Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show notes: Dealing with Internal Compliance Resistance


Quick Take

On this episode of Compliance Unfiltered, we cover the not-so-pleasant yet all-too-prevalent topic of dealing with internal compliance resistance. In order to properly set the table for this, Adam describes what a compliance rollout often looks like.

Have questions about what internal resistance often looks like? Need some real-world examples of how to plan for, mitigate, and avoid future internal compliance resistance? The answers to these questions and more on this episode of Compliance Unfiltered!


Read The Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.

Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside a man who will shepherd you down the compliance trail, Adam Goslin. Adam, how the heck are you today? Oh, normally I would use the word fantabulous or something like that, but some brilliant individual decided to add a new member to my family, and so yeah, my wife and I picked up a 10-week-old 32-pound Irish wolfhound, and that was two days ago, and oh boy, I’ll tell you what, I was saying to somebody, I said, it’s been over a decade since I’ve either had a human or dog child, but wow, it really brings you back, shall I say? We’re literally trying to figure out how the hell do we get enough sleep so we can just function. So, it was funny last night, the wife’s up till 12:30 a.m. or 1:00 a.m. in the morning. I’m getting up at 3:00 a.m. to go let the dog out again, and oh my God, we’re looking forward to getting through this initial period.

It’s going to be amazing. No doubt, some might even categorize that as an initial period of, I don’t know, resistance to new things, and it is fitting. Today we’re going to be chatting with folks about dealing with internal compliance resistance on a first-time compliance push. How does it often roll out? Well, a lot of times it depends on what the cause is, right? I mean sometimes it’s a large opportunity that comes down the pipe. Maybe your existing clients start to push for the organization they’re working with needing compliance. Sometimes there’s new leadership at the organization, and they just want to do things differently, take it more seriously, who knows? But in some way, shape or form, the company says, hey, it’d be a great idea, and then they start heading down the compliance path. Yeah. In the past, we’ve done blog articles, and we have some other topics on the podcast about getting compliant for the first go around, and preparing for your first assessment and whatnot. So, we’ve got other resources that people can go in and leverage. Certainly, when you’re heading down that initial move from, we weren’t doing an official security and compliance activity, and now we’re officially going to do it, it’s interesting to see the different realms of resistance that one ends up discovering within the organization, but generally speaking, yeah, it’s a thing.

Now, no doubt. What are some of the internal reasoning for resistance? Like everybody’s got their own perspective, right? And oftentimes we get caught up in that me bias, where we think everybody should view things as we do. But talk us through some of those internal reasons, some of the other perspectives of these folks. Sure, and really part of it is understanding and being mentally prepared for, what are those realms of resistance? Especially for those folks that have gotten the baton wave of, oh, guess what? You’re going to be the one that’s going to go ahead and coordinate our security and compliance stuff. It’s real helpful to have a little bit of notion walking in. The first element that I’ve seen, and that have seen prevalent is just a generic fear of change. Most people don’t like change. They aren’t arms wide open and braceful of modifications. They like their routine. They like the pattern they’ve gotten into. They like how they do things the way they do them now, etc. And, a lot of people, because of that fear of change, they tend to say things like, oh, man, we can’t do this because it’s going to have this massive disruption in the business type of thing. And, they really don’t know what they’re talking about. It’s just a vague fear that change is going to screw up the works. Right. And, I can’t even tell you how many times that I’ve heard people saying, all this security and compliance stuff is going to negatively impact the business operation. And really, I mean, you can pretty much set your timer for how long it’s going to be before you hear some version of, our operations can’t afford to take on this ridiculous burden of all the security compliance nonsense, it’s going to grind our business to a halt, impede our progress, and just roadblock, roadblock, roadblock. 
And, it’s interesting seeing that dynamic at play, and the funnier part is, once you’ve gotten through your first round of compliance and people are looking back and go, oh, that wasn’t nearly as bad as I feared it was going to be, but yet out of the gate, it’s just, it’s nose and heels getting dug in and whatnot. Another realm that comes into play in terms of the resistance arena is, financial concerns, most certainly, especially those that are listening to this and have been down this primrose path before, they’re probably grinning as I’m going over this topic. But for those that haven’t been down it before, security and compliance programs aren’t cheap. Getting these things in place across your environment, it takes time, it takes dollars, it takes resources, it takes vendors, specialists, software, all sorts of things are going to start coming into play. A lot of it depends on where you’re at, against where you need to be, or want to be, that type of thing. But it’s not unusual to bump up against executive level resistance, especially if it’s a person that’s holding the purse strings. So let’s just call that person the CFO for the sake of this discussion, they may get some sticker shock as they’re going down this path. It’s one thing to sit off on the sidelines and go, hey, you know what would be a great idea, let’s go ahead and go up against fill-in-the-blank compliance, because we’ve got this great opportunity. And the next thing, the bills start coming in and everybody’s like, whoa. So yeah, gets entertaining. But you need to walk in expecting questions, expect to be prepared to make justifications, expect that they’re going to be resistant to just allocating budget requests, etc. And they may send you back to go find some cheaper alternatives, if they’re really getting their shorts knotted up.

