VanRein Compliance Podcast
Learn how you can secure the future of your business with a clear plan to reduce your risk. We discuss all compliance and data security matters of SOC2, ISO27001, HIPAA, GDPR, CPRA, NYShield, Texas HB300, HITRUST and include life stories as well. It's NOT just a boring BizCast. We also talk about our Family Business and how you can start your own Family Business that will reshape your future.
From Restart to Rhythm: Building Compliance Readiness
We draw a hard line between frantic resets and a steady compliance rhythm that proves readiness when it counts. Clear ownership, small cadences, and current evidence cut drama, reduce risk, and build trust with auditors, partners, and customers.
• defining readiness as proof not perfection
• event-based scrambling versus behavior-based cadence
• maturity signals auditors actually trust
• named owners and deputies for continuity
• weekly to annual review rhythms that stick
• avoiding tool creep and demanding real evidence
• aligning to HIPAA, SOC 2, ISO, HITRUST and privacy laws
• structure and measurement over willpower and heroics
Join Rob and Dawn for our “How To Do An AI Audit” webinar this week
Every January, companies swear this is the year they get compliance under control.
Dawn: And by March, policies are stale, evidence is outdated, and everyone's hoping nothing goes wrong.
Rob: That's the problem: most organizations that we work with don't have compliance readiness, so we get them prepared. They have compliance intentions.
Dawn: Right. But intentions don't pass audits. Systems, processes, and intentionality do.
Rob: Exactly.
Dawn: Today we're going to talk about the difference between restarting compliance and building a compliance rhythm that actually holds when it matters most.
Rob: I'm Rob.
Dawn: And I'm Dawn.
Rob: And this is the VanRein Compliance Podcast.
Dawn: Like we said, January brings lots of new things: a new year, new resolutions, new policies, new tools, new training, new employees, new, new, new. New spreadsheets.
Rob: Oh, spreadsheets. But a lot of gaps in their security and compliance readiness, right?
Dawn: Yes, exactly. Because most compliance programs are event-based, not behavior-based. A compliance restart is triggered by an audit, a contract renewal, a client escalation, a security incident and/or breach. It does happen. And if readiness only exists right before the pressure, it isn't readiness; it's reactive survival. It's like putting out a fire, basically.
Rob: Yeah, we want to build the fire, not just be putting out the fire. Right. If compliance only works when everyone's nervous, it doesn't work.
Dawn: And if your team needs reminder emails to follow required controls, then that's a people problem and a system problem.
Rob: It all ties in together. That's what we say. Exactly. So let's be clear here, Dawn. Let's talk about how compliance readiness is not perfection, right?
Dawn: Right. Readiness is proof. Proof that you are ready if something happens. And what is that proof? Well, let me tell you.
Rob: Why don't you tell the folks?
Dawn: Clear policies and procedures, clear named ownership for those controls and processes, repeatable workflows, evidence that's current, not last year's or ten years ago. "This is the way we've done it all these years. It's the same." Not really. That evidence needs to be updated within the last year, and we're talking about logs and things like that. And decisions that don't rely on panic, favors, or heroics. A compliant organization doesn't ask, "What do we do if this comes up?"
Rob: They ask which controls already cover this, right? How do we actually prepare for this? And if you're doing readiness for ISO, HITRUST, or SOC, it's making sure that you have current evidence and everything is pulled together.
Dawn: Yeah. And that's considered maturity. Your compliance program is matured.
Rob: Yeah. Maturity is what regulators, clients, and partners actually trust, and that's what we look for as well. So what we do at VanRein is we actually rate your maturity level as a client. Five means you're highly mature: you have a well-oiled machine, you have a compliance department, you have an internal team that just focuses on compliance. All the way back to one, where we're like, "I'm just trying to keep the lights on. Help me, Rob and Dawn. We've got to get this going." And then that maturity rating is how much we have to lean in, or watch and manage, and put guardrails around. Correct.
Dawn: Yep.
Rob: So how about as we get into restarting versus the compliance rhythm, right? Here's where we shift as leaders. This is what we're really focusing on: a restart is emotional, right? Like we're going to restart a project, we're going to restart reading this book, I'm going to restart a new year and start working out or eating better, right?
