Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Compliance and Employee Turnover: Planning to Succession Plan
Quick Take
On this week’s episode, the Compliance Unfiltered guys take the time to plan their work and work their plan, as it relates to Compliance and Employee Turnover. Adam gives an in depth understanding of why compliance can be increasingly tricky during a period of employee attrition in the compliance realm. What happens when there is turnover? How can companies properly prepare to mitigate their risk of compliance staffing turnover? No worries, the Compliance Unfiltered guys have you covered on all these topics and more, on this week’s episode of Compliance Unfiltered!
Highlights include:
- Why do we use the expression “Planning to Succession Plan?”
- What makes compliance more difficult with turnover?
- How to capture this wealth of knowledge
- What happens when you change Assessors?
- What happens when you have turnover
- How to mitigate the risk of compliance staffing turnover
These topics and more on this week’s episode of Compliance Unfiltered!
Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside a man who I believe is currently in the process of patenting a game that you guys call compliance hopscotch, Adam Goslin, Adam, how the heck are you? I’m doing good, Todd. How’s it going? It’s another beautiful day. I can’t complain.
Today, we’re going to talk about something that’s important to every organization when you’re thinking about the natural ebbs and flows of business from a compliance scope. And that is compliance and employee turnover. And straight out of the department of thinking about stuff, we’re going to talk today about planning to succession plan, Adam. So tell us more about that. Just curious, why did you use the expression planning to succession plan? Well, actually, I just had a little bit of fun with it. One of my favorite movies of all time, the original Office Space Movie. It just did such a great job of capturing corporate America-isms. And at one point in the movie, the main character is getting interviewed by, the Bob’s, and on the whiteboard behind him was, in all caps, planning to plan.
So, I always have fun using references to that movie and whatnot. The whole movie struck me as hilarious, and so many parts of it are so true. So it’s a good movie, it’s a little bit dated. If folks haven’t seen it, you definitely should.
Well, let’s get into it then. I’m a big fan of Office Space first and foremost, so I appreciate that approach. What makes compliance a higher difficulty when you’re talking about turnover? Well, whenever you’re in the midst of a compliance engagement, the people that are involved, certainly those that are involved for that first time through, also the whole team really, is learning a lot as they go through the process, as they put their requirements up against their day-by-day reality. What do they have? What do they not? And so the whole team is just picking up a ton of knowledge as they go through the process, and every single company is unique. If you think about this company, versus that company, they’ve got certain vendors, they have certain systems they have in place, they have certain internal procedures, they have certain people that know information, and certain people have access to either information, or places and systems. So the landscape gets extremely complex. And there is no one size fits all, despite what so many of the smoke and mirror vendors out there are going to throw at you. The bottom line is, is that there is no silver bullet for, yeah, just do this one thing and poof all of your compliance woes go away. It just doesn’t work like that. So some of them do a good job with marketing it that way. But not really. As you’re going through the compliance engagement, the team’s learning as they go that first year when you’re just trying to get your arms around it and survive. I won’t say the first year, but the first run at compliance, regardless how long it takes, that one’s rough. You know, the second year gets a little bit calmer. But by the time you get three or four years in, now you’ve got structure, rhythm, you know what you’re doing. But the one issue is, is that you’re going under this guiding assumption for how calm or how painful it’s going to be, that you’re maintaining that continuity of the folks that have gained this knowledge.
Well, let me ask, okay, how is that wealth of knowledge typically captured? Well, for many organizations, I mean, it’s different for everybody. Most of it, quite frankly, is retained in human capital. For a lot of organizations, I’ll use my finger air quotes, but their system of record is typically data and information spread out all over Hell’s Half Acre. It’s data points and information that’s spread into emails and text messages, spreadsheets, file servers, Dropbox, and OneDrive. Maybe the company is using their assessor systems. A lot of the assessors will force the clients into using their system, which is okay. So maybe that provides some measure of structure, but the hands-on knowledge of who did what? Who did it when? It just goes out the window. And you also have the problem of, it’s on their system, right? This isn’t your system, this is their system that you’re visibly populating all of your wealth of knowledge into. And quite frankly, there’s a number of assessors that will leverage that as a sticky factor for protection to the business, and as an efficiency tool for their business. And I get those notions, but the big problem is, is that typically for the internal organization, their storage system is just an absolute crap show.
The other problem we were talking about was the assessor’s systems. What happens when, whatever, let’s say that my favorite assessor at such and such firm goes away, and then they get replaced with somebody that just isn’t a fit, or doesn’t do a good job. So you decide to change assessors, or the assessor firm gets bought out. If you have to go in and change your assessment firm, now the only repository that you had goes poof and you start over again. So as organizations are going through that annual compliance cycle, as you get to the end of the annual push, the team’s tired. I’ve heard this comment time and time again from folks that go through compliance, they’re like, we just need this done. I just need it done. Whatever it takes, let’s get through this. And, we gotta get this finished because we need to have this off of our plate. Whether it’s we’ve got a backlog of day job things, or we’ve got clients jumping up and down about where’s your reports. Whatever’s the cause of the pressure, we’ve got to wrap it up. As the organization going through compliance starts to near that finish line, man, people are just cutting corners, maybe in the first two, three months, right? They have this, hey, the files are always going to get loaded here. And then we’re gonna go ahead and replicate the status over into our Excel tracking sheet. And you’ve got all of this rigorous structure that everybody follows for the first little bit. As you start to get into the backend of these engagements, oh God, you got people that are getting texted pictures of evidence that they forward to their email, that they peel off of the email, that they then load straight into the assessor systems. And now, it didn’t go in the repository, the status didn’t get updated, and you’re clearing things out on the fly as you’re on calls. If the people that are listening to this have gone through it, they’re all chuckling because it’s so true, it’s so true. 