So another area that comes into play, competing priorities. You’re in the middle of this year right now, and that’s when everybody decides they want to go see the security and compliance light. Meanwhile, last year is when they put together their budgets for the year you’re currently in the middle of. And so now, they pop up with established budgets last year. They established priorities, goals, objectives. All of that stuff was done last year, right? And now they go, we’re going to throw this in the mix. Well, the minute you go do that, now you’ve got the organization needing to make this commitment, and yet having competing priorities with other quarterly goals, etc. The goals of the poor soul, or department that got the nod for navigating the company through security and compliance, they may have a very vested interest in making this occur, and yet the other departments, they still have their objectives. They’ve got to go in and hit dollars, they need to be able to get their stuff done. So, many organizations will substantially underestimate the duration of time, the amount of cost, whether it’s out of pocket or it’s internal labor effort to be able to run a security compliance program. So, it basically puts the poor person that becomes the eye of the compliance hurricane in a position where they’re effectively competing with the resources that are shared across the company, friction internally, and a feeling of slowing things down, etc. So you’re likely to run into some issues with other departmental heads that are almost feeling like you’re stealing their people, budget resources, that type of thing. Certainly, it takes a special type of person to say that, I love sitting down and documenting processes and procedures, it takes a very, very special person. But, the bottom line is, as you’re going down a security compliance engagement, guess what?
You better become someone with all sorts of processes and procedures for supporting the policies which you’re now rolling out to the organization. So, as you go through that process, just know that natural dread of any process, procedure, documentation, etc., is going to come into play. Certainly, you’re going to get pushback and resistance from the internal personnel when you come over to them, and let them know that, hey, by the way, I’m going to need a process doc for this and a process doc for that. Yeah, you can mentally prepare yourself for some pushback on that one.

The last of the arenas that plays into the causal effects of resistance is, the impact on morale. Because honestly, man, we coined the phrase, compliance management sucks, because it does. Don’t be surprised when you’ve got people dragging their feet. They’ve put in a whole bunch of work, extra work, weekends, overtime, pushing on tight deadlines, etc. Folks will find a struggle to keep motivated. And especially, this is something we’ve talked about several times before, if the executive buy-in, in general is low, they aren’t firmly behind this, etc., then everybody else is going to start shrugging their shoulders saying, hey, if the execs don’t give a crap about this stuff, then why in the hell should I care? And why the hell should I be burning my nights, and weekends, blah, blah, blah. So, yeah, it’s a tough situation from that perspective. But, those are some of the internal factors that cause resistance within an organization.

