Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: Compliance Management Systems: Making the Case


Quick Take

On this episode of Compliance Unfiltered, Todd and Adam have a heartfelt conversation about the perils of STILL, IN 2025, using a manual compliance process for one’s organization.

The time, effort and energy required, year upon year, to manually yet properly complete a compliance engagement is mind-blowing… Sound all too familiar? Then this is the episode for you!

Want to be a guest on Compliance Unfiltered? Have a great topic for us to cover? We want to hear from you!

Contact the show: [email protected]

Read The Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.

Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the old to your compliance, Lang Syne, Mr. Adam Goslin. How the heck are you, sir? I am doing fantastic today, Todd. Yourself? Cannot complain. Happy new year to you. Happy new year to the folks out there in Compliance Unfiltered land. We are excited to be chatting with you again today.

We’re going to make the case, Adam. We’re going to make the case for a compliance management system. Talk to us about it. Well, I just wanted to let the listeners, especially of this pod, know: if they know people that are doing compliance manually, using spreadsheets, using homegrown systems, detesting the compliance season coming around because it’s such a pain, this is the episode to forward. There’s going to be a lot of good content in here.

When we created TCT, it was really a product born out of the struggle of trying to navigate the lovely world of compliance. We’ve lived the pain ourselves, so we decided to help folks out there. One of the core tenets of TCT is helping others by making managing compliance suck less, so we’re all about it. Indeed, the struggle is real.

So tell me, why are companies struggling today with their compliance management, and with convincing their boss to allow a change? Well, what happens in organizations is they’re really creatures of habit: we did it this way last year, so we’re going to do the same thing again. The other struggle is, honestly, for the majority of folks that we’ll call at the top of the food chain, whether their title ends or starts with a C and has a couple more letters after it. For folks at that level, they really don’t have any material idea what goes into managing compliance. They order it done, they walk away, and poof, it’s finished at some point down the road. There’s a whole lot of pain that happens between the beginning and the end of that process. You really want to get these folks on your side, and show them that doing this manually is not a good idea anymore. What you’re seeking is light bulbs starting to twinkle, with these are the reasons why doing it a different way than we’ve been doing it is a good idea.

So what should the compliance manager start tackling with their CEO, CFO, random three-letter-acronym people? You’ve got to realize that anybody that’s at that level, they’re busy. I mean, they’re busy. They’re juggling a lot of different things, CEOs different from CFOs, etc. They don’t have time to get into minutiae. They need to be able to go in, make a call for the good of the business, and move on to the next fire that’s burning. Just coming in with, hey, I’d like to spend money, usually doesn’t bode well. It’s their gut response to fire things down and whatnot. If you want to be heard, then you need to be able to walk in, check boxes or hit targets as you’re going about that presentation. And it really does come down to how you present this information. You can do it in a relatively streamlined fashion, but it’s going to take some upfront work. You want to make sure that the delivery of your messaging is relevant to their priorities. Why should they care? Why should they care if this is going to make your world better? Yeah, I’m not saying that they don’t care about whether it makes your life better, but you want to connect that relevance to priorities that they share. You want to pack this presentation into as concise a delivery as humanly possible. You don’t want an 87-page PowerPoint that’s going to take two and a half hours to get through. You’re going to lose them after about seven minutes. So you want to make it as short as possible, trim out all the fat in the delivery, cut straight to the chase. You also want to communicate very clearly; you want to think in bullet points, not paragraphs. Make it such that the delivery style is readily actionable. You cue it up, you tee it up. We’re going to get into some of the specifics as we go through this today. But you want to be guiding them toward specific decisions and specific outcomes, so that you have a better chance of having them relate to the information that’s being delivered.
That’s going to give you your best shot at being able to get them on your side, allowing them to really make a decision which is in the best interest of the organization and the best interests of their internal team members. You want to head them in the right direction.

So, word has it that they want to know what’s in it for them, not the compliance manager, right? Oh, yeah, yeah, for sure. While I’m sure that they hold the compliance manager on a high pedestal, at the end of the day it’s about my needs. For executives, their job is to build the business that they care about. High-level vision and mission for the organization; they want to be able to achieve certain productivity and financial goals each year. The decisions they make need to be able to help them achieve those priorities, not compete against them. Part of the role for the CFO is making sure that they’ve got a way to show up with all the numbers that are black on the right side of the ledger as they go through and do their process. So every time they’re spending money, they see it as a threat to that balance that they’re trying to strike, especially for the CFOs. And often you’ll see the gut responses, in essence, and it’s delivered in a myriad of different ways. Their gut response to any form of an expense request is quite literally, how can we avoid spending this money? Whatever, you got a phone system, it’s old and needs to get upgraded, but replacing it will marginally help employees do their jobs better, and it’s going to require $100,000. Well, then you can forget it, because there are better things to go spend money on, and they’ll continue the support and maintenance activities. But if you can have the executive seeing the business benefits of making the investment, then you really do end up with a legitimate shot at being able to convince them to head in the right direction.

Now, CFOs especially like risk reduction; tell me more about that. Well, they hate risk, especially financial risk. The basic premise of their job is risk minimization for the organization. And because spending money inherently introduces risk, they walk into it hesitantly, especially for new investments. There’s a balance of risk and reward while keeping your company in the black, and the objective is to have it be more in the black than it was the year before. So spending money unnecessarily can, for a CFO, be restricting the company’s air supply. And so to get that spending request approved, you need to help them see that the compliance management system will actually reduce net risk to the organization, and create additional business benefits for the organization. I mean, there’s just a lot of things that go into the discussion with these folks.

One of the key points execs get into is the return on investment, right? The ROI really matters. So explain a little bit more about that here. Sure, the reality is that they want to know what’s the payoff. Well, what is the quantifiable return on investment of the compliance management system within a reasonable period of time? And especially the CFOs. I mean, they’re looking for numbers, right? ROI doesn’t necessarily have to be more revenue. It can come in a number of different ways. ROI could come in manners or approaches like increased profitability. Doing what we do, just more efficiently or more effectively. Reductions in employee turnover. I mean, employee turnover, if you think about it, that is one arena with just huge additional costs that get tied in. Every time you’re turning over an employee, you’re certainly losing a vast compendium of knowledge. You’re in the position where you have to go ahead and train up the replacement. It’s going to be months, if not years, before that new person is going to be on par with the person they replaced. ROI could be increased sales. It could be increased efficiency, increased productivity. The key is to be able to show how the business is going to be better, or stronger, in some manner that’s quantifiable.

So, the one area where I’ll see, especially with the folks in compliance, struggle: they almost view it as an insult, and you shouldn’t. You just need to understand where these folks are coming from. To the CFO, the numbers tell a story. The numbers bring clarity to decision making. If they can see numbers, you’re almost empowering them to justify the decisions with some sense of clarity as they go through the process. So 2% makes sense, yeah, but a 2% increase in quality isn’t the same as a 20% increase to executives. They want to find solutions that are going to promise that big bang for their buck, speedy returns on investment. There’s nothing that’s going to warm their hearts more than being able to make some type of an investment, and have some projected timeline over which they’re going to be able to run down that path.

Now, as you go through the process, there are a number of things that I would recommend to the compliance managers that they do upfront. They’ve got to understand themselves. It sounds weird, but yes, they do this day by day by day, right? It’s one thing to be able to herd the compliance cats all year long, and especially in compliance season, and it’s another to really sit back and look at numbers and statistics that are going to help you as you go through that process. You’ve got a number of team members, as an example, that get involved in compliance activities. How many people, for what period of time? Oftentimes for the core team, you’ve got the core players, they’re neck deep in compliance for a period of certain months, if you will, two to three months, let’s say. But you’ve got other folks that also get involved, and maybe for less time. But getting a notion of who all’s involved in your compliance across the course of the year, and approximately what time investment they’re putting into those compliance activities, that’s one piece.

Another piece to understand is, we’ll call it, the average hourly cost of team members. Maybe what you wanna do is, you wanna group these folks into highly technical boots-on-the-ground people, less technical boots-on-the-ground people, middle-management-style people, and just get an idea of what the costs are for these various individuals. And then extending out the amount of time and investment against those hourly costs, to really get a good picture of your total hours of compliance-related work. For the compliance manager, it’s going to take some sitting down and thought, and maybe you’ve got to go back to your calendar. Maybe you’ve got to go back to interactions with your assessor, things along those lines. But keeping in mind, you’ve got the annual spin-up and kick-off process, you’ve got initial data gathering, you’ve got gathering up of evidence and data, and getting those all to the right spots. There are certain tasks that are being done, we’ll call them operational compliance elements, that are happening all year long. You’ve got those that now fit into the mix as well.

