Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: Congratulations! You’re Compliant… Now what?
Quick take
On this week’s episode of Compliance Unfiltered, we cover the next steps after receiving your certification of compliance.
- What do you need to do, and how do you do it?
- What clean up needs are there to be addressed?
- What do you do with the valuable lessons you learned along the way?
- What’s next for your organization, and how do you maintain the compliance you just earned?
Adam and Todd cover these skills at length, plus more! All on this week’s episode of Compliance Unfiltered.
Remember to follow Compliance Unfiltered on Twitter.
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside a man who spends the majority of his time on the other side of the compliance rainbow, Adam Goslin. Adam, how the heck are you? I’m doing great, Todd. How are you? I can’t complain, man. I can’t complain. Today, we are going to chat about something that far too many people forget about. And that is, the most important thing to do after you obtain certification.
Talk to me a little bit more about scheduling the after party. Well, the after party is important, but honestly, the most important thing that an organization can do is don’t stop. The reality is that, for the people going through a compliance engagement, invariably things took longer than you feared, were harder than you thought, and wrapped up way later than you expected, especially for those that are going through it for the first time. I call them sugarplum visions out of the gate. Oh, we’re going to go ahead and get compliant, going to pull this out in four months or whatever. And next thing you know, it’s another, whatever, many months after the sugarplum visions. And finally, blessedly, they get the assessor sign off, right? And a lot of people that have been involved in the compliance engagement, they’ve fallen behind on their, we’ll call it, their day job, and everybody’s just itching to get back to what they call normal. And the best advice that I can give to anybody that just got past that finish line is, take your foot off the gas, move into planning your next compliance cycle right then and there. It’s a hell of a lot easier to keep going than to just stop and walk away, etc. There’s a couple factors there. Everything’s fresh in your mind. You’ve just been through it. You are cognizant, especially as a compliance manager, you’re cognizant of all the things that need clean up on aisle five and whatnot. While you’ve got all that in your brain, it’s a whole heck of a lot easier to go and get things taken care of.
Certainly, it’s super important to recognize the blood, sweat, and tears of the folks that helped get you to the finish line, if you will. Go throw your compliance party, and take a moment to celebrate the achievement, because the entire team deserves it. That said, get right back into the game while everything is fresh. Generally speaking, this is the fear, especially for those organizations going through it for the first time. Like, oh, my gosh, this was so arduous, we need to get a break, type of thing. The one thing that they can keep in mind, and they don’t know this yet, but you were obviously in the throes of trying to get your compliance wrapped up, everybody was just running a million miles an hour. You’re not going to need to keep going at the same frenetic pace that you were maintaining, trying to herd the last of the cats, if you will. Now that you’ve crossed that finish line, which was really more of a sprint to get there, now you need to shift your mindset into that marathon, which is maintaining your compliance over the course of an entire compliance cycle. So, it’s not going to mean going at the same speed, but certainly moving into that arena is going to be something that needs to happen right away. The most important thing that folks can do is address whether there’s any cleanup that needs to be done after the completion of the compliance cycle.
Well, most certainly. Okay. I figured. Yeah, I tell people all the time, get all your stuff in a single spot and use a compliance management system, right? It doesn’t matter whether you’re doing it manually, whether it’s a hodgepodge internal solution you’re using, or, at the other end of the spectrum, if you’re actually using a compliance management system. In all of those cases, there’s going to be things that need to get cleared up, cleaned up, I’s dotted, T’s crossed, when it comes to the compendium of the storage. I don’t watch everybody’s team going through compliance, but I’d be willing to bet that there’s some form of a rat’s nest of disorder that was left in the wake of your compliance engagement, in the midst of their mad dash to the finish line. And the reality is that there’s some additional cleanup that needs to get done during that process. And, as I was saying a minute ago, before you get too far down the path and forget where all the rocks are hidden, go back and make sure you’ve gathered up all the data and information around all the various elements of evidence that were being provisioned, that you’ve really got all the final versions of everything in your storage repository. Invariably, as hard as you try to school everybody to, hey, just use the compliance management system as an example, there’s questions going back and forth through email. Is there any pertinent data that was in there that we need to make sure gets mirrored back into your central repository, things along those lines? Because, if you don’t do cleanup on aisle five right away, you’re not going to realize the benefit of what you just did until nine months down the road, when you get neck deep into your annual compliance run again. That’s when the light bulbs are going to go on and say, oh, I’m so glad that I did that.
For the organizations that do this, they won’t get it now, but they’ll definitely thank me later, because you don’t want to lose track of all the important data that you’ve gathered and garnered, making sure you’ve got a clean repository of the state of your compliance after that point.
