As the COVID-19 pandemic captured the headlines, another, less visible pandemic was playing out: the compliance pandemic.
Prior to 2020, there were warning signs that compliance might one day upend the business world. Savvy businesses acknowledged it was a matter of when, not if, but many preferred to delay the inevitable for as long as possible.
The compliance pandemic of 2020
When COVID-19 emerged in late 2019 and its macro effects were felt in 2020, it accelerated digital adoption around the world. That was great for digital-native companies, which saw increased sales of their software; investment and company valuations skyrocketed. But along with that increased digital adoption came increased compliance scrutiny. Enterprise customers began imposing rigid compliance requirements relating to information security, user privacy, reliability of service, and even environmental and social factors.
Previous compliance outbreaks had been limited geographically, confined to specific industries like financial services, or both. Since then, there has been a rapid rise in dependency on third-party software products, a snowballing landscape of digital risks, and soaring public expectations with respect to digital security, privacy rights, and the environmental and social impact of organisations. These factors, combined with a major shift to digital adoption, created the perfect storm for the Great Compliance Pandemic of 2020 (GCP20).
Risk factors of compliance
When GCP20 hit, many of the younger, digital-native, and agile businesses were less affected. That was in part due to their secure-by-design principles, their use of more modern and secure infrastructure and software, and their progressive organisational values. It helped them avoid the more severe impacts seen in older, more complex businesses that were slower to adapt and recover. Those with pre-existing security and governance weaknesses were at higher risk of poor outcomes. In some cases, compliance would be the end of the road for those that couldn't adapt to the increased standards of the modern, digital world.
Compliance mutations and strains
GCP20 mutated into many different strains. Most businesses couldn't tell the difference, but each strain posed a risk to company health, with the potential to put a team out of action for weeks, months, even a year and beyond. Some of the well-known strains included SOC 2, ISO 27001, HIPAA, and GDPR. All of these strains, and more, are still in circulation today. The dreaded ISO 27001 strain had the greater health impact, on average burdening the team for 6-9 months before compliance was achieved. With others, like SOC 2, recovery could be as short as a few weeks, but transmissibility was high: it was easily passed on through supply chains, and the software industry's prolific use of third-party products and partnerships spread the SOC 2 requirements rapidly.
The cause of transmission
Transmission of each strain occurs when forming or continuing a business relationship with a third party that requires that strain of compliance. Unlike COVID-19, that transmissibility doesn't end after a period of time; it continues indefinitely. