Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show notes: Running Compliance in the Midst of an Emergency
Quick Take
On this week’s episode of Compliance Unfiltered, the CU guys take a hard look at a serious topic: running compliance in the midst of an emergency or a natural disaster.
Despite catastrophe, your organization still needs to maintain compliance. Whether taking a look at the compliance impact of past events, or talking about contingency planning for the future, Adam breaks down the key elements you’ll face as the world around you is uncertain.
We’ll cover all these topics and more, on this week’s episode of Compliance Unfiltered!
Remember to follow Compliance Unfiltered on Twitter.
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside a man who is bound to make your compliance day better. Adam Goslin. Adam, how the heck are you? Oh, I guess you could say I’m feeling like a ray of sunshine today. That doesn’t shock me in the least whatsoever. Unfortunately, we’re here today to talk about a little bit less of a sunnier topic, and that is running compliance in the midst of an emergency. I don’t know, like the hurricane that happens to be pounding Florida in the south of the Atlantic right now, our thoughts and positive vibes go out to those folks for sure.
But tell me a little bit more about what’s going on in Florida and how it pertains to the compliance realm, Adam. Yeah, well, I mean, the reality is that the people that are down there, with Hurricane Ian basically blasting into the coast. I was actually talking to a guy yesterday and, I’m in Michigan. So, in Michigan, we’ll get like a storm, right? And, boy, oh boy, I’ll tell you what, it wreaks absolute havoc in Michigan if we’ve got 70 mile an hour gusts, right? Well, these poor people that got nailed with Ian hitting the coast, is, to put it into perspective for me, they were seeing sustained winds of 150 miles an hour. It’s like, yeah, holy crap, I can’t even imagine. I was watching YouTube clips and stuff, and there were these guys that they were in a car, they were sitting there looking down the street. Of course, this car’s parked, it looked like a mobile home park or something. But, all you’re seeing is, boom, this mobile home is like rolling across the road in front of them, palm tree gets torn down, and the roof comes off, and a wall gets ripped out. Yeah, that’s just nuts. Yeah, man, there’s nothing easy about that. You’re seeing millions of people without power. I mean, there were literal sharks swimming on the highway, man. It’s wild stuff. Yeah, well, and flooding, it’s just a gigantic mess. The reality is, is that in the security and compliance world, these businesses aren’t run by machines, they’re run by people. So, certainly being able to run your security compliance program, and having your personnel basically suffering through that, it’s bound to have an impact.
Now, what other examples of business impacts could come into play? Well, just start thinking about it, right? I mean, we’re talking about Ian and, some of the bigger ones, more notable ones that the listeners will go, oh yeah, depending on where they’re at. Certainly 9/11. Sure. Who saw that coming? I mean, it was just absolutely nuts. Actually, I was thinking about, with 9/11, there was even a ripple impact across the entirety of the country. Now, the rest of the country certainly did not feel it like the regions and cities that were directly impacted. But, I remember, I was just getting to work, and everybody was glued to TVs, and them basically shutting everything down for at least a day or two, just so that they could get their arms around what was going on. So, there’s some very short-term, wide-range impacts. There was a power outage in 2003, the only reason I thought of this one is because I was directly impacted by it. There was a gigantic power outage in 2003, somebody tripped over the wrong wire, plugged the wrong thing in the wrong spot, etc. And poof, it caused this ripple impact that effectively impacted portions of Canada, and at least five, six different states in the Midwest slash Northeast. There were like 55 million people that were hit in total. I went and did a little bit of looking up, the total impact was almost 2 weeks. For me, I was really lucky, we got our power back relatively quickly, but it’s things like that. We talk about Ian, you’re talking about Katrina, Sandy, Harvey, all of these big impactful hurricanes.
You go to a lesser extent, as you start playing scenario games, of what potential things could happen. You’ve got a critical vendor that goes out of business unexpectedly, losses of a subject matter expert that you have internally, losing them unexpectedly. There was a more localized Texas power outage in 2021. How many people did that kill? A couple hundred, right? A couple hundred plus? Yeah, it was tough. You’ve got folks that go on mid-range medical leave, whether it’s having a child, or dealing with some other type of medical issue. But sometimes, depending on what’s going on, you could have people out for eight weeks, you could have people out for six, nine months, maybe a year. So, you’ve got a lot of different things that can happen to an organization.