Sure. I mean, obviously, you’re gonna reflect on the process that you just went through, especially something that arduous. What’s the value of the lessons learned here? Well, I’d recommend to organizations, I don’t care how it’s structured or set up, I don’t care if this is something that they’re doing internally with an internal assessor, or if they’ve got a compliance consultant in the mix, or if they’re going through a third-party assessment. Regardless, set up a post-mortem, if you will, so everybody that was involved has a voice. They can come to the table and really reflect on any lessons learned from what they just went through. What things went well, what things didn’t go well, where do we need to make improvements, things along those lines. Certainly, for organizations going through this for the first time, one of the big surprises for an organization as they go through their first shot at it is, holy moly, how much time did we spend on this that we didn’t allocate for it? That’s one of the big problems, is that they don’t anticipate just how much time and effort it’s going to take from different people on the team. So, while you’ve got it all fresh, as best you can, pull the people that were involved, and figure out how much time they should be allocating the next time around. If you gather that all up while it’s fresh in their brains, then you can work with internal management, their supervisors, etc., so that you can lay the groundwork for, hey, Mary put in about 50 hours of time into this compliance thing, we’re going to need to make sure that we’ve allocated enough hours for Mary down the road. So, using that historical data as inputs and planning is a big deal. It’s not all just going to magically come together as you go from your first shot to your second. But certainly, if you use that post-mortem to gather up that information, then you can make your next run through compliance that much more optimized.
The other piece of this is that there’s a lot of things. I had an experience with an organization that just literally switched assessors. They went from assessor A, they actually had two assessors. One was doing most of their assessments, and another assessor was doing one. Well, they decided to shift from two to one. And it was moving the majority of their assessments to the other organization. And in doing so, it’s almost like they were going through it for the first time. Now, they’ve just wrapped up their push to compliance, etc. And we’ve already got the after action meeting on the books, so that we can get everybody to the table. Because the assessor had things they thought about as the engagement was unfolding that they hadn’t initially asked for. So, we need to have a spot to go ask for that the next time. Let’s use those lessons learned, go bolt them in. And certainly, if you’re using TCT Portal for your compliance management, that system will go through and keep track of open tasks, open assignments, present you information at a glance, which will, in the grand scheme of things, be super helpful for organizations. And especially when you bolt in the items that popped into the mind of the assessor as they were going through it. Hey, you know what, I also need fill in the blank. And it’s not necessarily that the assessor had some lapse, in terms of that they didn’t ask for everything; some of it’s circumstantial. Really, it depends on the client, the engagement, etc. As the assessor is learning about the organization, they’re also, at the same time, learning about what elements of evidence they want to leverage in order to validate that certain controls are truly in place, and some of that’s circumstantial. So, using those lessons learned, it’s huge.
So, as the organization wraps up the party, and the post close cleanup, and high fives, and starts looking around. What’s next? Well, the next step really is, now we go about planning that upcoming cycle. So, working with your vendors, your assessors, your consultants, to create that roadmap of your coming cycle, if you will. Establishing upfront dates and priorities out of the gate is huge, because that will allow the organization not to get caught off guard down the line. Asking questions like, all right, so now that we’ve gotten through this, and now that we’re in 2022, start planning your 2023 right out of the gate, and when approximately are we going to be looking at scheduling either on-sites or interviews that are needed to support the process? When do we want to start requesting documentation from our vendors? What order do we want to request documentation in? In some cases, the assessor really wants certain things to be refreshed, quote unquote, at a certain point across the continuum, so they know that it’s accurate and live, so that they can pull from that, and grab populations that they need, and make sure that they’re accurate. So, all of those things are going to come into play. When do we want to make sure that we’ve got all of our evidence together, so the assessor has the time to be able to go through it without feeling like they’re just being pressed for time? Looking at the interaction that you went through, how can we make things easier on our vendors, or our consultant, the next go around?
Another element for organizations to explore with their assessor is, what’s acceptable for the assessor in terms of spreading out those one-time tasks. So, at the end of any compliance engagement you’ve got a whole series of things you need to only do once, and yet that’s a gigantic compendium of stuff that has to all happen within this brief period of time. Rather than just taking it on all at once, how can I take those one-time items and sprinkle them out in a manner that makes sense, so that everybody’s on the same page? What I’ll typically recommend to organizations is to look at their signing date: we’ve made it all the way through our run for this year, and now we’ve got a signature on a piece of paper that says, sign of the cross, you’re compliant. We’ll take that as your, okay, here’s when I’m going to want to have my signature next year, and then work backwards from that. Just remember, there’s a whole slew of things that you’ve got to go through between, okay, we’ve wrapped up the evidence, and we’ve got a signature, right? So, plan your work and work your plan. Yeah, exactly. I mean, compensating for the time it’s going to take for the assessors to complete their reviews, time for backs and forths with any populations and samples that are needed, the internal assessor’s QA process, and other hoops that may need to be gone through. As a general statement, no, obviously it depends on the size and scale of the engagement, but at minimum, I’d recommend to folks to plan on their evidence collection being done six to eight weeks before that signing date, because that’ll allow for all of the other elements to happen. But certainly, if you’ve got an assessor, check in with your assessor and work the plan with them; that will help.
The other piece to consider for organizations is that there’s a large volume of annual stuff that needs to be gathered. We also have those scheduled tasks that need to be done every day, every week, every month, every quarter, twice a year. For those items, we want to make sure that we’ve got tracking mechanisms for all of them, so that we have interim pulse checks throughout the year. It’s something that in the TCT world we call operational compliance, which is operationalizing your compliance collection throughout the period, because that way you don’t end up at the back end of your engagement. Part of the reason we wrote it into the TCT Portal is that I was walking into engagements where people were forgetting to do, or validate, their periodic tasks through the year. In that operational mode, it gives you a roadmap through the entire compliance period for what it is we’re going to go gather, sanity check it, etc., as you’re going through it. Yeah, it’s a real big deal.
