Are healthcare IT service compliance investments delivering returns?

     

The issue of compliance has become a prominent concern for every industry - and not only because failure to meet regulatory mandates results in stiff fines. The interconnected nature of modern business means that word of even minor mistakes can get out and drastically affect customers' perceptions regarding how a particular organization operates. It should be no surprise that companies in the most regulated sectors spend the most on ethics and compliance (E&C) activities. However, a recent study from the LRN corporation found no connection between the amount of money invested in E&C and the effectiveness of these programs.

The importance of ethical business
While not entirely the same thing, the disciplines of ethics and compliance do overlap. For instance, compliance mandates often deal with how companies can store and handle information. The Payment Card Industry Data Security Standard (PCI-DSS) includes provisions for encrypting data as well as guidelines that advise which types of information should be stored in the first place. The same factors can emerge from an ethical perspective: How, and to what extent, should businesses be accountable for protecting sensitive information? LRN analysts argued that modern expectations regarding moral operations have made E&C not only a responsibility but a source of differentiation.

"With increasing market saturation and commoditization of products and services, there's a realization that companies have to compete less on what they do or make and more on how they do it - which means a corresponding shift of emphasis from transactions to relationships," the report stated.

Heightened expectations regarding E&C put organizations under even greater pressure to orchestrate effective programs. However, there are also a lot of factors that can inhibit success. For one, many companies are subject to numerous regulatory mandates, making it difficult to track and spread awareness of all practices that must be followed. Adding to the complexity is the number of different departments that compliance will touch - from executives giving financial reports to stakeholders to the IT staff responsible for protecting the data that empowers those reports.

The business challenges
Despite heightened expectations from customers, compliance teams have still struggled to create effective programs. Much of this issue can be attributed to a lack of resources. As a Thomson Reuters survey revealed, most organizations have fewer than five people managing compliance even with the increasing interconnectedness of business processes, IT systems and enterprise data. Researchers confirmed the issue of growing complexity, with 84 percent of organizations expecting an increase in the amount of regulatory information they would need to track.

Consumer technology entering the enterprise environment presents another compliance headache. While this often deals with issues like bring your own device, it may also be affecting business processes themselves. The problem is that, for many employees, professional and personal lives are blending. A recent example of this issue comes from the practice of email forwarding. An anonymous security professional wrote a Computerworld blog post, describing the problem at his or her organization. One marketing employee configured her business account to forward messages to a personal email service, which went against company policy regarding data.

Although it could potentially be more convenient for an "always-on" employee to have data sent to multiple locations, the security manager suggested that the real motivation may have been a higher level of familiarity with a personal email service when compared with the company's alternative. It's easy to imagine the compliance headache that would be caused if email forwarding became widespread, as sensitive documents would be automatically sent outside the organization's control. However, it is important to note that setting policies is not enough to build an effective compliance strategy. Security and compliance officers must also encourage user buy-in to ensure that those policies are being followed.

Supporting users and the business
One of the key lessons from the LRN report is that compliance is just as much a behavioral issue as it is a business process or technical one. Looking more closely at the Computerworld use case, it's easy to see why marketers working from home or on business trips would turn to the familiarity of personal email. They would be able to send files more quickly because they would know the interface better, and having business email sent to personal inboxes would ensure those messages get noticed. This may not be an acceptable practice in most enterprise environments, but business and IT leaders can still learn from those motivations. When evaluating current solutions for data exchange and file transfer, for example, it is important to choose software that streamlines the process as much as possible.

Transparency is another key component that will resonate with employees. Prior to adopting new technology that would affect the daily work lives of their employees, businesses should clearly communicate why they're doing it and what their expectations are. For instance, companies adopting a new managed file transfer service can highlight the risk posed by turning to non-sanctioned transfer options and emphasize qualities like ease of use in their new solution.

Familiarity can present another significant barrier to adoption. After all, why use some new software when it's faster to use what is already there? Company-sponsored employee education programs can shorten the learning curve significantly. LRN also pointed out that employees will have different styles of learning, making it important to leverage multiple engagement channels. One way to build more employee awareness would be to supplement in-person training sessions with tutorial videos or documents that guide employees in how to complete certain functions. Incorporating elements of compliance in these learning sessions may also help create greater support for the company's E&C efforts.

"A blended learning approach to E&C education takes the message off the screen and into the workplace, while frequent and novel approaches wake learners out of the slumber induced by the annual 'hostage video' CBT modules of the past," the report stated. "More isn't better; better is better. To have the most impact on E&C education, framing needs to occur in as much proximity as possible to the events, and the decisions involved."
