Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Why does managing compliance suck for Consultants and Assessors?
Quick Take
On this episode of Compliance Unfiltered, Adam goes to bat for the assessors and consultants out there. The guys give a full breakdown on what it’s like for the brave folks out there tasked with managing compliance for other organizations.
Everything from coordination struggles, to primary communication issues, to storage challenges with things literally all over the place. The CU guys have got you covered, all on this week’s episode of Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the Vermouth, to your compliance martini, Mr. Adam Goslin. How the heck are you, sir? Oh, I am one martini short, apparently. That is an easily rectifiable problem, as I understand it. You know what, it may make this a lot more exciting. Indeed, today we’re going to talk about something that’s quite exciting, and that is why, specifically, managing compliance for consultants and assessors sucks.
So tell me at a high level how things typically work for the poor soul that has to wrangle compliance for the consulting and assessing organizations. Well, at a high level, you’ve got to figure there’s different, and we’re kind of covering two different groups, but really, it’s the same problem, right? We’ll say more about that. It depends on the workflow of the client that you’re working on. So if you’re a consulting organization, then you are acting in typically one of two capacities, either A, you’re working on a client engagement where they do not have an assessor, and you’re effectively acting like their internal assessor type of thing. Or behind door number two is you’ve got a client where you are, yes, helping them get, manage, maintain their compliance, and they have to go through a third-party assessment. So you’re basically middleman between the client activities, your normal rigmarole, and then coordinating the annual assessment for that organization.
If you’re an assessor, you’re just in that position of assessing the organization and further ahead of you in the workflow or earlier in the workflow, it might just be the client is passing things to you or the client could be passing to their consultant passing it to you.
The number of layers in the workflow will certainly work to increase the complexity type of thing, but it really just depends on the circumstances but the problems for consulting houses, the problems for assessors, you have really fallen into a similar bucket when all is said and done. Both of those organizations are really their focus is on the same types of things. It’s just whether or not they’ve got additional complications of furtherance in the workflow effectively. Now, for those consulting and assessor organizations, they’ve got a pretty challenging task. When they’re going through their engagements, depending on how the consultant or assessor organization set up their annual engagement, they’re either actively coordinating working with the target organization all year long or they’ve compressed their work effort into a certain period of time, typically centered around the end of that client’s compliance track. It’s kind of high pressure, high pressure, compressed timeframes, etc. I’ve seen organizations in the space do it both ways. It really just kind of depends on the organization themselves, their clients, how they perform their services, etc. But at a high level, somebody has to ultimately carry the baton for that client engagement in terms of coordinating, you know, coordinating all of their activities. And that makes sense. Now, speaking of coordination, what are some of the coordination challenges that these companies face? Well, when it comes to the coordination that these guys have to do, it really comes in two arenas. So one, they’re trying to herd the cats of the, you know, of the client, if you will, and keeping in mind, depending on the customer, you could have all sorts of different, you know, complexity there. You could have the need to coordinate, you know, evidence across multiple departments, multiple locations. There could be, you know, kind of different client-based reporting structures for personnel.
There could be a multitude of vendors involved. You know, and meanwhile, you know, you’re looking across hundreds of requirements with, you know, kind of lots of different, states that each particular requirement could be in. So it could be sitting in the client’s hands. It could be going through client QA. If you’re an assessor, it could be sitting with the consultant. It could be sitting for an assessment organization. It could be sitting with the assessor themselves, or it could be sitting with your QA. So you’ve got a lot of different intersections. That’s a lot of moving parts, man. John, I’m telling you what, especially when you’re dealing with, dealing with a certification, or tried and true PCI, right?