Dawn: It's a new diet, yes.
Rob: A new diet. It's always a new diet. I just don't do diets, so it's easier that way. But compliance rhythm is operational. How are we going to do this day in and day out, deliver excellence, and protect the data that we're entrusted with? You know, a restart looks more like this. Sometimes it's triggered by fear, like people read something online about an AI incident or about a physical breach or a theft. It's fueled by urgency, short-term fixes, and one person scrambling everywhere to get the evidence for an audit, or making sure the infrastructure is set, or there's a phishing attempt or a phishing attack they're dealing with. But compliance rhythm, and we want to shift from restart to a rhythm, is where we have scheduled reviews. We do monthly check-ins, we do anytime check-ins, we call them in VRC1, where you have M and our team going through that and making sure things are updated. So if you have a question, you reach out to the team. We have assigned owners. This is a bigger one. You can't just say IT has it or legal has it or the manager has it or the team lead has it. You have to actually have a name, not just a department, but a name of who has the ball of compliance, what you're going to do with it, and how you're going to do that. Evidence checked continuously is a big area, and no surprises. So continuously, how we look at that is from a monthly or sometimes even weekly standpoint. Do we have the right password policies? Do we have the right encryption levels? Do we have everything put together as needed to ensure that we are compliant with the regulations and ensure that we will meet our audits?
Dawn: Yep. And you could argue, "Well, this sounds boring. A rhythm's boring." Well, that's really the point. It's not boring, because if you work with VanRein Compliance, we make compliance fun, by the way. It's very fun. Rhythm means that you're in control of it, you have it, you're maintaining it, you feel confident. So if that's boring to you, so be it. But we don't consider it boring; we just consider it being really smart. And by having a rhythm, you're going to pass an audit.
Rob: Yep. Yeah, I don't think of it as boring. I really think about it as, you know, we're into the collegiate playoff. I can talk. It's Monday. We know we're into the playoff season in football. So rhythm is perfection, right? You're going to snap the ball the right way. You're going to run that play that you've run a thousand times; you're going to run it a thousand and one times, and you're going to continue with that. And so that's what we're looking at with compliance. What's our audit rhythm? What's our review of everything we need to do to keep things going? We need weekly operational control check-ins. You know, we have a weekly staff meeting here at VanRein. We look internally at how the business is working and how we're working with our clients. And that's what you need to do as well: look at where we are with our technologies, where we are with our controls. And that ties in from weekly into monthly. We do those monthly risk and issue reviews, then move that into quarterly, and quarterly into annually. So, you know, you can't eat the elephant all at once, right? But if you can take that elephant and break it up into little pieces, from weekly, monthly, quarterly to annually, it's a lot easier. And then it's more successful, and you're not just shoving stuff at an audit and getting panicked when an auditor is looking for information or when your clients are asking you to complete a 157-question security questionnaire.
Dawn: Yep. Absolutely. And, you know, if all this is uneventful and you're just going through and doing your weekly, your monthly, your quarterly, your annual, that's okay. That's the goal. You don't want surprises. And by being uneventful, that means you've been maintaining it. You know what to expect every week, month, quarter, annually. You know what policy needs to be updated; you know what control needs to be adhered to. So that's definitely the goal.
Rob: Yep, that definitely is. Because we want to have that compliance readiness, right? We always want to be set and dialed in and ready to go. So if it fails, it's because leadership stopped reinforcing it. So it's important that the owners don't get vague. You know, they don't just go off the compliance script, if you will, and they make sure they know what they're looking at. Or the tools multiply, but clarity disappears, right? We need to make sure that if you're adding tools, and a lot of organizations like to do this, they keep adding more tools to fix issues or problems, that it doesn't disrupt the security and the framework of your business. The next piece is really looking at how leaders in the organization, your compliance officers, need to continue to ask for proof, right? How are we enabling and maintaining our multi-factor authentication and everything from disk encryption to data encryption? What does that look like? And then that one piece is, I always say this when people say, "Oh, we're all busy, busy, busy." Well, are you busy, or are you actually doing anything? Those are two different things.
Dawn: Busy or focused?
Rob: Yes, focused forward, like we talked about last week, right? Exactly. You have to have someone that is accountable. And we actually name privacy officers in all of our documentation and in our book of evidence, as we call it. Not just a department, not just legal or IT or something. It's like, you know, Tom in legal or Stephanie in IT as an IT manager. She is responsible for that, or he is responsible for that.
Dawn: Yep. Yep. There has to be one person accountable: the compliance officer or privacy and/or security officer. Some companies have both, or one, or they're just one person. And hopefully there's more than one person in your compliance department. But we need to make sure that they're held accountable, and that the folks on their team who need to be assisting with maintaining compliance are also held accountable. So everyone needs to have accountability in your compliance. And you can't just accept "we'll fix it later." You need to sit down, figure it out, come up with solutions, and make sure that you have it all laid out and organized.
Rob: Yep, and documented. Don't just say, "I've got it in my mind." Exactly. What you say is actually documented, which is really key. And looking at the controls for the year, you know, what do we have? So say we're healthcare: we obviously have HIPAA, but then what if we also have an ISO or a SOC? So we've got to make sure how we're meeting each of those controls. And if there are any changes in the environment, what does that look like for the data set and for those audits? Because compliance readiness is a leadership discipline, not compliance department tasks. It's not about just getting the tasks done. It's about actually going through and making sure we are ready for the audit or for other incidents.
Dawn: Yep. Yep. And let's talk about how we can lock in this compliance rhythm and make this real. There are really four rules for a compliance rhythm. The first one is assign real ownership: not a committee, not a department, a name. So Bob Smith, he's going to be the owner of this control. Okay, well, then Bob is in charge of the policy, the procedure, and the evidence that needs to be provided to make sure that Bob and the corporation attest to that control. The second is build a small repeatable cadence. So, you know, if you need to work on this weekly, work on it weekly. If you need to etch out that hour every week to work on this with your team, then do that. If biweekly works, then do that. Just figure out what that repeatable cadence is. The third is measure what you expect. If it's not reviewed, it's optional. No, you need to review it. You need to make sure that everything is required. It's not an option. You need to make sure that you expect this is what we're measuring and this is what I expect the outcome to be. Having those, I guess you'd say, SMART goals, because that's really what those are. And the fourth is normalize the readiness. Compliance, you know, some people say, "Oh, it's just a lot of work and I just don't have the time, and it's an extra thing I do, it's an extra duty I have," but it is important and it's how the business operates safely and securely.
Unknown: Yeah.
Rob: Yeah. It definitely is, and that's exactly what we're looking at: making sure it's not optional, making sure it's part of the rhythm within the organization, right? It's not just a goal, it's not just about, "Oh, we're going to do that." Yes, you can make compliance excellence a goal, but make sure that you work towards it and that you have intentionality in achieving those goals so that you can have fewer fire drills, which is really important. We don't want those fire drills, we don't want those security questionnaires, we don't want all that randomness to pop up. What we want is a fully developed system of compliance and mindsets so that you are ready to deal with any of those issues that pop up. Because strong systems remove friction and weak systems create drama. I only want drama on TV; I don't want drama in the compliance world. Right.
Dawn: Right. You want to be prepared for drama and not blindsided by it. Yes. So if you're listening to us right now and you're thinking, "Oh, I need to do a reset," what should we do there, Rob? What if they're thinking of a reset?
Rob: Yeah, if you're thinking of a reset, you need to really evaluate the business, right? Evaluate what we need to adhere to. Is it HIPAA compliance laws? Is it data privacy laws? Yes. Are we going to expand our scope into AI this year? How are we going to step up to different frameworks or additional frameworks? You know, are we going to look at ISO or SOC or even HITRUST? What does that really look like? So those are the key pieces that you're really looking for. And then you need to start building that rhythm, right? So, building the rhythm.
Dawn: It's not a reset, it's a rhythm.
Rob: It's a rhythm. That's what we want to do. We want to go from restarting to actually saying, "This is a rhythm of compliance," just like you have a rhythm for reviews for your team, a rhythm for payroll, a rhythm for taxes, a rhythm for getting up, maybe working out, eating right, or whatever that looks like, and get compliance on that same scale.
Unknown: Yeah.
Rob: So that you can have a rhythm with compliance as well, right?
Speaker: Mm-hmm.
Dawn: Correct. Yep. Yep. And a structure, a maintenance structure, an operational structure. It's built into your systems and processes. Yep. On a daily basis, meaning you don't have to work on it every day, but it's built in. So at any time, if something comes up, you already know that you have that process in place.
Rob: Yep. And you want to think about it like this: we've talked about the actual rhythm, but what about getting into reality? What does that look like, Dawn? Going from that into an actual reality of what it looks like when we actually achieve compliance goodness, and what does that look like when we actually put that together? So the reality looks like: when you get a security questionnaire, you know what it's going to look like. You know everything that you're going to go through. And not having that drama, going from that theater into actual compliance reality.
Dawn: Yep.
Rob: Yep. Policies are written for auditors, not operators, right? Screenshots are already staged. We have the data, we have the information. Maybe you need a couple of screenshots that are current to verify that on January 12th, the day we record this, yes, we have antivirus enabled, we have our encryption enabled, all that. Those are the key pieces. Yeah.
Dawn: Yep. And make sure about the evidence and the policies and procedures. It's not like, "Let's hurry up and make something up and get it done, and let's take this and that and find it and put it up there and we're done and we can check it off." That's not compliance at all. That's not being prepared. That's rushing around, hurrying up, and throwing stuff against the wall to see if it sticks. We're talking true evidence here: evidence that is from that audit period, those logs and that type of thing. It's not scrambling and just trying to throw anything up there, creating something as we go. That's not what that's about. It's actually finding real evidence and making sure. And if you don't have it, you don't have it. That's where the remediation comes in. That's where we help assist with those gaps.
Rob: So what about, Dawn, if only one person knows about the compliance program, right? If that's the only person that knows what to do. Or the big issue I see is that only one person has the keys to the kingdom. They know how to access the systems, but nobody else does. So if that one person is on vacation, or is gone, or is ill, or something, what does a company need to do to build that out?
Dawn: Yeah. Yeah, you definitely need to have, as we call it here at VanRein, a deputy. Yes, we have that term within our team. You need to have someone; it's kind of like having a successor for your business.
Unknown: Yeah.
Dawn: Who is that person going to be? Things happen. Things happen every day: illness, you name it. Things happen and people have to step away from their business or whatnot. Or even people sell their business. So what does that look like for that next person in line? Well, that next person in line, I bet, would like to have some sort of book, a playbook of knowing what to do. And this is where we create a book of evidence. This is your policies and procedures for HIPAA compliance. And here's VRC1, here's the last audit you did, here's the evidence that was provided. All that is available, and that would be good to pass off to the next person. And having someone else be involved and not just one person, that is going to be the best thing. I find, with the audits that I'm involved in, if you have more than one person on your team, you're going to be extremely successful. If you're trying to do it on your own, you can do it, but it's going to take a little bit longer, and it's just really nice to have more than one person. And again, if you're unable to finish, then you've got someone that can back you up.
Rob: Yeah, I love that. I think that's opening up a little bit of the VanRein playbook: the deputies. So we have deputies within VanRein. So if one of us is unavailable or ill, we know where to go. We know the deputies. And we have a couple of those on our team, so they know how to keep things going if one of us is unavailable. And so you need to have those deputies in your organization so that you can keep on going. Plus, you share the load of compliance and security. Yes. To ensure that everybody has perked up their ears, if you will, and their eyes. So when they hear about a new product or they hear about a security incident or something, they know how to engage and deal with it. Instead of just waiting for someone to deal with it, they can just go ahead and jump in and be really intentional, because those deputies are really key. Yep. Yep. And that kind of ties into what auditors and regulators actually look for. So what we look for when we're looking at the rhythm of an organization is that it's very well oiled, meaning that the documentation is put together, meaning that there are maybe even meeting minutes that we've seen from an audit perspective in the last month or so, meaning that the documents aren't four or five years old. Maybe they're just a couple of months old. Yeah. Looking at inventories: when I see an inventory, that's a key piece. Do you have an inventory of your environment? Do you really know your environment?