It seems to be just a mess at the back end of these engagements. So bottom line is, the internal systems typically get data and information sprinkled across a wide variety of different repositories.
So now, what happens when you have turnover? Well, okay, so you’ve gone through whatever your first year, or maybe you’re in your second year. Now you’ve built up that human capital with knowledge. This is going to be fun. I’m gonna be Mary for a day. So my name’s Mary, and I know that I need to go to Francis to go get fill in the blank evidence and oh, if we’ve got to go get this other evidence, well, now I need to talk to the other Mary about that. And so they know where they need to go, they also know which system. Oh no, we don’t need to get it from that server, we really need to get it from this server, or we don’t need to get it from this logging system, it needs to come out of that logging system. They’ve already run into the wall, figured this stuff out. But when you have turnover for whatever reason, that human capital that you’ve now built up is now lost. And especially today, with the job market tighter than it’s been in some time, there’s higher volumes of people turning, and switching jobs. So, it’s a real risk. So when you go and get your new person, it’s like they’re going through the real world Groundhog Day or something, right? They’ve got to go in and learn everything new. They’ve got to go in and make probably the similar, or same mistakes as the person before them. Maybe they even make some new ones, because they didn’t already have some measure of context within the organization before they came on the scene. In order to get to the right answer, they’re going through a whole ton of wasted time, bringing up the wrong evidence, repetitively getting redirected to no, you gotta go do this. They don’t have the tribal knowledge that the person before them had, who did know which rock to go look under for fill in the blank. When you’ve got the turnover, especially in the compliance arena, I mean it just straight adds up to a ton of wasted time, and thereby money that the organization is burning through.
Meanwhile, you’ve got the sales crew, and the executives all pounding their fists about when’s this going to be done. Dealing with that in the background, while you’re trying to deal with the noobs that replaced the person that did have that experience.
So what is the solution for companies looking to mitigate the risk of compliance staffing turnover? Well, the biggest thing is, make sure that all of your information, and your data exists and is organized on your systems. This is data about your own company, you want to make sure that it gets preserved for your use. I’ve heard the dialogue from folks that use assessor systems, and they’ll say oh, well, we’ve been with such and such an assessor for years, and they keep it all organized for us, we don’t need to worry about it.
Well, again, that’s brilliant until your favorite assessor leaves, or something goes sideways. God I had an assessment firm, they were in one particular arena, like servicing clients in that space, and just made the decision that, hey, we’re no longer going to serve this arena and moved on. There’s a lot of reasons why things could go sideways. But regardless, you just look at it from a pure risk mitigation perspective. The why doesn’t matter. Part of risk analysis is looking at the eventuality of that risk, and how do I mitigate it. So they need to consolidate all of what I love to call, the compliance noise, into one spot. Because, that was the big challenge I was dealing with in my early years. We were trying to hold this all together. Personally, it was a gigantic task to go through and try to make sure I was keeping up to date, and keeping up to speed, and juggling all of the directions that things were coming. I mean, if you can get all of that down and into one spot, where you know your assignments, any reassignments. You have to check what evidence did they load? What additional verbal justifications did they give? Interplay back and forth with your assessor, any changes that were made, versions of your evidence, all that internal communication on fill in the blank compliance topic. Being able to have your status reporting in one spot, all of that in one single place. I can’t even describe the difference that organizations feel when they no longer have that stress that was associated with, just trying to hold it all together. That way, when you do lose somebody on your team and they’re no longer there, that new person, instead of them trying to go in and hopefully piece it together. I mean, they don’t have that person’s phone, so they can’t see the emails. They can’t listen to that person’s voicemails. Yet there’s holes in the storyline from whatever that person had done and gone through. 
If they’re able to simply go to that compliance management system and see everything that that last person did, said, loaded, what adjustments they made when the auditor told them, you’re close, but no cigar, that type of thing. I mean, this new person can walk in, and instantly see all of it. I mean, it’s really magical to go from, where you were before, to this new world where I don’t have to hunt and peck, and look all over the place to go try to figure things out. I don’t have to go play 20 questions with somebody on the team. They could literally go to one spot every time, all the time, and be able to not only see what was done, but also, if you’re using that system year over year, well, now I can go back in and I can look at the final state from last year as a reference point and use that. So yeah it’s interesting as that plays out, seeing the light bulbs going on for people when they see compliance from that perspective.
