Continuous compliance begins with leadership and strategy, after which responsibility must be shared between compliance teams and their stakeholders. AuditBoard’s InfoSec Survival Guide: Achieving Continuous Compliance explores why stakeholders are as essential to compliance as branches are to a tree. Download the full guide, and read on below to learn six tips for building a positive relationship with your compliance stakeholders.
A healthy tree’s branches support its foliage and fruit by delivering water and nutrients from the roots and trunk; without the branches, a tree is unable to reach its full potential. Without stakeholders, a compliance program is unable to achieve its desired goals and outcomes, including:
- Security maturity
- Reaching a new market
- Launch of a new product
- Strong governance
- Compliance with regulatory requirements
Your stakeholders play a necessary role in driving governance and continuous monitoring because they own the processes in the organization and understand the vision and the goals for their line of business better than anyone else. Thus, developing a positive rapport with stakeholders is essential to continuous compliance. The following are six tips for creating a positive and accountable relationship with your stakeholders:
- Understand their POV to build rapport. Gaining a true understanding of your stakeholders’ day-to-day activities, as well as their business unit’s goals, will help you embed governance into their processes in a practical and considerate way that ideally helps improve their processes. In your discovery process, aim to understand any objections or concerns from your stakeholders. This empowers you to identify potential roadblocks down the road and proactively address them from the start. Doing so establishes an environment where stakeholders feel their voices and concerns are heard, building rapport.
- Define risk in terms any employee would understand, from the analyst to the executive level. When performing discovery on your stakeholders’ processes, make an effort to define the risk involved in their day-to-day process in terms anyone in the business would be able to clearly understand. Risk statements should distill relevant information into their most basic, actionable form. This helps to ensure your stakeholders grasp the risk to their world, increasing your chances of winning their buy-in.
- Prove the value. Stakeholders will always wonder, “Is the time and effort we’re being asked to spend on governance worth it?” Approach them prepared with a compelling argument for why this work is valuable to the business, e.g., driving revenue, helping to reach new customers or markets, increasing the business’s compliance maturity score, etc. Let them know you want to help them make their processes more efficient. Sometimes even framing the benefit in terms of the resource hours you may be able to save them can help set stakeholders’ expectations while also gaining their buy-in.
- Leverage a common control set. Build a compliance framework crosswalk that maps your controls to multiple frameworks and requirements at once. The resulting common (or baseline) control set lets you test a control once and use that single result to satisfy every framework and requirement it maps to. This spares stakeholders repeated documentation requests and duplicative control activities, reducing the audit fatigue that could strain rapport.
- Hold regular check-ins. Set check-in meetings on a scheduled cadence for you and your stakeholders to review milestones and KPIs, identify any bottlenecks, and address any internal changes that may have affected the process or control. Whether they happen on a monthly or bi-quarterly basis, these status meetings are opportunities to tie compliance duties back to larger organizational needs and objectives — and continue to develop rapport with your control owners.
- Share your KPIs. Where applicable, sharing certain KPIs with stakeholders is an excellent way to drive accountability and to keep connecting the importance of your stakeholders’ control responsibilities to larger organizational objectives. Some examples include:
  - Number of issues impacting critical certifications or applicable regulatory requirements, or that could cause severe reputational, financial, or operational damage to the organization.
  - Time to remediate issues.
  - Time and expense calculation per issue.
  - Compliance posture/status by framework.
  - Success outcomes of completed compliance projects and obtained certifications, reviewed to support the value of ongoing maintenance.
- Leverage technology to ease the burden. With the right technology, evidence collection, communication and follow-up, surveys, and testing can be accomplished with more speed and ease than in a manual environment, benefiting all stakeholders involved. Technology can also help compliance teams communicate the value of assurance work to their stakeholders. A compliance management solution that collects all the data points related to a stakeholder’s processes and interlinks them can help teams surface data in a meaningful way through dashboards and reporting, which can be shared during status updates.
Download the full ebook, The InfoSec Survival Guide: Achieving Continuous Compliance, to learn best practices to optimize your compliance practices from end to end through a continuous monitoring approach.
Kelley Spakowski is an IT Risk and Compliance Specialist at AuditBoard. Kelley is the former creator and host of the GRC & Me Podcast, and an experienced GRC software and services solutions professional. Connect with Kelley on LinkedIn.