For the compliance manager, also some things to keep in mind: you’re getting stuff from various departments as well. So you’ve got inputs coming from vendors, you’ve got inputs from HR, from legal, developers, your networking group, change control, and, and, and. So you’ve got all of those in there as well. And unfortunately, I was talking about employee turnover earlier; that’s one of the things that plagues these particular engagements, employee turnover with the core members of the team. That is something that has a pretty detrimental impact on the engagement, because now you’ve got to go bring somebody else up to speed, because of the fact that you’re not using a system. You literally have to do a lot of work to get these people back up to snuff. It’s a lot of information that needs to happen there. As you get from gathering up data points, now we need to take that information, those data points, and really turn them into a story. Use those hard numbers to paint a picture of the costs of your annual compliance. You’ve got all sorts of disruptions that happen during the year as you’re going through. So, looking at the various time that needs to be spent on the engagement, the compliance manager wants to think about some of the activities that happen through the year. Checking engagement status, where are we? I talked about this in detail before, but it sounds like an easy thing, right? Hey, where are we at?

Sure. Except for the fact that if you’re using a manual system, every time somebody asks you that question, it takes hours to go put it all together. Where are we? I don’t know. I’m going to go in my cave and I’m going to go figure out the engagement status. So it’s figuring out engagement status. It’s the cat herding that you had to do to keep people accountable, following up with them. Where’s the evidence you said you were going to provide? Tracking that evidence down. For a lot of the folks in the compliance management arena, especially those that aren’t using automation, they’re in a position where they’re getting evidence coming at them through emails, items getting dropped on the file server, thrown on a SharePoint, sent to them via text messages, and left in voicemails on their phone. Somebody tells them while they’re sitting in a meeting about some other topic, oh, by the way, I put da, da, da, over here. It’s coming at you from every effing direction. For the vast majority of people that are handling this stuff manually, they’ve got spreadsheets that they leverage and maintain to be able to keep everything up to speed and organized.

Well, now I’ve got to go in and I’ve got to actually update the spreadsheet with all the crud that I just learned, and all the other stuff I was just running through. Depending on the organization, they could have to write reports, and things along those lines. So, there are also unexpected labor costs over time, hiring that’s needed. We talked about turnover, but even onboarding new team members each year, I mean, these all really play into the cost of the ongoing endeavor for the organization.

You really want to be able to go in and figure out what all it is that we’re putting into that engagement. Those are all elements that have to play into it. Now, the one good-news piece of it is, for those that may not be aware, you can go out to the website. I like to tell people the short-form version to get to the website, but it’s www.gettct.com. If you go there and you go to Resources, you can go to ROI Calculators. We’ve got two different calculators. One is for organizations that we call applicants, so that ROI calculator is for people that are subject to compliance. We also have another one for assessment firms, so they can go in and run theirs as well. But if you hit Run the Numbers, then there’s a little block in there where you can go ahead and type in the total hours that you spend each year on various tasks across the course of the year. Once you’ve gone in and put all of those numbers in, then you can go ahead and hit Calculate, and what it’ll do is, it’ll go down and make a calculation on how much return on investment you would expect to see from the use of automation. There’s a lot of good information in there. But the legwork that you put in up front, thinking this stuff through, as well as the use of the ROI calculator itself, that will go a long way toward putting the compliance manager in a position where they’ve got the inputs and data for presentation to their C level. It provides them with some various things that they can bring to that conversation. But again, the key is just get it condensed, get it into an easily digestible mode; that way you can go ahead and just have the direct conversation with the C level, and try to get the system implemented, get them on your side, and ultimately it will be better for both your team and for the organization overall. Nice.

Are there other ROIs to consider? Well, certainly there are several business rewards for those that haven’t used an automated compliance management system. Certainly, productivity is one of the biggest winners as you go through and implement a compliance management system. If you have a team of six people, and your engagement’s taking around 2,000 man-hours a year across all six, then you’re going to see some pretty substantive savings in year one. And the coolest part about these systems is, whatever you gained in year one, it’s going to get even better in year two. Because now you’ve gone and made the investment, you’ve got your arms around the tooling, you know how to use it, you’re just naturally more efficient in that second-plus year. So, you’ll be able to recover a good amount of time. It’s astounding how much time is literally burnt to the ground on these engagements with useless crap that you don’t need to be doing.

