Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: Tips to Successfully Implement a New Compliance Management System


Quick Take

On this episode of Compliance Unfiltered, the CU guys look at the hard truth facing many in the compliance space today: your process is too manual and outdated. It is challenging, however, to implement any new system, let alone a Compliance Management System.

Adam will cover all things on this topic, from why implementing a new compliance management system is a struggle for organizations, to what type of prep needs to be done for software implementation, and even what kinds of continuous improvement should fit into your annual engagement. You’ve got questions and concerns; we’ve got answers.

All on this week’s, Compliance Unfiltered!


So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the Honey Nut Cheerios to your balanced compliance breakfast. Mr. Adam Goslin, how the heck are you, sir? I am doing great, Todd. How about yourself? Man, I can’t complain. I really can’t. We’re giving out some top tips today. That’s right. Some top tips to successfully implement a new compliance management system.

Now, why, Adam, is implementing a new compliance management system a struggle for a lot of organizations? Well, I mean, each organization has a kind of a certain way that they like to go in, do things, run their engagements, etc. And so the notion of a new compliance management tool will mean some kind of thoughtful planning, if you will. When you’re purchasing a new solution to streamline compliance engagements, you’re going to be entering in a measure of disruption. That said, you need to be purposeful about how you go ahead and implement the technology, train people to use it and whatnot. TCT has worked alongside organizations since 2013 to help them successfully implement new compliance management systems into their operations, with some proven processes that streamline the traditional time to a bare minimum. So we’re going to go ahead and spend a little bit of time today looking through some of the best practices that we follow as we work through things with our customers.

I love that. Now, what should organizations do before implementing a new system? Well, before you get going, you want to kind of think through how does our organization function and how is that going to translate into your new tool? You need to walk in prepared. You’re not using your old system, so there’s adjustments that are going to need to be made just because of the fact that you’re moving to an actual system. So, you know, certainly approaching the move, if you will, you know, with an openness to those necessary changes, you know, the open attitude as you’re walking into it will allow for an organization to be able to take advantage of the capabilities of the new system that your previous one, you know, didn’t offer.

Well, why is leveraging your compliance tool provider tech support important? Well, you know, you don’t want to be shy about taking advantage of the expertise that’s available to you straight from the solution provider. You know, the more that you can understand the software’s feature functions, you know, the more you’ll be able to go in and get it configured to your needs. You know, getting to know features, capabilities that will help, you know, you’ll kind of maximize your usage of your new compliance management system is important.
You know, ask your provider for recommendations that will make the most sense for your organization. You know, usually I’d recommend, when you’re starting into that process, going through, you know, your scenario, your setup, your needs, how you do things today, et cetera. That will all help in having them assist with translating those into the configuration and setup, you know, on the tooling that’s coming to bear. You know, at the end of the day, the provider is motivated to make sure that you’ve got the, you know, the best experience possible with their system. They also know the system the best, and you can take advantage of the kind of the learning experience they’ve had with previous migrations so that you can help make yours successful as well. You know, depending on which tool you’ve selected, there could be a lot of customization capabilities that could fit into your, you know, your natural workflow. It’s important to have the insight as to which of those we should configure, which of those we should leave off, etc.

TCT is very fortunate. We’ve got a great team of folks that handle the operational support and implementation for TCT portal. The existing clients have seen and commented on the speedy responses that they get. We’re not the organization where we’re sending you a response e-mail to say we got your e-mail. Instead, we’re actually fixing things, providing expedient resolutions. Most of the time, that’s within hours. For organizations that work with TCT, if you don’t see a feature that you are seeking, then we want you to ask about it. Oftentimes, we try to make the TCT portal as streamlined and easy to consume as humanly possible. That said, the kind of streamlined front-end interface kind of overshadows a lot of the power of the platform. We’ve got a ton of capability that’s built into it. And oftentimes, those features are really built into the system, but we just need to go ahead and turn them on for the target organization. And the other side is that since 2015, TCT has been integrating customer requests into our product updates and feature and function capabilities, etc. So if the client’s asking for something that’d be really cool for the platform, then we’ll go add it to the list and we’ll let them know once we go ahead and release it. It’s part of what’s made the TCT portal kind of magic. It has been fun watching it unfold since the 2015 arena when we first moved it into production.