No doubt. What are some tips for handling these factors? I mean, like everybody has their own way of viewing what you’ve just said, and how it applies directly to their situation, but what are some of the universal things that they can do, and add to their toolkit in order to be able to aptly handle these situations? Well, a lot of this just comes down to getting proactive, addressing issues before they arise, making sure that you’re on the same page, a lot of prep work, if you will. And really doing these things even before you’re just kicking tire and lighting the fires, and go headlong into doing compliance stuff. Certainly from a starting perspective is laying that groundwork, lay groundwork with your executives, set the expectations around time, costs, internal resource needs. I mean, one of the tricks that I had learned from a seasoned project manager in my early days, was if you think it’s going to take so much time, then you add 50%. And, it sounded like a wild concept at the time, we’ll just automatically go ahead and put 50% on there. And obviously, it depends on the organization, sometimes it’s appropriate for 10%, sometimes appropriate for 25%. You know your organization, how well you hit deadlines, how well you plan things out, you can figure out the percentage on your own. But, put some of those factors in there as you’re putting together timelines. Make sure that the execs are aware about what type of things they’re about to go get into, you want to make sure you’re getting commitment from them for supporting the efforts, having your back, because the executive leadership team, at the end of the day, they set the tone for the company. If they’re on board, if they’re behind it, if they’re pushing for it, if they’re being supportive of it, in all cases, elements, etc., everybody else is going to see that, and that sets the tone for the organization.
You also want to prepare the leadership team when they say, that’s great that we’re going to go head down this compliance route, but you then tell them, hey you guys set all these objectives and blah, blah, blah back in the day, if we don’t make some alterations and adjustments to the timing of those, then we’re going to be running into issues here as we’re going through the process. So, set realistic expectations of timelines, making sure that internal expectations regarding deliverables have been shuffled around appropriately. Also, laying groundwork with, I’ll call it middle management, make sure that they’re aware of what it is that lies ahead, what we’re going to be going through, the fact that we’re all in this together. But most importantly is, make sure that you’re open, at all times, especially in those early arenas, shut your mouth and open your ears and listen, listen to what their concerns are, listen to what their objections are. Don’t get defensive about it or anything along those lines. The bottom line is, they’re entitled to their thoughts, they’re entitled to their opinions. We talked earlier about various frustrations and fears, acknowledge those, do what you can to alleviate their concerns. Make sure that you’re showing that commitment to work with them, to make this as easy as possible. But, now at the same time, we also need to be realistic, right? I mean, one of the shows I have fond recollections of is a TV show called Bewitched, it’s not going to happen with a cross of the arms, a twinkle of the nose and a nod, it’s not. Yeah, shocker, huh. You’re actually going to have to do work.

So, the last arena of laying groundwork really is down at the staff level, making sure that they understand the impact etc. Certainly if you’ve got adjustments being made to departmental deliverables timing, things along those lines, that’ll start to roll down through the middle management, through to the frontliners if you will. But, talk to them about the fact that it will help them understand that you’ve thought about these things, you’ve thought about these impacts, you’ve worked with the executive team to make these adjustments etc., so that everybody can be successful at this, while trying to do our best to mitigate the amount of pain we’re about to experience with the crew internally. Communicate, communicate, communicate, oh, if I didn’t say communicate. You want to get a lot of buy-in, you want to get responsiveness, you want to be communicating regularly with the leadership team, regularly with middle management, regularly with the frontliners that are provisioning evidence, executives, you have got to keep them in the loop, and make sure they’re aware of the good things that go on, and the bad things that go on. A lot of folks will take an approach of only highlighting those things that are going sparkly, and never talk about the things that went sideways. And, honestly, if you talk about both sides of it, celebrate the wins, and discuss and learn from the losses, it’ll actually get the executives to be in a plane of understanding. That way, when something goes poof, they’ve got your back, rather than them saying, I never heard anything about this before. You need their support, you need their help, you’ve got to be in the loop as you’re going through this. This will help you address any other concerns around timing, spending, things along those lines.
And, with the compliance team members, communication with them similarly, making sure they know what evidence is coming due, when’s it due, how do they need to do it, what are you looking for, that type of thing. Staying on top of your project status, holding frequent meetings so that we can touch base on who’s where, what was supposed to be done, is it done, what still needs to be done, and helping them clear the path, solving issues, etc. In some ways, the relationship, especially for the poor soul that’s the eye of the compliance hurricane, it’s interesting the skills that come to bear. We did a podcast on this earlier, some of the skills that compliance people need. But I mean, part of it’s like being a psychologist or something, going to bat for them with their bosses. I mean, it’s crazy the stuff you get into as you do this more, and more, and more. Part of it is being able to build up morale as you’re going through it. The folks on the front lines. I’ve said this numerous times before, leadership at organizations, generally speaking, don’t have a freaking clue of the misery that the people going through, doing the compliance stuff actually go through. All they know is they’ve got to wave a wand, go tell somebody to go make it happen and then gripe about why aren’t we there yet type of thing. And, it takes a special leader to be involved, to understand the pain, etc. And certainly, you don’t want to become an office of, some type of an internal cheerleader, but in the same sense, you want to express genuine appreciation, recognizing hard work, achievements in tangible ways. Some things that could be done, certainly verbal acknowledgments. Thank you, always works. Public recognition from executives for hitting certain milestones, etc. Periodically, take a team out to lunch, order in breakfast, get an extra day off after a really tough weekend of rolling out several components of security compliance things. 
Certainly, I’ve talked about this a lot, throwing the compliance party when you finally get across the finish line, that’s important to go through and do. You want to make sure you’re recognizing what the team is doing, making sure they know you appreciate it, it’s really, really important as you’re going through this, and certainly, shared vision goes a long way. The people that are doing this, they need to have some type of an idea. Why the hell am I doing this? Talk to them about the reasons we’re doing it, what things are we trying to achieve? What are the end goals that we’re putting in place? How are these things going to help make things better for the company, for the organization, protect their jobs, protect the clients, things along those lines. Understanding that a lot of people don’t do well when you just say, go do this because I said so. But if you share with them some of the reasons that you’re heading down this path, you’ll find the adoption rate substantively higher.

