Integrated Compliance Frameworks—Avoiding Common Pitfalls to Enable Success

Organizations today are being burdened with an unprecedented volume of regulatory and compliance requirements leading to increased operational complexity, challenging production capability and occupying key resources. Integrated compliance frameworks offer a mechanism for these organizations to implement a single enterprise wide solution that allows you to “control once, comply with many.” While the concept is simple, implementation of these frameworks fails as often as it succeeds due to circumstances that could be prevented with up-front planning and coordination. Below are five basic points to consider before you begin your integrated compliance journey:

1. Start small, think broadly. It is tempting to try and tackle all compliance requirements across the entire organization in one pass. However, integrated compliance solutions take significant up-front time and effort to succeed. While a solution should be built with an organizational scope in mind, demonstrating incremental successes through smaller pilot efforts will help build support and keep momentum throughout the framework development and roll-out.
2. Consider the pros and cons of “off-the-shelf” frameworks versus custom built. You will find several solutions in the market that offer “off-the-shelf” integrated compliance frameworks. Careful consideration should be given to how these frameworks fit your organization, the applicability of all regulations/requirements included in the frameworks, and whether your organization truly understands the applicability of specific requirements if dependent on a package solution. On the flip side, while a custom framework can allow increased flexibility in scoping, control design and roll-out, there may also be increased overhead with maintaining a custom solution.
3. Identify organizational stakeholders. It is critical to identify who key stakeholders are within compliance, legal, audit, business units and IT, as the success of integrated compliance frameworks depends on support of all functions that are impacted by the various compliance and regulatory requirements included in the framework. Often times a steering committee made up of key organization representatives can help not only with the initial design of your integrated compliance framework, but also with the successful ongoing support of the program going forward.
4. Understand the applicability of requirements. Whether attempting to comply with SOX, PCI, HIPAA or other requirements, the effort of scoping each requirement for your organization in detail remains important to the effectiveness of your framework. While the purpose of an integrated compliance framework is to allow one common set of controls to achieve all applicable requirements, that does not mean all controls apply to the entire organization. Understanding and capturing the scope of each applicable requirement is crucial to demonstrating that the appropriate level of control has been applied to the environment while not over controlling.
5. Consider the outputs at the start. It is easy to get buried in the details when designing and implementing your integrated compliance framework. Careful thought should be given at the start of your program to define goals, reporting and key metrics that will measure success. Integrated compliance frameworks can help achieve a reduction in controls, improved compliance reporting, a reduction in hours spent on compliance efforts, and improve the ability to strategically address compliance and regulatory remediation efforts. Identifying key outputs for your organization at the start will allow you to design your framework in a way that will help best realize these benefits and be able to effectively communicate them to management.

Implementation of an integrated compliance framework is a complex undertaking that cannot be solved with a quick-fix solution. As is the case with any large project, management can improve the likelihood of a successful implementation through careful planning and consideration of the organization’s objectives and risks to those objectives. Proper consideration of the points above can help you start on your journey to a simplified and integrated compliance landscape.

Nick Blaesing, CISA
Director, Risk Assurance, PricewaterhouseCoopers LLP

[ISACA]