In that, you’re literally dealing with 500 plus different, different elements, and a potentially extremely complicated workflow in client landscape. So yes, there’s a ton of intersections there. And then if you’re the consulting organization, you’re catching things from the client, you’re reviewing them, you’re passing things up to assessors. If you’re on the assessor side of the world, you’re catching the things that are coming up from the workflow. You are pushing those over to your internal, to your internal QA department, et cetera. So there’s a lot of kind of moving pieces and parts, and the coordination, it’s challenging. Different of the consulting and assessor organizations will also, they’ll work their engagements differently. Some of them will, it’s kind of like we nominate this person to basically take on everything, right? For larger scale, for larger scale organizations, they’ll often have certain personnel, will have certain focus areas. So I’ll have this person handles all of the, kind of networking and, you know kind of system documentation you have another person that specializes in access control another person that specializes in development another person that specializes in the policy reviews so almost like a almost like a union shop you know type approach to, to the engagements where you know the the, the whistle blows and all of a sudden everybody’s going in and grabbing their requisite parts sometimes it’s you know it’s multiple it’s multiple people that are you know that are jacks of all trades that will jump in and, and grab things you know regardless across the engagement so you know just depends on the on the organization how they go about doing it but you know there’s a there’s a lot of coordination activities that need to happen when you’re on these you know compliance based uh based engagements That makes sense.
Now, what are some of the communication challenges that these companies face? Well, I use the expression herding cats, which is never more true than when you are trying to work a client engagement. And the reason being that there’s a natural human propensity to, oh, we have a status meeting on Thursday afternoons. So even though I’ve got this list of things that I need to ask somebody a question about or whatever, I’m just going to sit on it until that meeting. Maybe everybody actually shows up to the meeting, usually not. You’ve got a wide variety of communication challenges in that the operational personnel that have assignments, they’re wondering, what is it that we have in our hands? Oh, what did I have again, etc. You got all that going on. You’ve got the client leadership basically seeking updates on status. Where are we at? How much have you guys cleared through? How far are we on track type of thing? And internally for the organization itself, whether a consulting house or an assessor, you’ve got reporting that goes back to your leadership internally at the organization as well. So you’ve got status updates coming left, right, and sideways on these things. You’ve got the follow ups. We talked about the clients wondering what they’re assigned and things along those lines. You know, keep in mind that earlier conversation we had where if you’ve got a really complicated organization where they have multiple locations and multiple departments and multiple… reporting structures, you know, you are now trying to, you know, herd the cats, herd the compliance cats in the right direction here, you know, across all of those various intersections. 
So, you know, you’ve got, when you’re in a position of being a consultant or an assessor, the problem is actually magnified because you not only have communication, like if you think about it right from the client’s perspective, all they, you know, what they typically have to worry about is what are we, what feedback are we getting back from our consultant or what feedback are we getting back from our assessor, as the case may be. When you’re playing consultant or assessor, you’re now worried about the things coming up the workflow, you’re passing things above you in the workflow, you’re getting, you’re getting inputs coming up the workflow and down the workflow simultaneously, you know, at you. And so, it makes it astronomically challenging to wrangle all of the communication problems on these engagements. That tracks for sure. Now, what about some of the storage challenges that clients face?
Well, the consultant assessor firms, generally speaking, have laid out the, hey, I’d like you to submit your stuff this way and put your things here, etc, etc, etc. Well, it sounds like a brilliant idea, except for the fact that you’re getting inputs on your maybe weekly or more than weekly client calls. You’ve got leadership of the organization that’s hitting you with oddball emails that’s sending you text messages that kind of call and calling you in a given afternoon. They’re sending you chats through Teams or whatever it may be. Stuff is coming at you from a wide variety of directions. The storage challenges kind of mimic that challenge because, yes, you’ve got your designated way of doing things and hope that you can get everything into there. Invariably, you have data inputs coming at you related to your client compliance engagement coming at you through a wide variety of different communication protocols, et cetera, and locations. What the net result of that is, you end up with just data spread out all over the place when all is said and done. Things are kind of flying left, right, and sideways, and it’s really challenging to kind of work out the kinks in making sure that you have everything in the right spots. What typically ends up happening is that the consultant and or the assessor, they effectively have to almost play traffic cop, and it’s kind of an unenviable position for the consultants and assessors because tonight at 6… we are getting paid by the client. The client’s expectation is, I’m paying you to handle this, you know, type of an approach, right? And so for the poor consultant or the assessor, you know, what will typically happen is that they will be forced to mirror all of these various disparate channels of communication and mirror that back into the central repository, you know, type of thing. 
So, you know, now, not only are they having to interact and interface on, I don’t know, 10 different communication, you know, mechanisms and protocols, but now they get the joy of having to mirror all of those updates, files, things along those lines and mirror them back into, you know, kind of the organization, the consultant to the assessor’s kind of core systems, you know, type of thing. So it gets very, very challenging to be able to wrangle all of the compliance storage cats. That sounds like some tough sledding. Now, we here at Compliance Unfiltered love ourselves some efficiencies.
So talk to me a little bit more about where the most time is wasted on these engagements. Now, for the consultants and the assessors, there’s really a number of areas that, you know, that pose challenge, if you will. So first and foremost is just client onboarding, you know, getting them up to speed and, you know, showing them the ropes and reminding them of what all needs to be done and, you know, setting up, you know, you know, giving them their assignments and refreshing their memory on the storage locations and so the client onboarding is certainly one piece of it. We just talked about a ton of things that would happen, you know, kind of while you’re at it, actively going through, actively going through the engagement, you know, type of a thing, where, you know, the interaction, interface, status updates, things on those lines. I mean, you think about it, right, every single time that somebody’s saying, hey, what did I have again? What was I assigned to? I thought I gave that to you. Oh, you know, you didn’t see that? Oh, well, that was because I sent it to you some through some unapproved mechanism. Oh, well, that’s why, you know, and, and, and, you know, let alone, you know, you have the, you know, the distractions, if you will, of provisioning status to the client and everybody on their team. You’ve got, you know, kind of, you know, you’ve also got your internal team. Maybe I’ve got, maybe I’ve got other consultants or other assessors that are working on this thing with me. Maybe I’ve got my QA department that, you know, is going in and doing the cross-check, double-check, et cetera. So, you know, you’ve got status coming from and at you in a myriad of directions. You know, certainly is the work effort for collecting up data and collecting up the information. You know, one other area that kind of, you know, that has the potential for some wasted time is even during the on-site when you’ve got to go in and do the, you know, the annual on-site with the client, with the customer.
You know, there’s inefficiencies and wasted time, even during the, you know, during the on-site activities. You know, certainly your quality assurance, you know, department, being able to get them, you know, efficient, you know, if you will, is another arena. Report writing and report generation. That’s another area where, you know, where there’s a lot of, you know, kind of a lot of wasted time, you know, on the engagement. You figure, you figure as you, you know, as you go through and you’re doing the report writing, you know, you want to start with, you want to start with a template or something to get going on writing the report. In some cases I’ve seen organizations will, you know, kind of leverage last year’s report and, you know, tweak, modify, change from there. I’ve seen other organizations where they’ll start with kind of a default starting point template and then customize it up for that client for that year, you know, but there’s a bunch of wasted time in the, you know, report writing or report generation, but, you know,
bar none of all of the realms, probably the singularly biggest waste of time is that status reporting. The status reporting and assignment reporting, both to active operational personnel as well as leadership of both the client side and the assessor or consultant side. There’s a ton of wasted time there as well. Now, how can we help companies not do the same thing repeatedly, hoping for different results, aka how do we stop the compliance insanity? Well, this isn’t going to surprise anybody, but leverage a compliance management system for the love of God. The reality is that we’ve lived this space, we’ve had to deal with these issues and challenges, and that’s the whole reason we wrote the system in the first place. You know, for the listeners, it’s not gonna really surprise anybody to know that
TCT leverages the TCT portal for doing our own compliance. We use the TCT portal, you know, with our assessor, you know, annually. All of our, you know, all of our evidence and whatnot is passed, you know, our evidence goes into that system and passes to our assessor through the system, etcetera.
You know, you look at those various areas that, you know, that we were talking about earlier, things like, you know, kind of client onboarding. You know, there’s often a bunch of wasted time. I mean, you can almost cut the onboarding, you know, onboarding process in half, you know, when you’re leveraging the consistency of process and something like the TCT portal, especially as the clients get, you know, get used to leveraging it and get their arms around it. You know, we’ve got things like training that can, you know, training that can get deployed out to the, you know, out to the organization, you know, in an automated fashion, etc. You know, we talked about, we talked about things like, you know, just the active engagement, the status reporting, which is, you know, quite frankly, probably one of the bigger areas for time savings. You know, the cool part about the TCT portal is that it is live. You know, it’s not getting overwritten by multiple people making the updates to the same cells on a spreadsheet or on a SharePoint site, you know, etc.