Certainly, when you’re setting expectations with the team, give them that view down the road. The first year is going to be painful, but we’ll all get there together, and we’re in this together, etc. But, the second year is going to get a little bit better. The third year, things will have settled down. By year four, we’re into a rinse and repeat mode. I swear to you on all that’s holy and true, this is going to get easier, it’s going to get better, I promise. I’d also encourage organizations to, every year, go and take a look back when you hit the end of that year, let’s talk about where you started way back in the beginning. Even when you’re in year three or year four, God, do you guys remember? We were pulling all-nighters for two months solid, blah, blah, blah. Oh, my motion alerts are going off. Todd, I was thinking, I just got a third freaking motion alert. What the hell am I thinking? Oh my God. So, take a look back. Look back at that first year, even if you’re in year three, five, eight, it’s good for folks to have that context.

The other piece is, the members of the team are constantly changing. The folks that came in in year five, that are just, hey, this stuff is just smooth now. I mean, they don’t quite understand what it took to get to where they are, and the benefits to get the gain out of that, etc. So, it’s good to reflect. It’s always good to reflect over your prior year, look for additional realms for improvement, what went well? What went poorly? What changes do we need to make? Etc. Certainly, if the team is seeing transition of identified opportunities for improvement, translating into actual change, well, then they’re going to be in a position of being far more supportive of the process, knowing that their feedback is being listened to, that they’re going to actually be able to make a real difference in what’s happening.

Parting shots and thoughts for the folks? Sure. Well, at the end of the day, we want organizations to be able to go ahead and get a culture of compliance in place within their organization. When you’re just starting, the big win is mitigating that internal resistance, right? And, year over year, over year starting to get security compliance built into the DNA of the organization.
Gaining that true culture of compliance really helps everybody, because it’s astounding the difference it makes when everybody’s in the same boat, and we’re all rowing in the same direction, and we’re all on the same pace, it makes an astronomical difference. Let’s face it, man, nobody’s going to come walking into work on a given Thursday and be jumping up and down out of their seat because of compliance. I suppose the way I would put it, personally, the personal goal should be, aim for the lofty goal of just mitigating the bitching about it, and that’s going to make things a billion times better. Yeah, yeah, exactly. But, it’s often that multi-year down the road mark, when folks can look back, and realize how far they’ve come, realize it wasn’t as big of an impediment as they feared, etc. And, it’s also really rewarding just to see the change within the organization, of how the organization approaches, deals with, respects the notion of security and compliance, but those light bulbs just don’t go on for a while. There’s no doubt about it. Year one, year one’s rough, but hopefully the stuff that we’ve gone through will give people an easier process, and path forward.

It’s not a sprint, but it’s a marathon, so give yourself enough time, tools, skills, patience to build that security and compliance program that rocks.

That is the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we help to get you fired up to make your compliance suck less.