But I mean, I literally lived this, which is why I wrote the system. Some C-level person would come floating by and ask, hey, where are we at? And I said, it’s a pain in the ass to go put it all together. I would literally have to sit down at my desk, start at like eight in the morning, and it was around midday by the time that I made one pass through my stuff to try to figure out where everything was, because I was hunting down evidence. I was looking through all those various places that people would tell me that things had been updated. I’d go in and I’d look at evidence; if it was good I could pass it along, but oftentimes it wasn’t, so I had to go hand it back. So just poring through the evidence, moving things up and down, loading things over to my assessor. I mean, I had to take half a morning just to figure out where things were at. And the sick part about that is that I would have to go through that process not only if I had somebody pop up to me out of the blue, then it would depend on how recently I’d updated the sheet, but I’d have to do this weekly for the internal team meeting. I’d have a secondary meeting with the assessor, to sit down and talk with them about where we’re at, and whatnot. I mean, I would easily say in that six-person, 2,000-man-hours-in-a-year style scenario, and you move over to a compliance management system, oh, you can readily expect that you’ll be able to chop out about 500 man-hours of work in that first year alone. You start putting it into numbers like that, and let’s say it’s at least 500 man-hours in the first year, you’re probably looking at something more along the lines of a thousand man-hours by the second year.

What’s that worth to a company? Well, I mean, I’m going to go ahead and grab the old calculator, and let’s see: if I’m talking a thousand hours and the resource, at, oh, let’s say 45 bucks an hour, that’ll be a relatively low dollar amount for the types of people that are typically involved. But if I’m saving a thousand hours at 45 bucks, I’m at $45,000. This isn’t chump change; this is real savings for the company. It gives the organization choices about what they want to go do. So certainly from a productivity standpoint, the one thing that the C-level folks have to understand is that every single year that we continue doing it the way that we’re doing it right now, we’re literally lighting a match to hours. Well, what does that translate into? Well, that translates into, if I don’t have enough warm bodies to do what I need, well, now I need to actually go out and hire people. I don’t know about you, but I’d rather go ahead and save half a warm body every year than be in a position where I’ve got to go hire another one. I’d rather take the 45 grand to the positive, rather than go sink $190,000 into somebody. Profitability-wise, if you’re going through 2,000 hours in a year across your team supporting compliance, going back to the 45 bucks an hour, internally you’re putting $90,000 into your compliance efforts. Hell yeah, you want to learn how to save money on that. You get a large volume of savings as you’re going through these numbers year over year. So certainly, the organization can look at it as an opportunity to reclaim time and reallocate folks. You can do something with that regained time that you get. Certainly from a staffing perspective, those are some of the benefits for the CFO and CEO as they’re looking at the numbers, but there are much broader benefits to the organization that go way beyond that.

Certainly, we talked about how the improved efficiency may offset the need to hire additional personnel. That’s huge dollar savings there. Less overtime means that, depending on the cost structure of the organization that we’re talking about, maybe they’re spending more for overtime hours, so your savings could be even more than just the back-of-the-napkin run that you and I did. But probably most importantly is the stress reduction. We’ve talked a couple of different times in this discussion about how, when you have turnover within a team, that’s a huge, huge detriment to the organization. If people have less stress, then people aren’t going to burn out as easily, and they aren’t going to be as likely to quit. Happier employees leads to increased productivity across the board. So, as we go through all of these various approaches that we were talking through, it’s hard to argue with, oh, geez, I don’t know, we’re going to end up with reduced turnover, improved morale, greater productivity and lower labor costs. I mean, I’m not quite sure how you could argue that one. Checks a lot of boxes there, doesn’t it?

Now, what about the difference in approach to cyber liability insurance? I know this is a topic that we’ve covered on the pod recently, but I think it’s applicable to bring up here. Sure. The reality is that the insurance companies, more and more, are looking to make sure that organizations actually have their act together. They’re actually doing the things that they say they’re going to do.
They’re doing them when they say they’re going to do them, and there’s validation that they’re actually being done properly. And so what better tool, to be able to have all of my compliance stuff tracking and accountability, for yes, we’re doing the right things when we’re supposed to do them, than to use a compliance management system? I know that I think I shared this on the prior pod, but TCT recently had to go through our own expansion and renewal of our cyber liability insurance. And I quite literally got on the phone with the underwriter and I was showing them TCT; whatever expression you want to call it, but we eat our own dog food, if you will. We actually use the TCT Portal. Go figure. And manage our compliance. And so in terms of that, I was able to get on with the underwriter, and literally pull up our track and say, see, this is what we’re doing. This is how we’re running our program. Do you see how we have no open, overdue tasks? Do you see how we passed all of our Q1 and Q2 deliverables up to our assessor through the system? I could literally show them a system that had everything tracked, managed, and showing that we were keeping up with all of the things that we were supposed to do, in a way that’s relatable to them. They’re able to see that we really do have our act together, that we’re all over it.
And honestly, it made a difference. It put us into a situation where the comfort level of the underwriter was substantively improved, because of the fact that we were all over it, we actually had our act together. It’s a pretty big deal.