This is live status where it’s intended for multiple users and very large and very complex, you know, complex engagements. The coolest part about the TCT portal is… and for the, for the consultants and assessors, where they’re, you know, kind of, I can, I can almost see those that are listening to this pod, you know, are sitting there kind of knowingly nodding their head, you know, it’s, yeah, you’re right. That completely sucks. And, you know, and oh, yeah, we get peppered with questions about who’s got what, where are we at? Are we on track? And, you know, are we there yet, etc. But it doesn’t stop. It just doesn’t stop. Um, you know, so you figure you’re doing that, you know, uh, bare minimum every week, uh, over a period of what probably is two to three months per client, you know, type of type of thing, at least, depending on how the scale of the engagement you’re working on.
Um, you know, and when you’re using something like TCT portal, all of those stats, statistics, assignments, uh, where are we at? Is it done yet? good, marry, complete this particular item, whatever. All of that is live in the system. We don’t need to go hunt anything down. We don’t need to go and look for anything. The reality is that it’s all right there. And so the status reporting element alone will probably save an organization more time than it costs to use the system. And that’s really the way that we structure things for the TCT portal, is we basically wanted this to be a no-brainer. Things like data collection, we talked about all of those disparate arenas. Now, are you really ever going to completely eliminate the notion of this spread of compliance-related updates that are coming at you from all directions on these engagements? Let’s just be realistic, probably not. But that said, the TCT portal has a couple of different things which really drive the organization to leverage the system, which is things like for assessors and consultants, they have the ability to consistently generate their guidance to their clients, give them examples of what it is that you’re looking for. So by encouraging through the training process to have the clients first go in and look at the guidance, look at the examples that are available, what I typically recommend to these organizations is train your clients to do that. That way, number one, they get used to going in and leveraging the TCT portal. Number two is that it actually helps them. We were talking earlier about somebody having a question and waiting to, you know, whatever, they come up with of this question on a Friday, but their next weekly meeting isn’t until the following Thursday. And of course, they sit and wait, right?
Well, if your client has been trained to go in and review the guidance, review the examples, very, very likely that they will get the answer that they need from your guidance and examples you have configured into the portal for your clients. Keep in mind, this is information that is only shared with your customers. This isn’t somehow widely available on the portal. This is literally for your clients. So and the other thing that I’ll encourage the consultants and the assessors to do is to, when they go to deploy the TCT portal, integrate in feedback loops.
So in other words, what I mean by that is when a client goes in and reviews the guidance and reviews the examples and still has a question, incorporate a feedback loop so that they can ask their question immediately, we can actually turn on the capability for them to ask questions through the portal, and they can immediately send it up. So that way, the same person on the client team that otherwise would have waited until next Thursday on Friday now can just document their question, hey, I read all this stuff, but I don’t see, here’s my question, I don’t see an answer. They can ship it immediately on Friday, you can then go in and not only resolve that by responding to the client later on Friday, but incorporate that feedback loop to go back to your guidance and back to your examples to make it better.
I’m sorry, go ahead. To close the loop, sure. Yeah, yeah. Well, and the coolest part is that it’s like a snowball heading down a hill. It just keeps picking up steam and getting bigger and getting better. The more that you do that, the more self-serve capability your clients have, the happier those clients are, the less frustrated they are with the process and having to wait till next Thursday, or pepper you with all these oddball questions whenever they think of them type of a deal, and it mitigates the amount of pain and time that the consultant or assessor has to spend on the engagement with all of this kind of waste of time going back and forth. You’ve got the on-site activities, we were talking about that earlier. A lot of organizations have streamlined the blazes out of their on-sites. I can remember days in my early days where some of these on-sites literally were like weeks type of thing. Over time, I started to see those on-sites get minimized into a couple of, in some cases, a day, maybe a day and a half, type of a thing. Now- That’s how they’re blowing some minds, by the way. Yeah, well, again, it depends on the scale of the engagement. Let’s say if your target organization is a corporation that has 200 locations included in there, in there that have physical presence, yeah, it’s not happening in a day, type of thing. So this would be realistic. But for small to moderate sized organizations, it’s not unusual for the on-site activities to be taking a quarter of the time that they used to. That said, could it be even better? Yes, it can. You know, you could really organize the on-site activities such that, you know, they are streamlined. You know, we’ve got the ability within the TCT portal to allow our consultants and our assessors to queue up their own, what we call a custom certification. But look at it as a data request list, or you could look at it as a portion of their custom certification, excuse me, for some reason I’ve got the hiccups now.