For sure. Now, what type of prep needs to be done for software implementation? That’s a big thing, right? People will talk all about the magical things that a tool can do for you, but not give you any idea of how long it’s actually gonna take you to set up and use it. Well, you wanna make sure that the folks who are most involved with your compliance management are the ones most central to your implementation process.
So, walking in prepared, having certain information at your fingertips, is going to help. So things like, which of your personnel are gonna be involved in the implementation? What’s your approach going to be for the various certifications that you have? And what I mean by that is, in one organization, maybe they only have to go through PCI, but in another organization, they have SOC and PCI and HIPAA as an example. So what’s your organizational approach? Is PCI the centerpiece, and SOC and HIPAA kind of fall off of that, if you will, or are mapped from it? Okay, that’s one approach. Another approach could be your assessor has provided a consolidated request list for the items that they want to go ahead and take advantage of. And so we really want to work from this consolidated request list and have that mapping off to the various compliance standards. So how do you want to go about the initial configuration of assignments to personnel? That type of thing. So you want to spend time getting everything configured right within your new compliance tool and planning out ahead of time how you want to go about getting that set up.

Well, what kinds of testing would you recommend before rollout? How do you make sure that we’re in a good spot, you’re not going to cause more problems than you solve? Well, it’s a hell of a lot easier to catch tweaks and modifications to the implementation during the early phases. So, configuring your new compliance management system during that implementation phase, then you want to deploy a couple of sample tracks for doing dry walkthroughs. Those sample tracks will let you kind of play around and play out different scenarios that you’ve got as you’re kind of doing your normal rigmarole through the annual compliance engagement and/or your operational tasks that you’re doing over the course of the year.
So as an example, spin up a track for provisioning evidence, and then as you’re building out that track and going through your dry runs, walk through different types of questions like, do we want to have a step for reviewing the evidence before it moves up to the next person? In other words, your front line provisions evidence, then do you want to have an internal QA step? Do you have third parties that need to get integrated into this workflow at certain points in the game? Is everybody able to gain access to what they need? What else did we forget to go and set up? Also, I’d recommend to organizations, thinking through special use cases that might be unique to their organization, doing dry runs to make sure that those particular scenarios are getting accounted for appropriately as you’re kind of going through the process. If you’ve got those multiple certifications, then making sure that we’ve got evidence mapping, basically heading from the right track to the right track. So if you’re mapping down from PCI down to either ISO 27001 or SOC 2, whatever it may be, making sure that as I go and drop my network diagram onto my PCI track that it’s auto-populating into the secondary tracks, go through and make sure that’s done. You want your system doing the work for you, so take advantage of as many of the efficiencies as you can build into your overall compliance process. Once you’ve gone through and thoroughly vetted that process, you’ll be staged well for smoothly operating the system into a live engagement, you know, without it turning into a big, onerous process. Training fit into the equation. Hey, do me a favor? I don’t know what happened, but your phone did the whole dropout thing. All I heard is into the equation.

Okay. Coming back in. Okay. In three, two, one. So Adam, how does training fit into the equation here? Well, I mean, once you’ve gone through and done your validation and any needed modifications, you know, etc., you want to start orchestrating your training, you know, organizing your training by groups. So for example, if you have personnel and vendors provisioning evidence, then you go and put them into the provisioning evidence training group, you know, type of a thing. You know, show each group how to use the system, you know, and, you know, there could be various groups that you’ve got. You know, maybe you’ve got people provisioning evidence. Maybe you’ve got people performing oversight, you know, managing the process, et cetera. So, you know, break up your training so it’s appropriate for the different groups to optimize their time, and then show them how to use the system and keep the training relevant to their role, walking through the tasks and activities that they need to complete within, you know, the new compliance management system. You know, and you want to be making sure you’re provisioning training to everybody that’s using the new tool. So internal employees, vendors, you know, partners, consultants, assessors, you know, all of that.