Most certainly. Now, how does contingency planning play into compliance at a high level? Well, I mean, certainly for most certifications, they have a requirement for going through and doing a risk assessment. And, the one thing that a lot of organizations will lose sight of, especially those that are just laser beam focused on wanting to get through those type of things, is the fact that, generally speaking, this risk assessment isn’t intended to be, hey, let’s just go look at your technology stuff and see what stuff can go wrong there. There’s a lot of impacts that can impact an organization that are well beyond the purview of technology. So, most of the certifications out there are requiring more of an organizational risk assessment, so that you’re accounting for things like some of the stuff we’ve been talking about. Long-term losses of electricity, natural disasters, things along those lines, need to come into play.
Well, how should organizations approach planning? The way that I, okay, I’ve been, oh God, I’ve been involved in some cases where the organization was whitewashing their way through it in my early days. So, I’ve seen that play out. I’ve also seen the other end of the spectrum, which is, I’ve seen organizations that will quite literally spend their time, and they have this Bible, thousands, and thousands, and thousands of pages of every single possible thing that could happen known to man. My approach in general is that I don’t want to take the easy path, I’m not looking to hit the easy button. I also don’t want to be at the other end of the spectrum, where we’re going to be putting too much time and energy into it. I like to try to find a reasonable middle ground. So, usually what I’ll do is, I’ll recommend to folks, try to look at the scenarios more generically, so that you can then apply the circumstances against the generic buckets. So if you think about it, right, loss of power, does it really matter whether you lost power because you had a natural gas explosion, you had a tornado rip through, you had an ordinance from a nearby military facility that happened to take out the power, right? So, doing it in that fashion, where you’re taking a look at those scenarios, loss of power, loss of vendor, loss of a person. Another good generic scenario is, something has happened, and either your production hosting facility needs to switch from here to there, or something happened in the state of Ohio, and now all the people in Ohio need to be someplace else, type of thing. So, just look at those in a generic sense, and then play those scenarios out. If we ended up losing power, then what would we do? What’s the length of a power outage that’s acceptable? At which point in the game do we start having some conversations about, hey, maybe we need to go ahead and invoke change, realizing it’s going to take you fill-in-the-blank period of time to enact that change. When do we want to pull the trigger on it? Thinking all of that through, about how you’re going to play out those scenarios that could come up, as well as associatively playing out, what is your backup plan? What is your approach strategy to those scenarios, and how would you handle it? Because then, you can basically put together a game book, where I can take the circumstance, apply it against the right bucket, etc. And of course, as with anything, whenever you’re doing your risk assessments, your disaster recovery planning, things along those lines, you just, you wanna make sure that you are constantly reevaluating for continuous improvement items. So, you might’ve forgotten, or missed an opportunity to go and present something. If you’re in the real world, you’re now faced with something net new that you hadn’t considered before, well, use that as a learning experience to go and come back and make additional incremental updates to the documentation that you’ve got.
Now, in your vast experience, have you interacted with organizations that have actually had to deal with these types of scenarios? Yeah, I actually had one organization, they lost their main IT person. So this was a small to mid-size organization. They had this one IT dude that was the man, and this dude knew everything. And, that person unexpectedly died, right while they were approaching their initial compliance review, it really, really set things back for them. This week, I’ve literally been on the phone with numerous organizations that have personnel that are down in Florida, and dealing with this fallout. I’ve had organizations that have lost a critical vendor, and they didn’t have an identified backup to them. They’re like, oh, well, this organization, they’ve been around for a while, we can just count on them, etc. And generally speaking, while yeah they were in business, yeah they were reliable, however, they suddenly went under, and now the company’s left scrambling to try to figure out, what the hell do we do with this? So yeah, these scenarios are real. There is a notion for many organizations to put it off. I don’t know how to articulate it, but it’s almost like user documentation, right? Nobody wants to go write the fricking user documentation, it’s like a red-headed stepchild, right? They just keep pushing it down the road, pushing it down the road. At some point in the game, the lack of the documentation comes back to bite you in the ass, and then you’ve got a gigantic task that you need to do. It’s the same thing with the disaster recovery stuff. You get to hear the moans and groans and whatnot. Oh God, why do we need to sit here and play out all these scenarios, and blah, blah, blah. Well, guess what? If you actually have to deal with one of these scenarios, which quite frankly, with the breadth of stuff we brought up, it’s not a bad idea to go ahead and get on that. But, it’s something that people tend to kick down the way, and put on the backburner.
