Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Stop the Compliance Insanity!
Quick Take
On this episode of Compliance Unfiltered, the CU guys give the audience a break. We know the struggle and heartache a less than stellar compliance program can breed.
On this episode Adam lays out exactly how you can get your compliance sanity back! Curious how you got to where you are? Wondering how you can gain a foothold to get back to normal? Wondering what tools can set you on the right path?
Well the CU guys have you covered with all these answers and more, on this week’s Compliance Unfiltered!
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in. In addition to Compliance Unfiltered, I’m Todd Coshow, alongside the cream and sugar to the perfect cup of your compliance coffee, Mr. Adam Goslin, how the heck are you, sir? Well, I can tell you that I’m probably about, I don’t know, maybe eight cups in so far today. It’s been a good day. Well, experience is the best teacher, as they say, so that tracks indeed.
Speaking of, we’re going to talk to the folks today, Adam, about stopping the compliance insanity. So how does a compliance process work for most organizations each year? Well, the way it works for most companies is that you’re eyeball deep in day by day, whoever is kind of coordinating, orchestrating your compliance has probably been griping at everybody going, hey, it’s almost compliance season.
You’ve got to start taking this stuff seriously, we’ve got to get moving and blah, blah, blah. And everybody’s busy and yada, yada, yada. And basically you hit this point where everybody in the company is forced to basically abandon ship on whatever they were working on because now it’s compliance season. You know, we have it seasoned and yeah, I do. Yeah, I did that. And so, you know, everybody just basically migrates over into the compliance arena and starts madly putting in the long hours trying to gather up all of their stuff, and sending it in, depending on what role you’re playing on the compliance engagement.
If you’re a participant or you’re provisioning evidence, you’re asking yourself questions like, what is it I need to do again? When do I need to have this done? Where do I need to go put the evidence again? And meanwhile, you as the sender, you’re giving the Project Manager updates in the hallway, updates at meetings, you’re sending them stuff through email, text messages, phone calls, dropping it in various locations on file servers, on shared drives, blah, blah, blah, blah. So that’s kind of from the perspective of the person shipping evidence side. The poor soul that actually has to hold this all together, they’re busy trying to keep up, because it’s not just Bob that’s sending in evidence, right? This is probably multiple people on their team, maybe multiple vendors that are provisioning stuff to them to check all the boxes for compliance. They get the joy of having to basically coordinate or herding all of the compliance cats, if you will. Constantly having to remind people what they need to do, constantly reminding people when they need, constantly reminding people to put it in the right spot, and, and, and. And it’s just, it is an absolute f-ing nightmare to go through the process for most organizations. By the time that they’re kind of getting out of compliance season, if you will, their work is all backed up, their bosses and fellow compatriots and whatnot are griping because there’s other projects that are behind, everybody kind of just abandons the, you know, the compliance thing as quickly as they can. The poor central person that has to coordinate everything, well, good luck to them if they want to go and get some of these people back into the process again. So you’re dealing with delays there too. It’s just all the way around, it’s a nightmare at the end of it. The organization is just basically going back to, you know, all the stuff that now they’re behind on type of a deal, with their normal day job, etc.
Most of the time, the compliance arena is just left in this haphazard state. A lot of people say, typically say that, gosh, we really should do duh, duh, duh, duh to make this better, it’s a fleeting thought for a moment as they all go back to their normal day job. And then they fast forward, whatever it is, 8, 9, 10 months later and poof, guess what? It’s compliance season again. It’s almost like you might as well just go ahead and kick off the circus music and just watch the same shit show unfold again.
Actually, this is a fun story. So, way back in the day. I used to work at a company, and the people that were on my team knew this joke. Every time that I would just get some inane request from somebody, I would literally kick off this midi sound file on full volume of circus music, and I would sit in the middle of cube land, and I would throw my hands up in the air, I’d throw the circus music on, and I would spin in a circle, and that’s how my team knew that I’d just gotten some super dumb request. That’s fantastic. Yeah, whatever. Yeah, it was a good time, but actually, that’s kind of what it feels like when you’re walking back into that compliance process, is cue the frickin’ circus music, and everybody throw their hands in the air, we’re just gonna sit in our chairs and spin, it’s gonna be great.
So why the topic of stopping the compliance insanity? Well, I mean, the definition of insanity is doing the same thing repeatedly, and expecting a different result. The bottom line is, is that these organizations, I feel bad for them, it’s why we got into this space, is to try to help cure some of the pain. The reality is, is that I want people to do something different, and break that cycle of compliance insanity, because there’s just way, way too many organizations that do it. I really struggle with companies that just keep doing the same damn thing. It’s a gigantic pain in the arse.
