Within every company’s growth, there comes a point where things are done well but are not documented in a way that someone else could understand.
Routine tasks get taken care of by the right people before they’re even asked, and no trace is left of what was done. The machine just continues to hum with the harmony of a well-orchestrated team. And all is well until someone takes a two-week vacation to Antarctica. Suddenly, while they are out, the unexpected happens, and the well-running machine screeches to a halt.
“What happened?” leadership asks, and everyone shrugs and shakes their head in uncertainty. Until it clicks: someone is missing. And while they were out, the thing they always do without being asked didn’t get done.
Doing it is so natural for them that they never left notes about what it was. No one can figure out what the missing step is, and they can’t reach the worker while they’re on the remotest continent on the planet. It’s a common event in companies, a growing pain of getting things done fast without a formal process for understanding what’s done and how it all fits together.
This is the point where leadership starts asking: “What do we do now?” “How can we document what we do?” “How can we prove we do it?”
As often as these questions get asked internally, your customers will likely ask them more often. Can you prove your systems are reliable, accurate, and secure? Can our business rely upon your services? Is our data safe in your systems? Whether the questions come from within or from outside, leaders begin to ask which governance frameworks they need to consider in order to answer them accurately and thoroughly.
B2C vs. B2B
Interestingly, many Business to Consumer (B2C) companies reach this point before Business to Business (B2B) companies.
In the B2C world, they probably get paid by consumer credit cards. In the early years, they outsource this to a hosted payment provider. Eventually they grow to the point where transaction fees are too high and bring payment processing in-house.
Along with it, the organization gets to learn about the Payment Card Industry Data Security Standard (PCI DSS) and the compliance it requires. Every system that stores, processes, or transmits cardholder data is now in scope, which is precisely the scope the hosted provider had kept off their plate. If they started small enough, they get by with a Self-Assessment Questionnaire (SAQ). Later, as transaction volumes grow, the organization must undergo an external assessment by a Qualified Security Assessor (QSA).
Either way, they’ve been forced to think about a portion of the business in a formal way they might otherwise have ignored.
B2B companies, on the other hand, typically don’t accept credit cards for payment and can get quite large before they bump into a compliance framework (unless they’re in healthcare, but we’ll leave them out for now).
Compliance normally gets handed to B2B companies by their new enterprise clients. These major publicly traded companies have been doing compliance for so long they’ve forgotten what it’s like for smaller organizations. Asking for a SOC 2 audit report or an ISO 27001 certification is no different from asking for a tax identification number.
They’re just things a company has once it’s that big.
To Audit or Not to Audit
For small and medium organizations, though, these are uncharted, complicated waters. No one inside the organization may ever have dealt with such requirements.
Agreeing to an audit can look like more risk than reward when the company considers how its operations actually work. Having no written policies or documented procedures feels lean and agile, and it keeps the business’s time and money focused on what seems important: running the business and improving the product. Becoming more compliant and supporting an external audit costs both time and money, and takes them away from everything else the business needs to be doing.
And so it becomes a cost-benefit analysis for leaders: is it time to become more compliant, or should it be pushed down the road?
When deciding whether to pursue a governance initiative or compliance audit, leadership must weigh the risks of taking the step against the risks of not taking it. Both paths carry risk. As mentioned, an audit takes time and money. It also creates operational risk, as key members of the organization have less time for their regular assignments.
Worse, an external audit of the organization’s activities might “fail.”
A SOC 2 examination has no formal pass or fail grade, but the auditor’s opinion can be qualified, and a qualified SOC 2 report (or one listing a long string of exceptions) may leave an organization worse off than having no audit at all, because customers will read it. Leadership must realize that these efforts take sustained commitment to succeed.
Is It Worth the Risk?
Not taking the step toward compliance has its own risks. First, if your customers are requiring it, you may lose them.
Second, prospective customers are probably asking about your security program as well. How does your business stack up against competitors who already hold those certifications or audit reports? Lost opportunities can have a significant impact on the growth of the organization.
Third, the organization may have reached a size, or entered a market, where certain compliance programs are required of it. Not having them brings the risk of fines and lawsuits.
Finally, an external compliance framework keeps the company accountable to its own goals for security and reliability. That accountability reduces both the likelihood of outages and breaches and the damage they cause when they do happen.
Hidden Benefits
Building a compliance program also creates benefits for the organization.
Set against those risks, a compliance program whose results you can share with customers builds trust. It demonstrates your commitment to reliability and security. It may put you ahead of competitors who are not as far down their governance path. And it ensures you are improving the security and reliability of your organization in a repeatable, demonstrable way.
And one more: you will likely find operational inefficiencies as you document your processes, giving you a chance to make your business more efficient.
The Wrap
Undertaking a compliance initiative, especially one involving a third-party audit, is an important decision for every organization.
When and whether to do it is not something to be taken lightly.
Even if the cost doesn’t concern leaders, the internal effort and commitment are important to understand. Adopting a framework, documenting your policies and procedures, and implementing the new systems needed to track everything will always take time and money.
But for many businesses, especially in the current market where customers are more risk averse, doing so is a wise investment. The benefits will outweigh the risks, and a more reliable, more secure, and more efficient business will emerge.
And they’ll have the report to prove it.