Sure. Now, specifically on a compliance engagement, what should, I mean, I guess, what should folks be considering? Well, we talked about the high level notion of succession planning. Just look for the people and entities that you interact with, interface with, deal with, etc., just look at the various folks that you have those conversations with, right? Don’t leave it with just one person in IT, who’s their backup? You look at departments, maybe you typically would deal with this one particular individual, Mary, in fill-in-the-blank department, make sure that you’ve got somebody else that can back up Mary. Look at, really look at, the inputs that you’ve got for your compliance engagement, and look at where those are coming from. If you’re gathering up elements of evidence from a particular vendor, as an example, if you always deal with so-and-so at the vendor location, even with them, pushing them to go ahead and have somebody else involved, so we’ve got redundancy there and streamlining, etc. One huge element is just going through your various folks that deal with compliance information, and making sure you’ve got redundancy there.
The other is having your documentation in place. First off, it’s critical. And, it’s unimaginably helpful to have one place to put all your compliance stuff, your activity, your evidence. This means that, if the worst happens and you’ve now lost that subject matter expert unexpectedly, well, at least you’ve got all the records where they’re at. You extend it out to procedural documentation, this is something that is obviously more applicable to the folks that are going through compliance than the consultants and assessor arena. But making sure that you have procedures for, step-by-step, how-to guides of where am I pulling fill-in-the-blank evidence from. It doesn’t have to be compendiums, and reams, and blah, blah, blah. But, just some notes on, hey, I grabbed this from this screen of this system, it was located here, that type of thing. Unimaginably helpful, when you’re coming in to go look at it, even if it’s coming in to look at it a year down the road, right? Making sure that you’ve got that procedural documentation on how to do the compliance task, that’s really helpful. And, especially when it comes to organizations that go into operational mode for their compliance, where we’ve now gotten there the first time, now we’re doing ongoing care, feeding, management, and maintenance, make sure that you plan out those alternative personnel for supplying evidence in a timely fashion. Because, especially when you’re going through an operational mode track, you have your tasks spread out over the course of the year, so you can have a sane program in place. But, in the same sense, you can’t just put it off, the data and evidence collection, for weeks at a time, over the fact that somebody’s having a challenge internally with having competing responsibilities, or some urgent fire that the head honcho says that you need to go get taken care of, and so pulls them off of evidence collection. There’s little things like vacations that people actually like to go in and take during certain portions of the year, etc. So, when you’re in that operational mode, it’s a really good idea to have your game plan for that redundancy there as well.
Any parting thoughts and shots on this one, Adam? Well, certainly good luck to the folks that are in Florida, dealing with the fallout of Ian. I believe that those that are on the coast, I think it crossed over, now it’s headed up to the Carolinas. I don’t believe they’re going to have as bad of a time as the folks in Florida. But, I just really feel bad, when you see some of the stuff that those folks are going through, so I hope that they recover faster than they fear.
Certainly, for organizations, I would strongly encourage them to rethink the priority of doing this type of planning, it’s literally the difference between having a plan, and having to attempt to figure out what the hell do we do when you’re under varying degrees of potentially extremely difficult circumstances. So, it’s always a whole lot easier to have, at least, high level legwork up front, so that you’ve at least brainstormed it through, and you’ve got a notion of what are we going to do if, etc.
The last thought that I’ve got is, if your compliance process is not using your own compliance management system, then rethink it. I mean, if you think about it, one of the things that we were just talking about, losing a critical vendor, well what happens if you spend years putting your stuff in your assessor’s systems, and all of a sudden, the assessor goes under, or gets bought out by somebody else, and you decide that you need to go switch and change. Well, now you’re stuck, you don’t have that golden repository, so make sure you have your own management system. You have cases where these organizations, like the one I was talking about earlier, that have personnel that pass away, or even in today’s environment, leaving the company on short notice, they go get another job, or get hawked by your competition or whatever. For the companies that have their own compliance management system, the advantage is, is that they get to be able to go in, look at the history of what’s happened within this one-stop shop, everything’s sitting right there, and they can tell precisely who did what, when did they do it, what did they grab, what evidence did they supply, what additional commentary did they give, you’ve got that literally at your fingertips. Where, if this happens, and you don’t have said system, well, now you’re trying to piece everything together, you’re trying to do it from scratch. Depending on where you’re at in the continuum, you’ve got quite possibly enormous pressure on you to get it done quickly, and yet you don’t have a prayer of being able to do this quickly. It’s just a really crappy situation to find yourself in, and I would hate like hell for our listeners to be in that position.
Most definitely. That is the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.