When we think about compliance, we generally think about rules and regulations that have been put in place to protect consumers and companies from dangerous, sloppy, or just plain illegal practices. While the current administration has been quick to point out the number of regulations that have been deleted, the reality is that there are many, many regulations still in place. It’s not our intention here to argue whether regulations in general are good or bad, or how many is the “right” number. The point is that regulations still exist and always will, and although, in the opinion of some, they may have become overly protective, following those that apply to your industry is critical to your company’s long-term financial well-being. But what if we can add another purpose to compliance, something other than protecting the public, or workers, or the environment, and that actually helps you grow your business? What if we turn compliance into a business-building tool? If we can do that, chances are compliance would no longer seem like such a burden.
The financial crisis that began in 2008 spurred regulators to create a wide range of new and sometimes complex (translation: difficult to implement) regulations. While many of these were related to financial transactions given the timeframe, many were not and you may well have found your company struggling to keep up, and finding regulatory expenses mounting with no apparent financial upside. This paper will hopefully give you some ideas as to how to turn this burden into a competitive advantage.
Consumer confidence in the corporate world has eroded over the past few years, not surprisingly, perhaps, with scandals at Volkswagen, Equifax, Home Depot, and many others. And no matter how many new regs seem to be imposed, the scandals keep on mounting. So how do you, as a senior executive in a small to mid-sized company, keep the confidence of your clientele? We believe this begins with instilling what we call a corporate culture of compliance.
Instead of treating compliance as the enemy, like a necessary evil that is covered once a year during mandatory training sessions akin in excitement to defensive driving classes taken to keep from getting points on your license from a speeding ticket, think about how compliance can become part of your everyday work scenario and how a managed IT support company like DynaSis can be an excellent partner in this effort.
Compliance can be difficult to achieve if it is treated as an annoying afterthought, only seriously considered once a year during that mandatory training session. This is what we call a “back of mind” scenario, and it is often the trigger for failing to meet compliance standards. A better way is to ingrain compliance into your company’s basic culture through regular training. This regular training doesn’t need to be time-consuming or intrusive. It can be accomplished through updates, 30-60 second refresher training modules, quick contests or other creative ways. Your reward is a team that is fully compliance-oriented, with a significantly reduced likelihood of falling out of compliance and the problems inherent therein. It also shows your employees the integrity of your company, the importance you place on remaining fully compliant, and the accountability you place on them.
As we stated earlier, in spite of the talk we hear about the roll-back of regulations from D.C., most regulations surrounding compliance are still, and will likely remain, in place. There are many industries that have significant compliance requirements. We are not going to address any of them specifically, but speaking generally, let’s look at the risks of failing to comply.
Fines: Government fines can be crippling, especially to a small business, even a non-profit. A hospice in Idaho recently had a laptop stolen. On that laptop were the personal health records of more than 440 patients, and the records were unencrypted. This was a HIPAA violation and the government hit them with a $50,000 fine. Keep in mind that this was a non-profit organization and that one-third of its staff were volunteers. Of course, this pales in comparison to the multi-million dollar fines we hear about being assessed against large companies, but as a small business executive, receiving a notice of a $50,000 fine would certainly be considered a “bad day”, especially if this compliance issue fell within your purview.
A year-old (2017) Verizon report showed that 80% of companies required to comply with PCI DSS regs (financial services industry) were not fully compliant. As consumers, we find that pretty scary. As a financial services business owner, consider that fines can run from $5,000 to $100,000 per month.
Public Relations: Atlanta is a big city, but in some ways, still a small town. Watch the local news one night and you will see segments on a stolen car, a small house fire, a water main break, or a restaurant that was shut down by the health department for a few hours (BTW, that is also a compliance issue.) So how do you think local TV will treat the news that a local business was fined $50,000 for HIPAA violations? You really don’t want to find out.
Customer/Client Confidence: Assume you are that company that gets tagged with a serious non-compliance issue and your $50,000 fine makes the evening news…and then the morning news…on all five of Atlanta’s affiliated news programs. How would your clients react? How would you react if that happened to a vendor you did business with and that you relied upon? Chances are that if this happened to your company, the fines involved would only be the beginning of your troubles.