Now, you said that a person is no longer there, but I was only thinking about someone unexpectedly putting in their resignation. I’m sure there’s like a myriad of other reasons and ways that come up here. Yeah I mean, of course resignation plays into it. But you’re right, it’s bigger than that. Terminations could play a part. We need to part ways with somebody. Maybe, someone goes on to a long-term medical leave. Maybe it’s three weeks. Maybe it’s three months, right? But if you think about it, if so and so goes on medical leave for three weeks, but it’s the last three weeks before this stuff is due, so the assessor can go do their thing, Oh dude, that’s brutal. I mean, there’s always the possibility that somebody does get hit by the proverbial bus, literally, we’ll call them removed from the field of battle. You’ve got things like, maybe the organization gets bought out, and the parent company just willy-nilly decides to go swap out a bunch of the staff for their own staff, that could come into play. You could even have people changing to a new department, or maybe you have footprints all over the US. They move from the Ohio office, to the Denver office. And now they’re not just down the way to go ask them a question. There could be a whole ton of reasons, but people don’t think broadly enough about this. We were talking about the medical leave earlier. I’ve been in organizations where somebody went on medical leave for, I think it was about four months, another organization where somebody went out on a medical leave for four weeks. But if that happens to come up at just the wrong time, what a nightmare. Now, not only are you trying to get your arms around everything under the sun, but you’re also going through and you’re trying to get your arms around things, learn what they knew that you don’t, and trying to do it basically with a really, really short and high pressure timeline.
Now, we’ve discussed some really good things in this pod. I think that there’s a lot of things that may be common knowledge for a lot of folks, but also for a lot of folks, things that weren’t necessarily on their radar, but make a ton of sense. Any parting thoughts at this stage? Well, for the love of all that’s holy and true, I always like to just reiterate on this one. But, the one thing that organizations need to understand, and I get it, you’ve always done things this way or whatever it may be, but this is your information. It’s your data. It’s your compliance. Make sure that it’s at your fingertips. And really, for the folks that are in middle management. It’s really easy to sit in the corner office and just tell people to go do things. But honestly, get out of the office, go down to a double-dogged area, go down and just strike up a conversation with the poor soul that you have anointed the center of your compliance arena, and go stop by their desk. Let’s say four weeks before compliance is due, and then two weeks before compliance is due. Honestly, have a conversation with them. Because, these people that basically put themselves in the midst of these engagements, I don’t think the upper levels have a real appreciation for just how difficult, challenging and complex the engagements are.
You think about something like PCI, right? If you’re doing a full-blown PCI ROC, you’re looking at 500 plus different moving pieces and parts. And you go well yeah, 500 is a pretty big number, but how hard can it be? But, you’ve got these 500 items, meanwhile that 500 items is a starting point. It’s assigned out to maybe eight, twelve, or fifteen different people, or companies you need information, data points, and inputs from. You’ve got all of those items basically flowing from the organization that’s going through compliance at bare minimum. If they’re going through an assessment, they probably have the front liners gathering evidence, they’ve got a second round of some form of internal review that would take place to make sure it looks okay before it goes. Now, whether that second review is an internal QA, or that second review is some form of a security compliance consultant that they put into the mix to help with the coordination. But in some way, shape or form, they go through, they validate and vet the evidence before it heads up to the assessor. But you wanna make sure that it’s as clean as you can get it. Then once it gets to the assessors, if it’s good to go, great, it moves on to their QA department. If it’s not, now it’s coming back down again. And so you basically got origination of evidence, some form of internal QA, the assessor’s review, assessor QA and complete. So now I’ve got 500 items across whatever, let’s say you have 15 different sources provisioning the evidence across five different states. That’s just the baseline of complexity. We haven’t even layered in notions like, oh, and by the way, we have to collect evidence. Well, let’s pretend that I have servers at corporate and I have stuff in the cloud. Maybe I’ve got stuff in two clouds, right? So now all the technical evidence, now I need to go ahead and gather that up against three different facilities, right? These are just examples, but it gets astronomically complex very, very fast. 
And so going back full circle. Honestly, I would challenge the execs. I would have them go, and just do a touch base with those people they chose as the eye of the compliance hurricane, at four weeks, and two weeks before compliance is due. It’s difficult and it’s stressful. So you definitely want to make sure that you’ve got as best you can, your ducks in a row, with the things that you can control.
I can’t control that there’s 500 things. I can’t control that I have to go get these inputs from 18 different people. But what I can control is consolidation of that information into something that makes sense, that’s easy to reference, easy to use. That’s there for that planning to succession plan. That all that information and data is immediately available. It becomes critical to have that information at your fingertips. And lastly, and this isn’t gonna be a surprise for anybody, but get yourself a compliance management system, do it. Grab whatever one you want. Of course, I’m a little preferable to the TCT Portal, but I literally built the TCT Portal from the ground up, to solve the problems that I was experiencing as somebody having to go through this process, and being a practitioner in the space. I literally built the system that I wished that I had back when I was stuck in spreadsheet hell.
And that is the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.