More Than Checking the Box: Beyond Compliance Basics
“Just check the box,” that little voice says. “Once you meet the minimum requirements for compliance training, you’ll be off the hook.”
Listening to that little voice we all have can be a mixed bag. Oftentimes, following your instincts will lead you down the right path. But it’s when the voice tells you to cut corners or to do only the bare minimum that you have to be extra careful.
This is especially true in the compliance space.
By now you know that compliance means more than technology, policies, and IT resources. More than ever, it means equipping your people—your employees—with the right skills and training to handle a shifting array of laws and regulations. Knowing what to do is a good start—but you also need to know how, and that’s the hard part.
Just Checking the Box
So you have to ask yourself: Can I get away with just checking the compliance box? The answer to that question depends on one thing: your objective. While it’s true that most security, privacy, and compliance regulations mandate awareness training programs, seldom do they prescribe the details of such programs.
Technically, then, you may be able to get away with the bare minimum of having employees view a handful of PowerPoint slides. Pretty cheap. Pretty easy. But there are at least four not-so-cheap-and-easy problems with that approach:
- Costly litigation demonstrates time and again that the minimalist approach may serve to check a box, but it won’t get you off the hook when a breach occurs.
- Regulatory bodies are catching on. Many regulations, such as those governing PCI compliance, are much more explicit about awareness training requirements.
- The “check the box” mentality completely misses the point: protecting your organization, its assets, reputation, and customers.
- Quickly assembled “training” is also quickly forgotten—if it was ever absorbed in the first place. And that’s a far cry from achieving the correct objective of training: behavior change. While many regulations require only an annual training event, information security and compliance is not a single point-in-time activity. Good training requires ongoing reinforcement.
The bare minimum is starting to sound less attractive, isn’t it?
Checking the Box … and Then Some
In our experience, there are two kinds of organizational cultures in the world: The first kind views things like compliance regulations as a burden—and consequently is more likely to fail because of it. The second kind embraces them as opportunities to improve everything they do, becoming better and more profitable organizations as a result. We’ll give you three guesses which kind is more likely to go beyond checking the box.
How does one go beyond compliance basics? Well, it begins with the goal of a truly compliant organization, one in which the desire to keep the organization safe is baked into the very culture. Here are some ways to help effect this sort of cultural shift:
Enable Your People
Sure, a multitude of software vendors offer technology-based solutions for managing compliance processes. But make no mistake: staying compliant is ultimately about human behavior. It encompasses such things as codes of conduct, corruption, fraud, waste, insider trading, ethical standards, conflicts of interest—all of which are behavioral issues.
Bringing about the competencies, habits, and efficiencies that compliance initiatives seek to achieve means encouraging a host of behavior changes. Neglecting the all-important behavior change misses the whole point of such programs. This is the essential difference between initiatives that only seek to check the compliance boxes and those that work to build the right behaviors into the very fabric of the organization. An e-Learning program that meshes with your unique organizational culture will bring this about in a way that is real and lasting.
Support the Change
Data breaches and ethics violations are stark reminders that organizations remain susceptible even after passing rigorous audits. A truly effective compliance program will require more than simply defining a program, writing a policy, and installing some software. In fact, that’s a recipe for ensuring that little, if anything, will change.
An organization’s active leadership is absolutely fundamental to transformation. In every example of successful culture change, you’ll find personal and passionate dedication to the vision at the highest levels of the organization—including the board room.
As the new behaviors modeled by executives begin to yield fruit, new norms emerge: problems are solved, barriers are removed, and processes are improved. A new, vibrant, and motivated culture based on the shared vision and values begins to take shape.
Reinforce the Message
Consistent communication and reinforcement through training and awareness is essential to changing the day-to-day behaviors of employees, and to making compliance principles a part of organizational culture. Toward this end, a formal compliance training program should be followed up with an annual awareness plan and corresponding reinforcement campaign that includes animations, posters, and newsletter articles.
We won’t beat around the bush: effecting this sort of cultural change will be challenging. But the knowledge that you went above and beyond checking the box, and helped to ensure a stronger organization, will be well worth it.
This blog post was adapted from our white papers 6 Steps to GRC Success and 3 Keys to Unlocking GRC Training Success. Learn more about MediaPro’s compliance training offerings here, or contact us directly.