But let’s look at this from another angle. Instead of worrying that your company will get caught, how about if you turn the tables, make full compliance and managed IT security part of your corporate culture, and then use that compliance and the security it brings your clients as a competitive tool?
How do you look at compliance?
We would be the last people to claim that every government or industry regulation is well thought out or practical, but on the other hand, there usually is at least some logic behind most of them, and whether or not you agree with them is not the issue. And consider this: when your company operates within a culture of compliance, adherence to new regulations becomes easier. It may be expensive, it may be time-consuming, but if you want to avoid the fines, the public relations nightmares, and customer pushback, and since you have to do it anyway, let’s discuss how doing it right can build your business.
So, the first thing is to NOT shrink your bottom line with large fines. Your business is probably not publicly traded, but studies do show that accounting-type scandals can whack 27% off a company’s share price. You may not be able to track it the same way, but the devaluation is still there.
And consider this: recently, some fines imposed by governmental agencies have actually been reduced when regulators determined that the infractions came in spite of compliance programs being in place…albeit not necessarily as effective as they should have been. A Japanese manufacturer of automotive parts, doing business in the US, was fined for price fixing and bid rigging, but had its fine reduced because it was determined that they were on track with a new compliance program…and these two infractions were not necessarily even tied to compliance.
Of late, there has been a major uptick in the public’s perception and deemed importance of a company’s integrity. Blame it on social media or the “24-hour news cycle”, but the reality is that people expect ethical behavior from the firms with which they do business. Pollute the streams, foul the air, or fail to protect people’s money or privacy, and your reputation will take a hit. On the other hand, if you can point to your outstanding record of compliance with these issues, your reputation can enjoy a real boost. How do you accomplish this? By building a corporate culture of compliance and integrity. Let’s look at some of the building blocks:
Corporate Awareness: You can’t be compliant if your people don’t know how to be compliant, whether it’s maintaining clean air releases or working with your managed IT support company to ensure that your sensitive records are protected under PCI, HIPAA, or any of the alphabet of regulations that may affect you. The good news is that once people get on board, keeping them on board is relatively easy. (Read our White Paper on Employee Training.)
Corporate Communication: Ethics are an important part of the mix. It’s one thing to try and effect compliance because you have to do it, it’s another to effect compliance because it’s the right thing to do. It’s important to not only communicate that compliance is required because of regulations, but it is even more important that your people understand why the regs exist and how you are helping the community at large (and maybe helping your individual customers, as in the financial services industry) by being compliant. Most employees take pride in working for a company that is truly ethical. You should take pride in educating your people on your high ethical standards, exemplified in part by compliance. This message should also be transmitted to your clientele through news releases, newsletters, and direct communications from your sales and support teams to your customers.
Partner with an Experienced Managed IT Support Provider: A great deal of compliance revolves around your network security protocols and your relationship with your managed IT support company. While they may not be the people who prevent chemical waste from being illegally dumped where it doesn’t belong, they will make sure that your customer records are safe and secure, and properly backed up in case of data loss. They will make sure you are in compliance with PCI DSS, HIPAA, SSAE 16/SAE, ISO 27001, SOC 2, SOC 3, Safe Harbor and others.
As a small business, you may feel you can side-step some requirements because regulators will be spending their time looking at the larger companies. In some cases, this may actually be true on some levels, but is this a chance you really want to take? Depending on your industry, there are many areas of compliance and, of course, our focus is on those that involve IT. We are always here to help you in that area, but don’t be that company that gets caught in any type of compliance violation. You don’t want to be that company featured on the evening news. Instead, look at ways you can use your compliance to foster your reputation and grow your business.
At DynaSis, we have been providing managed IT support in Atlanta to small to mid-sized companies since 1992, and in those 25 years, we have become highly skilled at helping our clients meet or exceed compliance standards, while also protecting their businesses. Give us a call and we can discuss how we can help you turn compliance into a competitive advantage. 678-373-0716, or visit our website at www.DynaSis.com.