Well, I guess this is the part of the conversation that as we approach this topic, I think that I’m the most interested in. And that is, what do you do to properly maintain the compliance that was just achieved? Yeah, well, for a lot of organizations, unfortunately, there’s a lot of them that do it on the annual sprint, right? It is what it is. They’ve got all these other secondary mechanisms to hopefully do stuff, etc. But, compliance isn’t made to just set it and walk away. Compliance, for an organization that is taking it seriously, that’s doing things appropriately and whatnot, the functions really need to become part of the daily DNA for the organization. It’s a way of life, walking into that compliance world. Sure, you got there for the first time, but now you actually need to maintain it, this isn’t an annual event, there are all these things that you’ve got to go do throughout the period. So, earlier we were talking about things that need to be done every day, every week, month, quarter, twice a year, and once a year. Well, if you’ve done the tasks that we were talking about earlier, where you’re putting together a roadmap, or a game plan for pulse checks, and sanity checks for all of those items that happen more than once a year, and you’ve coordinated with all of your various and sundry players on what’s going to be our approach, for the once a year items, and how are we going to sprinkle those out across the course of the year? The better that you get with all of those items, the easier it is in the grand scheme of things to just manage and maintain your compliance, and do it in a sane fashion.
One of the huge benefits that I’ve seen on engagements where, previously, they were being performed on the annual scramble approach, and then shifting into the TCT Portal operational mode, is that we get to quarter one, and basically we spread out all those daily, weekly, monthly, quarterlies into quarters. So, we would pulse check on those, make sure everything’s okay. And the interesting part about doing it that way has a couple of benefits. One, the organization itself internally, they have a moment, a quarter of the way through their compliance year, where now they’re pulse checking: are we doing all the things that we’re supposed to do? Do we have any issues? Were there any challenges or issues that we needed to face and get lined up? The assessors, really, generally speaking, are quite reasonable if they see an organization that flagged early in their compliance cycle that they had some type of a problem with this being done correctly, but we caught it in quarter one, and made our adjustments, validated those in quarter two and quarter three, and four was just smooth as butter. The assessors are gonna feel a lot better about an organization that’s taking that approach than about getting to the end of the year and finding out that stuff that was supposed to be done either wasn’t being done at all, or it wasn’t being done correctly. You know, it kind of warms the heart of the assessor as they’re going through that process. The real trick for these organizations is, just stay on top of it. We talked earlier about how it’s more of a marathon when it’s done right, but it takes several rounds to go through and get this stuff buttoned up. But it’s a whole hell of a lot easier if you’re staying on top of your tasks, making sure that we’ve got the right information as you’re going.
Now, the interesting part is, I’m seeing more and more assessors that are integrating, I’m gonna call it, a higher touch approach to their engagements. I’m seeing that happening a lot more, and it’s primarily because of some of the things that I discovered earlier on, which is the problems with, nobody wants to be in the position where they don’t have what they need to go through compliance. So, certainly, seeing that movement within the assessor arena is heartwarming. Certainly, for anybody that’s listening that isn’t using a compliance management system, seriously, go take a gander at it, because as you get through, especially when you get through your first run at it, and everybody is breathing that sigh of relief and yet still reeling from the pain, it’s a perfect time to go check out a system to try to make your life easier, because those systems can honestly make a gigantic difference in the level of pain that’s felt through the process.
That’s fair enough, fair enough. Any parting thoughts and shots on this one? Well, in one of our earlier blog posts, we were talking about some of the softer skills of compliance managers, and certainly patience was one of the things that I had mentioned in that prior podcast. In the prior podcast, we were mentioning that patience was a big thing. And the reality is that patience in terms of the seasoning of your compliance state, if you will, you’re going to need a dose of that too. This isn’t, oh, I go in and I do it once, and I adjust these three levers and poof, it’s perfect. It’s not gonna work that way, it’s going to take several cycles, and that’s in an environment where there’s relatively little change. Let’s pretend for the sake of this discussion that you didn’t have to switch out any vendors, you didn’t have any significant amount of critical turnover in terms of your internal team for visiting evidence, you didn’t move from three locations to 18, you didn’t get an acquisition. Even if you don’t have any of that involved, it’s still gonna take probably three cycles to start feeling like things are starting to click, just because there’s so much that goes into these compliance engagements. It takes a little bit to feel like you’re hitting that stride, where it’s really settling into something that is both expected as well as repeatable; it’s just gonna take time. So, the best way to make efforts to shorten that time to proficiency goes back to what we started with out of the gate, which is, once you get to the point where you’ve achieved your goal, or your objective, don’t stop, keep it moving. Because hey, at the end of the day, compliance management sucks and we do our part to try to make it suck a lot less.
Absolutely. So the moral of this story is, at the end of the day, don’t stop, keep it moving. I love it. That’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.