But we have the ability to go ahead and set up a section of their custom cert specifically for the on-site. I want to go, and I want to talk to these various roles of people, these are the questions I’ve got, etc. You can really queue it up for them where previously maybe people were using Excel sheets or Word docs, et cetera. The other side that I encourage the consultants and the assessors to kind of think through is as you’re centering around the TCT portal and you’re doing your on-site, you know, use the TCT portal to capture your notes about the interviews themselves. If you had to look at things, screens, you know, grabbing screenshots, pictures, things along those lines, go ahead, grab them, put them right in the freaking portal so you’ve got them sitting right there with you. There are ways that you can really streamline both the on-site and really one of the bigger challenges for the consultants and the assessors is really after the on-site, right? There’s often a whole bunch of, you know, whatever, note clean up and triaging of, oh, yeah, no, I forget, I had this and this and that, etc. And the other cool part is you can use the statuses within the TCT portal if you’ve got them set up appropriately for your process to where there was a follow-up… item for, for Beth, right? I need to send this item down to Beth and ask for, guess what, do it through the portal. Don’t forget, we talked about you’re going to go ahead and get me to the little knock. Can you please ship that my way? Thanks ship and wham, you’re doing it right through the portal, you know, so there’s ways to do that. We talk about QA or quality assurance, right? So we know in a typical assessment firm, the assessors would go through and they do their assessment activities, they pass it up for, you know, for, for a cross check, double check with the QA department.
You know, the one of the ways that QA used to work back in the day, is that basically QA would sit and wait until everything was done. And then all of a sudden, it would be like, okay, now I’m going to pick up these hundreds of items.
And you know, he There’s still a lot of folks that do it that way, man. Well, there are, but one of the advantages that TCT Portal affords is it’s not necessary to do it that way anymore. If you want to do it that way, you can, of course, but the TCT Portal allows you some more flexibility, so keep in mind, all of the hundreds of items on the engagement can move up and down the workflow independently.
So, what does that mean? That means that if you so choose, QA literally could go and process items as they arrive dynamically across the hundreds of items. QA could take a second methodology, which is, you know what, we want to have everything for this particular requirement completed. Once we see everything that we have 100% in QA’s hands, then we’ll go and pull the trigger and we’ll just pull that trigger requirement by requirement type of deal. You know, so it really affords the organization a ton of capability and choices as to how they want to manage their engagements, but bar none. The QA process can be made dramatically easier, and certainly one of the biggest elements of fanfare around time savings that we’re able to bolt into these style of engagements is that, in our case, we allow the report writing to happen from within the system, and with a push of a button, you can generate the outbound reporting. So, you know, so you basically, you do all the work within the system, you get all your report text all lined up and things designated properly, et cetera, and then you basically say go ahead and generate my SAC, my AOC, my ROC, whatever, you know, it automatically is generated by the system. The best part is, it’s generating that SAC, AOC, ROC from the system that’s already been through all of the back-and-forth and rigmarole and reviews of report text and in an end so quite literally the report generation is quite frankly just punch the button and somebody can do a once over of the entire thing, just make sure that doesn’t look like anything massive was missed. But generally speaking the reports effectively are ready to rock at that stage of the game. So,
you know all the way around You know, there are a ton of you know, a ton of reasons That leveraging a compliance management system adopting it internally Integrating that with your clients and your client engagements, you know, etc training the people on the engagements not only your own personnel which is its own challenge sometimes but the client personnel to push their things into that centralized repository because it’s so helpful people will see the light you know people see the light over time a lot of people will fight these new systems and you know and it’s something that you just got to kind of deal with as you’re going through this type of change as an organization but without question those that went down the path adopted the system leveraged it for themselves have seen the just the material benefits you know of their you know within their own organizations as well as their interface interfacing and interaction with their customers no doubt about it parting thoughts and shots for the folks this week got it well one of the biggest one of the biggest challenges is just you know getting people to change their mindset you know to seeing seeing value in in the overall compliance program a lot of organizations will especially the on the client side not, not necessarily on the consultant assessor side but the companies are going through compliance will often see the compliance extravaganza as a distraction to their you know normal day by day business etc and you know the way that the way that i would kind of put it to consultants and assessors is you know one of it are you ultimately going to have control over their mindset well no but is it going to help if it’s less painful yes is it going to help if the system that’s that that they’re leveraging gives them the answers that they’re seeking like where are we at who’s doing what what’s left who has which assignments etc they can just go look it up you know um they will see the value out of the tool.
