many (WORM) format. While this fine was ostensibly a failure of these firms’ archiving obligations, it is just as much an issue for the security of these records. The multimillion-dollar fine is in line with FINRA's broader crackdown on cyber security lapses, which it communicated earlier in 2016 as a regulatory and examination priority.

• The HIPAA Omnibus Rule of 2013 introduced changes to various privacy and security requirements in HIPAA in order to bring them into alignment with the Health Information Technology for Economic and Clinical Health (HITECH) Act. New provisions include elevating the duty of care for protecting personal health information among business associates and their subcontractors (in addition to covered entities), increasing the penalties for noncompliance to a maximum of US$1.5 million per violation, adding genetic information to the definition of personal health information, and expanding the coverage of types of electronic media, among others.

We anticipate that the penalties of non-compliance will become increasingly painful and expensive as existing regulations are modified and as new regulations are added to the mix.

The Problems of Compliance ManagementOrganizations Maintain A Large Number Of Published PoliciesThe research found that most organizations maintain a significant number of published policies. As shown in Figure Q8, one-third of the organizations surveyed maintain more than 25 published policies and more than two-thirds maintain more than five.

SURVEY REPORT:The Critical Need to Improve Compliance Processes

The Growing Role of ComplianceRegulatory obligations are increasingly the norm in a large and growing number of nations. Information subject to these retention requirements should be treated with care, much like information subject to eDiscovery, because of the potential penalties and fines for not following the various laws the dictate proper retention, encryption and other management of data. Data subject to compliance requirements that is not managed and retained in compliance with these regulations can trigger government information requests, which can quickly transform into expensive legal proceedings, fines, and even jail time in some cases.

Compliance Impacts A Wide Range Of IndustriesThe research conducted for this report found that a significant number of regulations and regulatory frameworks are important to the organizations whose compliance staff responded to this survey. As shown in Figure Q2, various cybersecurity frameworks were important to the majority of those surveyed, but compliance obligations like HIPAA, PCI and various banking regulations are also important to a large number of organizations. Of course, specific regulations will be more or less important to an organization depending on the industries in which it participates, but increasingly there are regulations that affect virtually all industries, such as those focused on cybersecurity frameworks, healthcare and data protection.

Organizations Need a Better Way of Managing the Compliance ProcessConsolidating Everything In One Tool Can Simplify The Compliance ProcessThe research found that many decision makers would be interested in a cloud-based compliance management solution that solved their current problems. As shown in Figure Q14, slightly more than one-half of those surveyed are somewhat or very interested in an affordable, SaaS-based application that would effectively reduce the amount of time required to satisfy their compliance goals.

Although commonly used for compliance management, spreadsheets are simply not a best practice and can lead to a number of problems. While spreadsheets may be adequate for managing a small number of static compliance obligations by one individual, they suffer from several problems, including:

• Difficulties in synchronizing activities among multiple stakeholders, especially as the number of stakeholders grows over time.

• Problems in scaling when new compliance obligations must be addressed.

• Problems in adapting to changing business needs.

• Problems as regulations become more complex.

• A lack of automation capabilities.

Many Organizations Have Not Implemented Tools To Manage The Compliance ProcessOne of the fundamental problems in using tools for compliance management is that many of these tools are quite complex and require significant time to learn and manage. The result is that many organizations have not implemented tools to manage the compliance process, and many of those responsible for compliance management have never even evaluated new tools or approaches for improving the efficiency or efficacy of the compliance process. For example, as shown in Figure Q12, 42 percent of those surveyed have never evaluated any compliance and audit management products, while another 40 percent have done so, but only in the past. Only one in seven organizations are currently evaluating these tools.

Compliance management is not an inexpensive undertaking. For example, assume that a 1,000-employee organization has just three employees devoted to compliance management, and that each of these employees spends one-quarter of their time focused on compliance and audit tasks. If each of these employees has a fully burdened salary of $85,000 per year, that means that the organization will spend $63,750 per year just on compliance and audit tasks.

Lots Of Internal Controls And Business Processes Must Be TrackedThere are a significant number of tasks that are involved in the management of corporate compliance processes. As shown in Figure Q3, most organizations consider risk assessments, managing policies and acknowledgements, and tracking vulnerabilities to be the most critical tasks for compliance-focused staff, although a number of other tasks are considered relevant and important to the majority of organizations.

Tools for Compliance Management are Not Adequate

Most Are Using Spreadsheets For Compliance ManagementOur research found that nearly two-thirds of the organizations surveyed are using spreadsheets to manage their compliance process, while one-half are using a ticket tracking system, as shown in Figure Q10. We also found that fewer than one in five organizations are using other tools for compliance management, such as on-line services or in-house applications. Interestingly, we found that one in eight organizations are not using any sort of tool to help manage their compliance management process.





“Nearly two-thirds

of the organizations

surveyed are using

spreadsheets to

manage their

compliance

process...”

1

SURVEY REPORT: The Critical Need to Improve Compliance Processes






















































2






















































“Increasingly there are

regulations that affect

virtually all industries,

such as those focused

on cybersecurity

frameworks,

healthcare and data

protection.”

3






















































4






















































5






















































6






















































7






















































8



























































































9






















































10






















































11













12

What Are The Results Of Consolidation?Consolidating all compliance and audit management activities in one tool can simplify the compliance process and provide a number of important benefits, including more efficient audits, lower costs, decreased overhead, and less time and resource impact on IT and compliance staff. Perhaps more importantly, consolidation of compliance management that offers a holistic view of all compliance activities can significantly reduce risk. This is particularly true in light of recent compliance obligations, such as the GDPR, that impose enormous penalties for non-compliance.

Summary and ConclusionsCompliance management is difficult and onerous, yet most organizations are using only basic tools like spreadsheets to manage all of their compliance obligations. Use of inadequate tools for the compliance management process increases corporate risk and IT costs, and simply will not scale properly as the number and complexity of compliance obligations grows. We recommend the use of a purpose-built compliance management capability that will enable reduced risk and impact on the compliance management function.

About KnowBe4KnowBe4 Compliance Manager (KCM) is a cloud-based compliance management tool that helps streamline and centralize audit and compliance processes across your entire organization. KCM simplifies the complexity of achieving compliance and eases the burden of demonstrating compliance to auditors and stakeholders; minimizing the busy work commonly associated with audits and compliance, eliminating the hassle of evidence collection from multiple departments, while simultaneously allowing your team to remain productive and functioning as usual. Finally, an affordable and easy-to-use compliance management tool... See how you can get audits done in half the time at half the cost.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.

www.knowbe4.com/kcm

To learn more visit:

the critical need to improve compliance processes · crackdown on cyber security lapses, which it...

Documents