You know, most certainly, you know, the one thing that I would say to organizations, and I say this a lot, is you want to own your own tool for your compliance. You know, you may change your assessors, you may change your consultants. Don’t get sucked into the notion of using their tool, you know, and whatnot. Instead, get your own tool, aka your own license for TCT portal; then you can have your consultants and your assessors be part of your workflow. Just makes things a hell of a lot easier for you, the organization, going through compliance by a long shot, number one. Number two is that as you go through your year over year, now you don’t run any risk of losing a repository that was nicely organized, but it was on your assessor’s systems, etc. Just a couple of pointers there. Again, one other pro tip related to training, and that is it’s really tempting for organizations to go, hey, we just got the new tool, let’s train everybody, as soon as the training system’s there. But the problem is that certain of your personnel aren’t going to be using the tool maybe for a couple of months, that type of thing. By the time that they get in and start working on the tool, they will have forgotten, you know, the vast majority of any training that has been previously provided. So, as you line up the groups, also be cognizant of when they’re going to be, you know, getting ready to access the tool, and stage your kind of training sessions, you know, accordingly, if you will.

Now, what kinds of continuous improvement should fit into your annual engagements? It’s easy for you to say. Conduct a post-mortem at the end of your first cycle. Bottom line is that when you, you know, you’ve now, you’ve gone, you’ve done all the work, you’ve set everything up, you’ve made it through your first year, etc. As you round out that year, do a post-mortem at the end of that year. You know, what types of input and feedback can you get from the team? How can we make this better, make improvements? What things did they struggle with? What adjustments can we make for our next compliance cycle? I mean, you’ve got to look at your relationship with your compliance management tool as one that does need to evolve. So you also want to go ahead and look ahead to your next year. Do you have any upcoming business requirements that we’d need to get integrated? You know, do we have an acquisition coming? Do we have some new compliance standard that we see on the horizon? You know, so kind of doing that work, getting that plan together, et cetera, is going to be super helpful. Gathering all of those is really helpful while it’s fresh in everybody’s mind, right? Right after they’ve gone through the process is the best time to go ahead and collect those inputs because they’re still remembering. Otherwise, even if you get, you know, a couple weeks out, you know, people are already kind of forgetting the pain that they went through or things that they thought could be better, et cetera. So go ahead and gather those up, you know, right away. That way, you can take those elements, build them into your next compliance cycle, et cetera. You know, these are the things that we need to look at. The other thing that I would say for organizations that are going through this is that the ongoing compliance approach is something that, as you integrate these enhancements year over year over year, it’s just going to continue to make it better and better and better.
As well, depending on your choice for your compliance management system, I would certainly implore organizations to leverage what TCT calls an operational compliance approach, which is spreading out your compliance elements, your compliance collection points, all through the year. Certain things that organizations should be doing every day, every week, every month, every quarter, twice a year, once a year. Not only making sure that you have data collection points for all of those regularly occurring items throughout the year, but also even looking at your annual items and figuring out, hey, how do we want to spread this out so that it’s not this gigantic compendium of work that fits right in at the back end and makes the tail end of your compliance cycle just a pressure cooker. You can make your world easier; it just takes time and planning. Just plan your work, work your plan.

I love it. Parting thoughts and shots for the folks this week, Adam? Well, when you’re looking at this process, a lot of folks will get, I call it doing the compliance zombie walk. This is what we did last year, so we’re just going to go in and do the same thing, type of a deal. I would implore organizations to take a fresh look at their approach to compliance. Honestly, if you’re using a spreadsheet and/or a network drop zone for managing your compliance, you absolutely should be looking at: there’s a better way, what can we do? How long should a software implementation take? It depends on your choices; it depends on which compliance management system you decide to choose. But for some of the compliance management systems, it could take months to a year or more to get the compliance management system fully rolled out. The good news is that, you know, TCT has been, you know, we’ve been in this space for a long time, and honestly, if we have a client that just wants to, needs to use, let’s say, a standard, you know, PCI DSS self-assessment questionnaire D for a service provider, and just wants that deployed, honestly, we could have them sign, you know, sign in the morning, give us all their inputs before noon, and we’d have them running, you know, we’d have them running by early afternoon, you know, on that track within the system. Impressive. It literally can happen that fast. Yeah. If people have additional things they want to get configured, or a custom request list, or blah, blah, blah, then yeah, it might take a little bit longer, but we’re not talking, we’re certainly not talking months. Maybe a couple of weeks max, type of a thing. But I would say most of the organizations that we spin up on the platform, literally from the time that they signed to actually using it, it’s days. For anybody out there that is looking for a better system that’s easy to implement and makes your compliance management suck less, well, you know the right folks they had to.

And that right there, that’s the good stuff. Well that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.

Remember to follow us on LinkedIn and Twitter!