Now, maybe the uppity ups over on the client site aren’t going to go log into the system. But their main point person for compliance most assuredly will, and you will be saving them an astronomical amount of time and pain in terms of answering those inquiries and questions on their side. One of the biggest challenges for consultants and assessors, especially in larger scale firms, is developing and attaining and maintaining a level of consistency across your engagements. Certainly leveraging something like TCT Portal, where you have default starting point templates. You have default starting point report text. You have directional guidance on what’s needed. You’ve got examples about what you’re looking for, et cetera. All of these things work together. to generate a much, much higher level of consistency as an organization. But really, and most importantly for the consultant assessor organizations is that you’re seeing that consistency across all of your consultants or all of your assessors. It’s a huge problem for organizations that could… And again, I can see the listener that’s doing consulting or assessing kind of chuckling to themselves. But the consultant and assessor group, it is an interesting group of characters. Everybody likes to have their own way of doing things. And I’ve been doing my thing for a number of years, slash decades, type of thing. And boy, I’ll tell you what, it is challenging at times to crowbar the spreadsheets out of the hands of some of these people.
But if you can navigate those waters, if you can get down… But my macros, Adam. Yeah, the macros that you need to go and spreadsheets that you need to gut every time that we decide to change the requirements. Yeah, those ones, you’re right. You know, the reality is it’s tough to gain that adoption. It’s going to take some effort. It would definitively be some pain involved. It’s out of a blot. At the end of the rainbow is… I mean, you literally have all of your engagements on the same platform. You have all of your engagements that are being done in the same fashion. You have consistency across your engagements. What happens if… Yeah, what happens if… We were talking about whatever, Mary, the assessor earlier. What happens if Mary gets hit by a bus on a miscellaneous Wednesday afternoon? Well, you’re not screwed eight ways from Sunday because you now need to… go figure out, well, geez, how is Mary doing her engagements? Who else would have, be able to piece all of this together? You know, if you have the consistency of a system, now, granted, there will be some learning curve on the client, etc., but at least you have the consistency of implementation. Who’s doing what? How are they doing? And shall we say? You know, and the last piece that I’ve got for parting thoughts and shots on this one is, you know, it, you want to get people to see the light. you know, not just, you know, a portion of your team, you know, you want to get the team to get on the same page, see the light. You know, what’s a lot of times extremely challenging, especially for the consultants and assessors, is talking to the folks that are above them in the food chain and making that case for, you know, for leveraging, you know, some type of compliance management system.
So I’ll just remind the listeners, you know, that on our website we do have a section of resources and underneath there we have various, give me a minute, I’m trying to actively click on this as we speak. Let’s go here and here. We’ve got eBooks underneath resources, compliance guides, and in there we’ve got an e-book on how to make the business case for the compliance management system. If the listeners haven’t had the opportunity to go take a look at that, I’d recommend it. You know, we put a fair amount of thought into trying to help organizations, you know, kind of get through that gauntlet. But, you know, bar none. If you’re struggling, do me a favor. Reach out to reach out to TCT. You know, I’m sure anybody would be happy to assist and help with you kind of carrying the water, if you will. And that right there, that’s some good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered.
I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less. Thanks for watching!