There are more and more folks in the cyber arena where the light bulbs are starting to go on that, hey, there are actually some companies that do have their act together from a cyber perspective. It’s cool that you got on the phone with the underwriter. Well, I told the insurance agent, I said, look, I want to get on the blower with this underwriter because I want them to understand who it is that they’re talking to. Who is it that they’re about to go and insure? How risky is this proposition? Because, I mean, in the grand scheme of things, TCT is an organization that’s headed by somebody that’s been in the security and compliance space for north of two decades, let alone all of the other and sundry expertise that we’ve got on staff. The fact that we really care about security and compliance, the fact that we don’t have to, but we elect to, go down our own assessor evaluation each year, and we’re trying to do things properly and appropriately. We adopted PCI v4 as soon as it was available. So, we just try to stay on that leading edge of doing things properly and appropriately, because of the fact that we take our responsibilities to our customers seriously. We’ve got a lot of people that depend on us for helping them make their compliance management suck less. And we definitely want to do that in a secure and compliant fashion. That’s for damn sure. Indeed.

Now that’s a lot, but at this point is the compliance manager ready for battle? The reality is that at this stage of the game there are a couple of additional I’s to dot and T’s to cross. Obviously, one of the recommendations to the compliance manager that’s heading down this path is, go ahead and contact TCT. We’ll show you the system, we can talk to you about the cost and pricing, as well as discuss your situation. You definitely want to walk into that discussion having done your homework, having run your ROIs, seen the tooling and learned what the costs are going to be. You definitely want to have all of that in hand, and then go and put together that total ROI. When I’m able to empirically show savings that are measured in the multiple tens of thousands, and yet the cost of the system is less than one of those tens of thousands, then it’s a no-brainer, right? It’s literally a no-brainer. And that’s part of the reason why we built the platform the way that we did. We’re not trying to go to the Bahamas off the backs of any single organization.
We’re trying desperately to help people, and there’s nothing that drives me crazier than seeing organizations that continue to struggle with manual compliance management efforts. We want organizations to be able to use this tooling to make their life better. But when you put all of those numbers together, the cost of the way you’re doing it now versus the cost of the tooling, I mean, the case almost makes itself as you go through the process.

But coming back full circle, we’ve covered a lot of different arenas. I didn’t want to steal your parting-shots ask, but this is pretty much it. Fair enough. You can have all the parting shots this week, Adam. As you get into this arena, I’m just going to come full circle and say, remember that this is no offense to the C-level folks out there; it’s just a reality. They’re busy, they don’t have a hell of a lot of time. They don’t have time for an 87-page PowerPoint. They don’t have time for a three-hour meeting. Honestly, if you do the detective work, you do the homework, you put together all of the numbers, you assimilate your existing cost structure for how you do compliance today, and you add in a lot of the material benefits that you’ll see from a compliance management system, including its actual cost, it’s going to write itself. But as best you can, and I know it’s hard, because folks that are in the compliance arena especially are detail-oriented, just fight the urge to give them every single aspect of minutiae as you’re trying to do the presentation. Just stick to the high-level brass tacks of what’s going on here. There are several intrinsic benefits too. I talked about additional benefits in year 2+. If you think about it, as you go through that first year to that second year, one of the biggest benefits is that you now have a rock-solid repository of what you did last year. It doesn’t sound like a lot, but I can tell you, and I know there are people that are listening to this, they’re just literally chuckling when they think back about the hell that they had to go through trying to figure out who did what, and how did they do it last year. It’s not easy, it isn’t. It’s a game changer when you can go log into the system, and know precisely who did what last year, what evidence they provided last year. I can go and look at the screenshots that they provided last year.
I can look at any written explanations they provided last year. If Mary got hit by a bus between last year and this year, and now I’ve got Fred that’s coming in to pick up the pieces, Fred can literally go into the system and review precisely what Mary did last year. That helps in a lot of ways, because I can’t tell you how many times I’d go and start engagements and somebody would say, well, what did I give you last year? Well, now I can say, go look. It makes everything markedly easier.

Honestly, putting together the business case is fairly simple once you’ve done all the hard work. But certainly, if there’s anybody out there that needs some help, or you want to know more about all this fun stuff: by all means, use our ROI calculators, they will help you. And second, reach out to the team. Todd and the crew would be happy to go show you things and answer questions. And certainly, if you’re looking for help building the ROI, make that a part of the conversation; I’ll be happy to jump into the fray with Todd and the crew to give you a hand. We’re here to help people make compliance management suck less.

That right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