100% agree. Now how can organizations step up their tooling game? Well, most certainly, leveraging a kick-ass compliance management tool like TCT Portal would be a great start. The reality is this. When you sit and you think about all of the various and sundry, just horrifying waste of time on these engagements, right? And I talked about some of them earlier. The people on the team, not even sure, what am I supposed to do? What did I supply last year? When do you need it? Where do I put it? All of those questions are answered when you’re leveraging a system that’s doing all the heavy lifting, if you will, that’s a gigantic pain to try to manage as you’re going through a compliance engagement. These are things that just naturally come out of a system. So certainly you’re making the participants’ lives easier through the process. They are wasting less actual time. And I’m gonna draw a distinction between actual time and kind of calendar time. What I’m getting at here is that the participant themselves, that they don’t have to go ask somebody, you know, go ask somebody the question, they can self-serve, they can go into the system and see exactly what it is that they need to go do, etc. On the flip side, if I’m back in like manual land, if I’m in manual land, what happens? Well, there’s one of several things that happen. One, the participant goes and sends an email to the Project Manager, you know, saying, Hey, uh, what is it I need to do again? And then they sit around and wait. So now they’ve stepped away, they’ve done their job, which is, I’ve asked the question. So now they step away and disengage from the compliance stuff.
They go off into their own little world, maybe hours later, maybe days later, the Project Manager’s coming back and telling them yet again, what it is that they need to do, uh, you know, and then there’s a more of a loss of calendar time while you’re waiting for this person to receive, read, and allocate the time to get back into the process again. Meanwhile, I’ve lost, uh, calendar time. I’ve certainly lost multiple days in the process, and it could even be weeks. Right. And that’s just one person, that one person with one question, you know, blah, but now I’m seeing these calendar drags, um, that start happening, it’s a good part of the reason why on these compliance engagements, it seems like it’s just endemic, to the compliance process is, they’re typically running behind. It’s typically everybody’s flying by the seat of their ass. That’s typically high pressure. It’s typically a lot of stress, that type of thing. So that’s kind of from the participant side. They can do things like go ahead and look up their assignments.
They can see, well, the dates that they’re due, they can even reference the evidence that they provide from the prior year. One of the greatest parts about leveraging compliance management tooling is that one of the big problems in organizations is turnover, right? Especially in today’s day and age, there’s a lot of people that are moving on to different jobs, and/or retiring, you know, etc. Or, maybe even just moving roles within the company. Now I’ve got a rock-solid historical repository of exactly what Mary did last year. So when Mary goes and finds another job or is unfortunately part of some layoffs, or retires or gets promoted, now when Frank needs to come in and can take over for what Mary was doing, Frank now has an absolute crystal clear repository. What did Mary do? What evidence did Mary supply? What tweaks did Mary need to make? All of that, it’s right there. You start compounding all of this time that gets saved by the various people that are engaged, but most certainly, there’s savings across all the participants when you leverage a system like this. The person that ends up being the one that has to try to hold all this together, or herd the compliance cats as I like to say, that person, they now have tooling that’s live, it’s up to date. If somebody submitted something three minutes ago, I know about it. Normally on these compliance engagements, the organization will kind of, they have to get on some form of a cadence just to kind of keep things on track. So let’s say they start and they start with a weekly compliance meeting to regroup.
The person that’s at the eye of the compliance hurricane, they’ve got to sit there and spend hours going through all the submissions that everybody’s put in and all the screwed up places. They dropped evidence and, and, and, and, and just to try to figure out where do I think we’re at? The saddest part is the minute that they start doing those updates, their updates are already out of date, right? The people that have been at the center of this compliance stuff, you know, and I know, and they’re chuckling right now, they go and they show up to the meeting and it’s almost like human nature, right? Oh crap, I’ve got this meeting. So, oh jeez, I told so-and-so is going to get this thing done. So what happens? I started my update four hours ago, right? And yet in the hour before that damn compliance meeting, I’ll be damned if, you know, 16 to 50 different pieces of evidence just magically materialize right before the meeting. So I’m getting on the call and I’m like, you know, whatever, you know, Bobby, you said you were gonna get this done but on my manual status update I’m showing that it’s not done yet. Oh yeah, no, I thought I submitted that type of thing. You get this indignant response, right, and meanwhile Bobby, three minutes before the meeting, just went ahead and launched something at you, and now it’s buried in all the other updates.
When you go into a compliance management system instead, all I have to do is hit the refresh button on the damn interface and poof, I can see it. Oh yeah, Bobby, that’s right, you did go submit that, whoa, hold on a second, yeah, three seconds ago, thank you, you know? And so it’s just, it makes a huge, huge, huge difference. The people on your team, you know, they’re not experiencing as much pain. They’re automating all of the singularly largest waste of time on these engagements. Everybody on the team is recouping hours, no one more than the person that gets the joy of being the eye of the compliance hurricane. The team has less stress, etc. And guess what? Even the bosses are happy because in the compliance process, people aren’t coming out of it feeling like they got run over by a Mack truck, they’re actually able to clear their compliance stuff with far less strain and can get back to doing the regular things for the organization. So it makes a huge difference when you step from the compliance insanity into, you know, into a compliance tooling arena.