And then when we do on-site audits, which are fun, when I do an on-site audit and you talk to multiple people, they all speak the same language. And you can do that over Google Meet or VRC1 Meet or whatever meet you want as well, and you can really get a good feel of the environment and a really good feel of how people are working together, or if they're not working together: if IT is disconnected from legal, or if compliance is disconnected from finance. You really need to make sure people are dialed in there so they have a very good rhythm and are not just restarting.
Dawn: And we're not looking for perfection. Auditors aren't looking for you to be perfect. They're looking for consistency. All right, if you're in the first year out and you're building your program, you're not going to have anything; we're going to help you build that. You're going to build it up. The second year of auditing, we, or the auditor, are going to look for: have you implemented it? Okay, yes, you have. Okay, well, maybe you need some help with that. The third, fourth, fifth, and so on and so forth, they're going to look for a lot of consistency with that implementation. Are your policies and procedures updated? Are they versioned correctly? Have you implemented this, this, or that? Do you have good documentation of XYZ? So consistency is really the key.
Rob: Yep. And when you have a solid compliance program, it survives leadership changes. So let's think about that. There's always change in business: a company gets purchased, a leader leaves, he or she goes on to the next season of their career. When you have a solid compliance program and you have those deputies there and ready to go, it doesn't matter who's in that leadership seat. We're all kind of leaders to make sure things are dialed in. So make sure people know what to do when there are leadership changes, audits, and definitely growth within the organization. Those are really key pieces.
Dawn: Yeah. And Rob, what do we hear from a lot of customers? "Oh, compliance just takes so long. We'll just do it later, another day. We'll worry about that later." That word "later" comes up quite a bit, doesn't it?
Rob: It does. Or "I'm too busy." Too busy? Well, are you too busy to do your finances, let me ask you that? Are you too busy to run payroll? Are you too busy to deal with taxes? Are you too busy to work with your team, maybe do their HR reports? No. So this is an important part of the business, because your clients are actually entrusting you with their data, and you have legal requirements at a federal and state level, plus you have contractual obligations for your master service agreements and how you're doing business to maintain that data and keep things going. So we want to build that rhythm.
Dawn: Yeah. And the longer you wait and you keep saying later, later, your risk is higher. Definitely. And your employees, your business associates within the company, your leaders have no idea what to do. So that is dangerous. And then, yes, you run into contractual failures with customers and that type of thing, penalties possibly, and just really a lot of risk exposure, because you just start pushing it off, kicking the can down the street. So, yep, don't wait till later. Don't wait till later.
Rob: You know, so if you're listening to this today, this podcast, think about how you can do a compliance reset to get a rhythm in your organization. How do you build a rhythm? Because it doesn't just come from motivation, like Dawn had mentioned; it comes from the structure of how you do that within the organization. Right. Yep. And we know that structure beats willpower every single time. Making sure you have good structure and good frameworks within the organization to take care of things and to make sure that your organization has great rhythm, to make sure that you are ready for audits, you are ready for law changes, and you're ready for the ever-changing business that you're working on. And probably to wrap things up, Dawn, I think the deputies are key in the organization.
Dawn: Get yourself a deputy. There you go. There you go. Get yourself a deputy for compliance; that's all you need. Well, thank you so much for joining us. If you like the podcast, obviously hit like, and if you like it, subscribe as well to make sure that more people can hear about the podcast and hear about how we can build a rhythm in your organization. And until next week, thank you for joining. Bye. And hang on, one more second. One more second. Oh yes, you forgot the webinar this week.
Rob: Oh, the webinar. Because the other big thing that obviously is a huge thing this year is AI.
Dawn: So join Rob in the webinar this week, and he will make sure he includes that link in the show notes. There you go. Sorry to interrupt you, but I was like, we have to tell people to join.
Rob: You're exactly right. I'll put it in the show notes. I got excited about deputies. I'm like, yeah, that's it. Yes, we'll be doing a "How To Do An AI Audit" webinar this week. Very excited for that, and I'll have all that information in the show notes.
Dawn: Sounds good. All right, until next time. See you later. Bye-bye.