Escape the Compliance Checklist Trap
by Liesl Geier
Humanity invests at least $4.3 trillion in compliance annually, over 5.7% of Gross World Product.1 What return do we get on that spend? A cynic would claim some combination of reduction in regulatory fines, reputational risk and other related threats to the orderly functioning of a business.
Not a compelling justification for that level of expenditure, particularly if you consider that banks alone have paid $321 billion in fines since the financial crisis2 and suffered a devastating blow to their reputations.
I would argue that the true point of compliance is to empower decision making to the benefit of all stakeholders, via the mechanism of reasonable due diligence.
It is impossible to make sound decisions in the absence of information, and sound decisions are generally forgiven when they turn out to be wrong. On the other hand, irrational decisions that go south are viewed as avoidable, understandably drawing the ire of society and therefore the attention of the political class. This is why the compliance myth, the assumption that checking boxes is satisfactory proof that the resulting decisions were truly informed, is so dangerous. No one is buying it, especially bank regulators apparently.
Related: Cover Compliance With A Risk-Based Approach to TPCRM
The few industries that have managed to self-regulate avoid heavy government intervention and enjoy the privilege of dictating their own standards of what constitutes reasonableness. In turn, these standards tend to be well designed, thereby improving decision making, enhancing productivity and adding value.
The rest of the economy is caught in a downward spiral of externally dictated standards that rarely provide value, and therefore inevitably encourage firms to do the bare minimum to meet those standards in the name of efficiency. This diverts resources, resulting in further unjustifiable crises, which then lead to even more counterproductive regulations.
We need to escape this mentality and demand more in return for our astronomical investment in compliance. We need to evolve beyond the psychology of the cost center and actively seek opportunities to add value.
One of the best examples of outmoded thinking is the allegory of the checklist.
On January 1st, every year, compliance teams around the world start with a blank checklist. They work furiously all year to check off every item before December 31st. Then, the next day, they start with the same blank checklist as if they had used disappearing ink.
With the sheer volume of boxes to tick, there is little opportunity to generate value from that activity during the year, and armies of unfulfilled employees are stuck in an endless cycle.
At CyberGRX, we see this purgatory all the time in the third-party risk management space. Some of our largest customers have tens of thousands of suppliers, let alone other third-party relationships. A literal mountain of work between business cases, credit reviews, reputational risk assessments, license and tax compliance checks, SLA negotiations, and other internal approvals.
Then all this complexity and effort typically hits a wall when it comes to the dark arts of an IT risk assessment, needing to form an opinion on security, privacy and resiliency. It is not uncommon for it to take 18 months to shuttle a potential vendor through the process, which means only the highest performing organizations can do more than a single review at onboarding for anyone other than their most critical relationships.
Managers respond by working tirelessly to streamline their checklists, reducing the number of boxes and redefining what constitutes a tick. However, their efforts are usually frustrated by additional requirements dumped onto their laps, generally netting in longer checklists despite the investment in shortening them.
But what if we switched to permanent ink? What if we explored ways to permanently gather the necessary information to empower the rest of the organization to make sound decisions, to permanently conduct due diligence?
Related: The Annual Vendor Risk Assessment Is Dead
Compliance and risk officers need to look beyond static checklists and reports, and towards dynamic data streams. We all learned how to write a report in school. They involve conducting research and summarizing your findings. They are inescapably frozen in a point in time, which leads to the disappearing ink problem. What was once current slowly grows stale, and eventually no longer constitutes reasonable due diligence and needs to be redone.
Alternatively, that energy could be redirected to establishing a data stream once. Even if that is more effort than writing a single report, it is a prudent long term investment that will quickly pay dividends. The work will never have to be redone, decision makers will never be hamstrung by sort-of-outdated information, and policy makers will not have to grapple with the difficult question of what constitutes too stale.
But this can’t be accomplished with half measures. Integrating a data stream into a report still results in a report. You will be left with additional effort and none of the projected benefits. The promised land can only be reached after 40 years in the wilderness, only after you are willing to let go of the status quo and identify a way to replace all of what you previously sought in a data stream. The journey to unlocking trillions in value will be worth it.
Watch Now: How CyberGRX Is Helping Enterprises Say Goodbye to Annual Shared Spreadsheets
1) Conservative estimate based on World Bank data and Competitive Enterprise Institute survey and normalization of various US compliance cost estimates. Assumes US compliance spend as share of GDP is accurate for North America and Europe, with zero compliance spend in rest of world.
2) Source: Boston Consulting Group
To learn more about how CyberGRX can help you manage your third-party cyber risk, request a demo today.