The Unfortunate Reality of Compliance
I.T. Compliance. Ugh. Just the words can flood our minds with images of excessive documentation, added expenses, increased overhead, and unhappy users. Yet for the SMB community, compliance requirements are growing – and not just for highly regulated industries like healthcare and finance, but for all industries. And compliance is often expensive. So a game ensues. The game goes like this:
Regulated industries protect their interests by requiring their vendors and partners (and sometimes their clients) to sign a Business Associate (BA) agreement. The BA agreement requires the business associate (i.e. the related vendor, partner, or customer) to implement many, if not all, of the requirements the regulated entity is itself subject to. The business associate implements the minimum needed to meet those requirements, then creates its own BA agreement for its vendors to sign. And on it goes from one company to the next.
This “trickle-down” effect isn’t new, but the effect it’s having on the SMB community certainly is: implementation of poor, unmanaged, sometimes pointless, and wasteful solutions.
The interesting part here is why this is happening. As it turns out, it’s a matter of incentive.
From a business standpoint, there are really only two incentives SMBs have to implement a compliance solution: to mitigate risk and to keep a customer happy (or acquire a new client). That’s it. There’s rarely any other business value to be had.
So what does nearly every SMB do? They invest the very least amount possible in order to become compliant because, in all but the most diligent of companies, compliance is never a budget item.
As such, SMBs implement the least expensive systems, rush through process improvements, delegate responsibilities to staff who can't effectively execute on them, and let documentation sit stagnant until the next audit or customer questionnaire forces another round.
Then efforts are directed elsewhere and none of the policies, documentation, or process improvements are maintained or managed, steadily eroding whatever value the initial effort created.
In the end, management is left with the feeling that they're now compliant. New systems may be in place, but those systems are often doing very little to keep the company compliant, because hardware and software are only a small part of a compliance program; the policies, processes, and people that operate them are the rest.
What are we all left with?
- Businesses who are forced to invest in technology that creates overhead for the business
- Regulatory bodies who feel good about the requirements they develop
- Consumers who feel protected, but aren’t
In other words, it’s become a game; a game in which very little is being accomplished. Business is forced to implement costly, inefficient solutions and consumers aren’t protected any better than before.
Altogether, it makes this a game we’re all losing.