Are you there? Oh, I’m sorry. I said, what else can a company do to alleviate the strain on their team? Well, certainly for a foreign organization, you know, they, yes, the tooling is the first step, but, you know, really what I would recommend to organizations is in the TCT portal, we have a mode that we call operational mode. Basically, it takes all of those tasks that they do over the course of their compliance year and spreads those recurring tasks out so that you can make sure that you’re keeping up to speed with the things that you’re supposed to do, you’re alleviating the possibility of showing up to the annual audit, only to find out that, oh geez, you know, so-and-so didn’t do fill in the blank, and especially with the turnover arena that’s huge because a lot of times the noob that’s coming in, they don’t have any idea. Well, what was it that, you know, that Fred was doing with fill in the blank, they don’t have to wonder anymore because they’ve got that solid historical repository, they know exactly what items Fred had on his plate, you know, they can just pick those up, they know when they’re due, etc. The other benefit of moving into that operational mode, what I’ll typically see for an organization the first time they come in, they’re using the tooling, they’ll typically go in like a one-time mode. Just trying to get everything done, get it through the workflow, get it into a completed state, breathe a sigh of relief and, you know, then move on to year two. Maybe then they start dipping their toe into the operational mode water. Years three and four, what I’ll see is they’ll start to kind of perfect their operational mode. And what I mean by that is, not only am I now able to keep up with all those regular recurring tasks throughout the year, but they will also have the capability to take the once a year tasks and sprinkle those out over the course of the year.
So instead of this super nuts, hectic, process of, oh, compliance season, and everybody just goes heads down for anywhere from weeks to months at a time. Now you can spread that kind of compliance love out over the course of the year, get people doing things in smaller bits and chunks and things like that. It’s a heck of a lot easier to manage your compliance engagements, etc.
The other kind of real use of technology, is many organizations aren’t just subject to a single form of compliance. It’s not just PCI, but it’s PCI and HIPAA and ISO and SOC, whatever, it depends on the organization. But there’s also ways to be able to leverage the technology so that I can supply evidence once and use it many in a fully automated fashion. So there’s just a ton of things that you can do with the technology to make your world better. More often than not, the teams just don’t realize, they’re so used to the insanity, that it’s just, oh, the circus music cued. So now we all know what we need to go do, right? Instead of that, break the cycle, break the cycle, start using technology to really help the organization, smooth things out. For sure.
Now, give me a favor, Adam. Tell the listeners about our recent and upcoming opportunities to show organizations a better way to reduce their compliance insanity. Well, we were just at the PCI North America community meeting out in Boston. We were able to certainly rekindle relationships with all of the folks that we work with all year long. It’s nice to be able to see a great number of them face-to-face. Especially in the PCI arena, it seems like it’s a relatively small community in the grand scheme of things. Well, there’s a lot of people involved, but it’s funny how small that world is, but no, it’s great seeing them. Being able to spread the word to organizations about the TCT portal about the things that we can bring to the table, how we can help them, etc. It’s always fun being able to have the conversations with new folks that haven’t yet had the opportunity to hear about us. It’s a ton of fun. Also the Community Meeting is a good event for really anybody in the end-to-end PCI space, whether you’re a large-scale merchant, whether you’re an organization that’s subject to PCI compliance, whether you’re a service provider to compliant organizations like us, or you’re an audit-assessment-style firm. It’s a good opportunity to brush up on the latest and greatest what’s going on in the PCI world and to rekindle existing relationships and make new friends. In addition, we are going to be in Barcelona for the Europe PCI community meeting in a couple weeks from when we’re recording this. That’s going to be October 8th through 10th in Barcelona, Spain. So again, we’re really looking forward to kind of regrouping with the folks we know, spreading the word about the TCT portal. There’s nothing I like more than alleviating people’s compliance management pain.
Excellent. Parting shots and thoughts for the folks this week, Adam? Well, please, please, please, for all that’s good and true in this world, do not keep living your compliance nightmare. There is a light at the end of the tunnel, it’s not an oncoming train. Step into this technology space. What I hear from organizations that step into this world of… going from the compliance insanity, they used to go through. It’s always fun having conversations with them like three, four years later, you know down the road, we’re having a discussion with them and it’s almost like they can’t remember how much it used to suck to manage their compliance. You know, they’ve really, they can’t believe that they used to do it that way. Just the relief that I, you know, that I see in them when we’re having the conversation and honestly it’s a great feeling knowing that we’re able to help them. They’ve been through the process and, you know, they’ve kind of perfected their compliance program, you know, and they’re not living that hell anymore.
It’s fun. It’s really, it’s great being in the space to be able to provide that, you know, kind of mutually beneficial, you know, relationship with folks. When I started TCT, I set out to build the system that I wished that I’d had when I had to first go through compliance. And it’s fun being able to bring that to other people because I know their pain. I lived it firsthand, which is why I built the damn system. You know, for anybody that’s listening to this pod, you know, that already knows TCT and the capabilities, you know, etc, you know, do us and people that you know a favor, let them know about TCT. Don’t assume that they know about us. You know, we got into the space to help people make compliance management suck less, and I know that we’d both appreciate it.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.