
CHAPTER 1

AGILITY VS. COMPLIANCE


Compliance mitigates the risk of uncertainty about
the future. You create compliance when you want
to limit negative outcomes. Often regulators and
market pressure create compliance requirements
to mitigate these risks. Organizations use
frameworks to embed controls that help them
abide by compliance rules. Unfortunately,
compliance can turn an organization into a
bureaucratic system. Instead of seeing a realm of
possibilities, organizations view everything
through a risk lens. At this point, any deviation
from the standard, acceptable process meets the
ubiquitous "no".

Agility is at odds with compliance because it strives to find the "yes" in resolving problems.
Some companies use agility to adapt to the
market and view change as a constant. This
means taking your best resources and using them
to create new, innovative capabilities.
Organizations that apply agility often view
problem solving as a creative process. Working
together requires flexibility and the ability to focus
on the problem at hand. Following set standards
and restricting agility reduces the team's alacrity.
The goal of agility is thus not to mitigate risk but to
transform that risk into a strength.

WHERE DO YOU FALL ON THE SPECTRUM?

Organizations that are experiencing high growth know that
they will outgrow their processes. The standard way of doing
things evolves and the organizational structure is fluid. They
want the high growth for as long as possible because it means
that they are capturing market share. Even if this comes at a
loss of cash flow, growth is preferable because it does not last
forever. When competitors arrive and the economic
environments change, growth becomes more difficult to
maintain. During high growth, implementing compliance can
be like adding water to a nascent campfire.


On the opposite end of the spectrum are organizations using risk management. Organizations that have an established product or service can maximize profits. Risk management evaluates threats from internal and external sources. It works towards standardizing the process to minimize deviations that could lead to errors. In some regulated industries, compliance is a barrier to entry. The way of doing things seems to become the only way of doing things.
This dichotomy between high growth and compliance can
create a difficult choice. Do you elect to continue a high growth
strategy or pursue a path towards compliance? One
recommendation is to treat this decision as a sliding scale.
Find the balance to best fit your current business model.

[Figure: a spectrum running from Growth at one end to Risk Management at the other]

COMPLIANCE HELPS MITIGATE THE RISK OF DATA LOSS, THE RISK OF A PROCESS FAILING, OR THE RISK OF ERRORS.
These risks are mitigated when companies follow a compliance framework. Compliance frameworks outline best practices, known as controls, that help mitigate the risk. Controls are steps added to the process that prevent, detect, or monitor the negative outcome. The frameworks have to fit a wide array of companies across various industries, so they need to be both broad enough to implement and specific enough for an examiner to test.

[Figure: Growth vs. Agility. Axes: Growth and Agility, with a Compliance curve. Caption: When implemented, compliance dampens growth and constrains agility. A new curve flattens out.]

Compliance is not a bad thing. With many large corporations providing a myriad of services, the risk of failure can be high. For example, in a critical sector such as finance there is a lot of oversight to protect consumers. Companies listed on public exchanges hold a large part of our retirement investments. This results in more compliance, oversight, and audits. Organizations providing B2B services need to establish trust with their customers.

Compliance offers a baseline in the marketplace that establishes a level playing field. Yet the regulatory bodies are often slow to adapt to changing technology risks. Take for instance the threats presented by cyber attacks: even the best-designed security architecture run by the best security experts can fail, and a framework written years earlier may not address the way it fails. The key is to articulate the business driver and catalyst for compliance.

If this is your first foray into compliance, below are some common terms and definitions:

Compliance: adherence to a set of rules established by a regulatory body
Risk: the chance that a negative outcome, financial loss, or error can damage the organization
Control: a step in the process that monitors and mitigates risk
Audit: an examination performed by an independent third party that verifies adherence to the guidelines outlined by a regulatory body
Attestation: like an audit, except that management asserts that its controls are in place and the third-party examiner reports on that assertion, so the organization and the examiner share responsibility for an inaccurate examination
Framework: an approach with risks, controls, and processes to put in place a compliance model
Regulatory body: the organization that defines the rules and the methods to verify them
Standard: the specific law, rules, or requirements that make up the scope during an examination
Scope: the boundaries to examine, which are usually dictated by a regulatory body

When it comes to compliance, you need to assess the pros and cons. The decision should not be all or nothing. Instead, you should approach compliance as a point on a maturity curve. This will help you identify the steps to ease you into a new organizational design. Striking a balance between compliance, high growth, and agility is the prudent choice.

One of the first factors to consider is going public. Compliance is mandatory for public companies. Regulations and laws such as Sarbanes-Oxley (for companies listed on US exchanges) require audited controls around your financial reporting processes, including the general IT controls (access, change management, and operations) that support them. Thus, the initial consideration should be the business purpose driving compliance needs.

Are you pursuing customers and markets that require compliance? Compliance has a maturity curve, which means you can still submit an RFP and market into these new segments before you are fully compliant. As you move along the maturity curve and implement additional compliance practices, your sales pipeline and market size will grow and new opportunities will be available to you. This is how you can use the compliance maturity curve to your advantage.

Another area of consideration is B2B relationships. These bonds need trust to empower companies to work together. But due to the increasing threat from attackers, cyber-security is altering compliance: companies are asking more questions about the security of the systems they purchase. However, compliance does not equal security. A clean report shows that the controls in scope were in place and evidenced at a point in time, not that the systems resist attack. This creates another lackluster outcome for organizations that look at compliance as their panacea. For this reason, you should understand your compliance path, and balance your compliance needs and wants to protect your organization's agility.

CHAPTER 2

COMPLIANCE MATURITY CURVE


Most people think of compliance as a Boolean
variable of Pass or Fail. But, this is not the case
because compliance has many shades of grey. Your
auditor is unlikely to offer this view because they are
not trained in thinking of it as a grey zone. Auditors
prefer boundaries. They use checklists because it
makes examining controls a lot easier. Often, they will
use less experienced resources to perform the bulk
of the work. If you select an audit firm based on the
lowest price, expect less experienced resources.
The compliance frameworks are also comprehensive. They are not designed to be implemented piecemeal. The size of your organization (revenue or market capitalization) is not a factor. Your auditor will compare the guidelines and rules to your processes. Those rules leave little to no wiggle room to tailor the framework. This is where the compliance maturity curve comes in handy. It can serve as a roadmap to help drive your compliance using strategic thinking. Each level is a progression along the maturity curve. Begin with the first level. Track your return on investment and ease your organization into the realm of compliance. Even at the most basic level, there will be a benefit that you can point to. This approach will not overwhelm your organization. Begin early and progress at a reasonable pace.

The compliance maturity curve helps organizations ease into compliance and maximize their investment.

Level 1

You do not have customers asking for compliance. The product or service is about one year away from reaching critical mass. You have not yet picked a compliance domain. For the organization, this may be the first time working with compliance.

Consider pursuing the following tasks:

Risk Assessment
Vulnerability Scans
Penetration Testing
Gap Assessment

[Figure: Compliance Maturity Curve. Compliance maturity (Level 1 through Level 5) plotted against time.]

Risk Assessment Defined

A risk assessment should be tailored to each organization. There are open source templates that help organizations through a self-assessment. With this task, you make a list of all your risks (business and technical). You evaluate each risk based on the likelihood it will occur and the impact it would have on your organization (think High, Medium, and Low labels for each). You then plot the two variables and determine how much risk you are willing to accept, your risk appetite. For any item with a higher risk than your risk appetite, you put a plan in place to mitigate the risk. This helps you be more aware of the risks and communicate your risk threshold to the organization.

Vulnerability Scans Defined

One of the least costly tests involves a scan of your network and applications. This detects known vulnerabilities and misconfigurations (unpatched software, weak protocol settings, exposed services) and helps you avoid some cyber attacks. It is typically automated using scanning software and can result in many findings on the initial scan. Many of these could be false positives, which will require you to begin tracking them and excluding them from future scans. Verify that a finding is a false positive before suppressing it, record the reason, and revisit suppressions periodically; suppress the specific finding (host, service and check), not the whole host, so that new issues on the same host are still reported.
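The tracking described above (which findings are new, which are known, which are verified false positives, and which have disappeared since the last scan) is the part that most teams end up scripting. The following is an added example, not code from the original ebook or from any scanner vendor: the two scan exports and the suppression list are constructed, the CSV column names (host, port, plugin_id, severity, title) are an assumed simplification of what real scanners export, and the fixed "as of" date is there only so the output is deterministic.

```python
"""Triage of vulnerability-scan findings across consecutive scans.

Added example, not from the original ebook. The scanner exports below are
constructed in a simplified CSV shape (host, port, plugin_id, severity,
title); real scanners export richer formats, but the identity and
suppression logic is the same once the fields are mapped.
"""
import csv
import io
from datetime import date

# Constructed export from the previous scan run.
PREVIOUS_SCAN = """host,port,plugin_id,severity,title
10.0.0.5,22,10881,Medium,SSH weak MAC algorithms enabled
10.0.0.5,443,42873,Medium,TLS 1.0 enabled
10.0.0.7,80,11219,Low,Web server exposes version banner
10.0.0.9,445,57608,High,SMB signing not required
"""

# Constructed export from the current scan run.
CURRENT_SCAN = """host,port,plugin_id,severity,title
10.0.0.5,22,10881,Medium,SSH weak MAC algorithms enabled
10.0.0.7,80,11219,Low,Web server exposes version banner
10.0.0.9,445,57608,High,SMB signing not required
10.0.0.12,3389,18405,Critical,RDP exposed with NLA disabled
"""

# Suppression list for verified false positives and accepted risks. Every
# entry carries a reason and an expiry so a suppression is re-validated
# instead of hiding a finding forever. (Constructed entries.)
SUPPRESSIONS = {
    ("10.0.0.7", "80", "11219"): {
        "reason": "banner is static text, verified manually",
        "expires": date(2025, 1, 31),
    },
    ("10.0.0.5", "22", "10881"): {
        "reason": "legacy appliance; compensating control: management VLAN only",
        "expires": date(2023, 6, 30),
    },
}

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
AS_OF = date(2024, 3, 1)  # fixed "today" so the example is deterministic


def finding_key(row):
    """Stable identity of a finding: same host, port and check => same finding.
    Keying on the host alone would suppress every future finding on that host."""
    return (row["host"], row["port"], row["plugin_id"])


def parse_scan(text):
    return {finding_key(row): row for row in csv.DictReader(io.StringIO(text))}


def triage(previous_text, current_text, suppressions, today):
    """Bucket current findings by what changed since the previous scan."""
    previous = parse_scan(previous_text)
    current = parse_scan(current_text)
    buckets = {"new": [], "known": [], "suppressed": [],
               "expired_suppression": [], "resolved": []}
    for key in current:
        entry = suppressions.get(key)
        if entry is not None:
            # An expired suppression surfaces again so it gets re-verified.
            bucket = "suppressed" if entry["expires"] >= today else "expired_suppression"
        elif key in previous:
            bucket = "known"
        else:
            bucket = "new"
        buckets[bucket].append(key)
    # Findings that disappeared: record them so a fix can be evidenced, and so
    # a scan that silently lost coverage does not look like progress.
    buckets["resolved"] = [key for key in previous if key not in current]

    def severity_of(key):
        row = current.get(key) or previous[key]
        return SEVERITY_RANK.get(row["severity"], 9)

    for keys in buckets.values():
        keys.sort(key=lambda k: (severity_of(k), k))  # worst first, then stable
    return buckets


def run_example():
    return triage(PREVIOUS_SCAN, CURRENT_SCAN, SUPPRESSIONS, AS_OF)


if __name__ == "__main__":
    for bucket, keys in run_example().items():
        print(f"{bucket:20s} {len(keys)}")
        for host, port, plugin in keys:
            print(f"    {host}:{port} plugin {plugin}")
```

With the constructed data, the RDP finding on 10.0.0.12 is new, the SMB finding is known, the banner finding is suppressed, the SSH finding comes back as an expired suppression that needs re-verification, and the TLS 1.0 finding is reported as resolved. The expiry on each suppression is the check that keeps a "false positive" from becoming a permanent blind spot.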

Penetration Testing Defined

If possible, hire an external firm to attempt to break through your security. This test can apply to your public-facing side (website or external network), as well as internally (internal network or phishing). You can dictate the amount of information you provide to the firm. Providing less information creates more work for the tester in the exploratory phase, which may lead to lower-value findings within a fixed budget. You should scope the engagement to include only those components of your solution or network that you think appropriate. It is okay to start with a small footprint and focus on closing any findings first. You can always expand the scope later and make this testing a recurring task.

Gap Assessment Defined


Before embarking on a compliance assessment, you should
consider a gap assessment first. A gap assessment includes
hiring a firm that is experienced in the type of audit you need.
Begin with one domain at a time. Focus the gap on
understanding what is required to be compliant. Ensure that you
explore each domain that you think would be a good fit before
you agree to undertake a full assessment in that domain.
Sometimes it can help to use a workshop style engagement. You
visit multiple domains, without going into too much detail on any
specific domain. This can give you a better sense of all the
options available to your organization. It will also help develop
the business case for electing to begin the full assessment
process. Where possible, avoid jumping into more than one
domain at a time. Try to always perform a gap assessment when
embarking on a new domain. Involve a broad group of
stakeholders to develop team consensus. Each team should
understand both the business case and compliance
requirements.

Level 2

You have some customers asking for compliance. Your product or service is sold across several verticals with no clear focus area emerging as a core compliance need yet.

Gap Assessment
Letter of Intent from Auditor
Remediation Plan (if any gaps found)

Gap Assessment Defined
(See Level 1 definition)

Letter of Intent from Auditor Defined

This option is not well communicated across audit firms and some audit firms may not agree to it. If you ask for a letter of intent, they should be able to provide one after you have a signed engagement. The letter is usually quite short, describing the services you contracted the audit firm to perform. The letter may have the audit firm's letterhead and include a point of contact. It will not state any opinion or conclusion. Share this letter with interested parties asking to know more about your compliance status. It can also help remove friction in the market. This letter can be helpful in winning a competitive bid or contract. It shows your intent to be compliant. Once you share this letter, the reader will expect you to progress towards compliance.


Remediation Plan Defined

In most cases, you will have findings. Remediating the findings takes time. For example, if you need to create a new policy and procedure, it can take a week or two to write a new document. If you need to hire a new resource to strengthen the process, it could take several weeks. Some gaps do not have to be closed right away. You have an opportunity to respond to those gaps. Yes, it will result in a non-compliant report, but if you have proper justification, the reader of the report will understand the gap. You should always have a plan underway and work towards resolving all gaps. However, do not feel pressured to fix everything all at once. Work with your auditor and those parties requesting the compliance report. You should be in control of the process to ensure you make the changes when you are ready.


Level 3

You have an immediate need to be compliant (either a Request for Proposal or a major partner is requiring it).

Compliance Readiness (project should be in flight)
Internal Auditor or Internal Compliance Team in Place
Strong Grasp on the Controls to Track to Compliance
Focusing on One Compliance Domain and Establishing it as Your Foundation
Letter of Intent from Auditor

Compliance Readiness Defined

You should have a project that is managing compliance. Projects help implement changes in organizations. Your compliance efforts will change the organization and should have their own project assigned to manage the change. By using a project approach, you will have a business case and a project plan to evaluate your compliance readiness. Prioritize the changes required and maximize the impact to be effective. A communication plan should be in place to alert stakeholders. Without proper change management in place, your compliance project will take longer and cost more money.

Internal Auditor or Internal Compliance Team in Place Defined

Once you begin a compliance process, you should expect to maintain it. Some domains require annual assessments while others have a schedule over several years. You should either hire a compliance professional or assign a team the responsibility of compliance. Strong governance should be in place to empower the team. They will need to make changes to processes and organizational design that will be difficult. Especially when you are tracking to a prospective customer's timeline, you need to invest in this area to secure a favorable outcome.

Strong Grasp on the Controls to Track to Compliance Defined

Before you begin any assessment, you need to understand the requirements. Never start an audit without having the controls documented and well understood. Read through the controls to understand the requirements and expectations, including what evidence each control is expected to produce and who owns it. Track your progress to each specific control. As you begin to add more domains to your scope, the control mapping will help identify overlaps that you can label as common controls: one implementation and one set of evidence that satisfies requirements in several domains.
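The control mapping can be kept as data rather than in a spreadsheet nobody trusts, so the overlap between a foundation domain and each incremental domain can be computed. The following is an added example, not code from the original ebook or from any framework publisher: the two control catalogs are constructed, their requirement IDs (A-01, B-01, and so on) and common-control tags are made up and do not quote any real standard, and the evidence file names are placeholders.

```python
"""Mapping the requirements of several compliance domains onto common controls.

Added example, not from the original ebook. The two catalogs are constructed
and deliberately small; their requirement IDs and wording are made up and are
not the text of any real framework. Each requirement is tagged with the common
control(s) whose single implementation would satisfy it.
"""
from collections import defaultdict

# Constructed catalog of the foundation domain (the first one passed).
FOUNDATION = {
    "A-01": {"access-review"},
    "A-02": {"mfa"},
    "A-03": {"central-logging", "log-retention"},
    "A-04": {"change-approval"},
    "A-05": {"vuln-scanning"},
}

# Constructed catalog of a domain being added on top of the foundation.
NEW_DOMAIN = {
    "B-01": {"access-review"},
    "B-02": {"mfa", "password-policy"},
    "B-03": {"central-logging"},
    "B-04": {"encryption-at-rest"},
    "B-05": {"vendor-review"},
}

# Evidence already on file from the foundation audit, keyed by common control.
# File names are constructed placeholders.
EVIDENCE = {
    "access-review": "quarterly-access-review-2024Q1.xlsx",
    "mfa": "idp-mfa-policy-export.json",
    "central-logging": "log-forwarder-config.yaml",
    "log-retention": "retention-policy.pdf",
    "change-approval": "change-ticket-sample-2024Q1.csv",
    "vuln-scanning": "scan-report-2024-03.csv",
}


def tags_of(catalog):
    """All common-control tags a catalog requires."""
    return set().union(*catalog.values())


def common_controls(*catalogs):
    """Tags required by every catalog given: implement once, evidence once."""
    return set.intersection(*(tags_of(c) for c in catalogs))


def incremental_controls(foundation, new_domain):
    """Tags the new domain adds beyond what the foundation already required."""
    return tags_of(new_domain) - tags_of(foundation)


def reuse_ratio(foundation, new_domain):
    """Share of the new domain's controls already covered by the foundation."""
    new_tags = tags_of(new_domain)
    return len(new_tags & tags_of(foundation)) / len(new_tags)


def requirements_by_tag(*catalogs):
    """Index so one piece of evidence can be filed against every requirement
    it satisfies, across domains."""
    index = defaultdict(list)
    for catalog in catalogs:
        for rid, tags in catalog.items():
            for tag in tags:
                index[tag].append(rid)
    return {tag: sorted(rids) for tag, rids in index.items()}


def missing_evidence(catalog, evidence):
    """Per requirement, the tags that still have no evidence on file."""
    return {rid: sorted(t for t in tags if t not in evidence)
            for rid, tags in catalog.items()}


if __name__ == "__main__":
    print("common controls:", sorted(common_controls(FOUNDATION, NEW_DOMAIN)))
    print("new work for domain B:", sorted(incremental_controls(FOUNDATION, NEW_DOMAIN)))
    print(f"reuse: {reuse_ratio(FOUNDATION, NEW_DOMAIN):.0%}")
    for rid, gaps in missing_evidence(NEW_DOMAIN, EVIDENCE).items():
        print(f"  {rid}: {'ready' if not gaps else 'needs ' + ', '.join(gaps)}")
```

On the constructed catalogs, half of the second domain's controls are already covered by the foundation, and the gap assessment for the new domain reduces to three items (password policy, encryption at rest, vendor review). The tag index is what lets one access-review spreadsheet be filed against both A-01 and B-01 instead of being collected twice.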
Focus on One Compliance Domain and Establish it as Your Foundation Defined

It can be tempting to group several domains into one audit. Intuitively it feels like there would be a lot of overlap. Although this may be the case with some domains, there are too many nuances between each domain. Regulatory bodies compete to make their framework the best. This creates changes and customizations that are not apparent. It is better to begin with one domain and make it your foundation. This domain should be the one that aligns with your business and should set the tone for investing in compliance. As you add more domains to your compliance portfolio, the foundation domain will be the key to making it easier to add an incremental domain. You will have a baseline against which to compare new, eligible audit domains. The stronger your foundation, the easier it is to build on top of it.

Letter of Intent from Auditor Defined
(See Level 2 definition)


Level 4

You have passed one compliance audit domain. You are asked to add additional audit domains to your compliance portfolio.

Dedicated compliance staff to manage vendors, findings, and audit scheduling
Central repository for tracking auditor requests, evidence, and control status
Seeking multiple auditors to provide competitive quotes
Additional gap assessments as a precursor to new domains (one gap assessment per new domain)
Project plan for remediation, audit scheduling, and staffing resources assigned to support the audit

Level 5

You have a number of audits that are required by customers that you cannot afford to fail.

Dedicated compliance team with an organizational structure to oversee the process
Sophisticated Governance, Risk and Compliance (GRC) system in place
Dotted line to the Board of Directors with regular updates to the audit committee
Multi-year commitments with both external and internal auditors
Compliance consolidation and leveraging a single point of contact becomes a priority


The compliance curve is a reflection of the type of experience organizations go through before they are compliant. Most organizations fail to reach compliance maturity without making mistakes. However, these mistakes teach them lessons that help improve their approach. The more sophisticated the person managing compliance is in dealing with the auditors, the more success they will enjoy.

Sophisticated compliance managers know how to deal with auditors. They know when to push back on findings. They can spot pedantic procedures and convert them into useful, sustainable processes. Auditors do not gain much by failing an organization, so there is always some room for dialogue. Bullying an auditor can sometimes work, but this should never be the norm. In the long term, the auditors will rotate and future auditors may not be so easily bullied. You may find yourself failing an audit because the previous pushover auditor moved on and you have to face the reality of a non-compliant environment. Usually this also carries the risk of financial penalties.


TIPS

Depending on the size of the audit firm you hire, you can use letters of intent to your advantage. A letter of intent states that the audit firm will perform an audit. It does not express a conclusion and is only a paragraph or two. However, it can be useful to remove friction in the marketplace with prospective and current customers. It confirms your intent and buys you extra time (usually 6-18 months) to perform a gap analysis, remediate findings, and pass the assessment.

When undertaking an audit, you might fail some of the controls. It is okay to receive less than a 100% grade. For overachievers, this can be difficult because the findings are usually presented in red font at the top of the report. They stand out and make you look bad. Yet, those findings show that the process was followed honestly. Many organizations have findings; zero findings is the exception. It is also appropriate for you to comment on those findings and explain your response to the gap. This shows your maturity and understanding of the process.

It also helps the reader of the report if you contextualize the findings. You can provide a backdrop along with the business justification behind your decision. Customers that want new features are going to understand that the process for change management may be weaker, for example when highly desired features are shipped by circumventing the compliance-driven waterfall method. You can explain the rationale for your decision, while maintaining your agility and high growth strategy.


CONCLUSION

Compliance nirvana is a state that will take time. You will need to
measure the tradeoff between agility and growth. Each step along
the way will build your confidence that you can strike the right
balance. The better you can manage the change, the more in
command you will be of the final outcome.

COMPLIANCE AGILITY REQUIRES AGILE TOOLS.

Trying to figure out if there is a tool out there that will fit your compliance needs? Talk to one of our GRC experts. Visit us online at www.reciprocitylabs.com.
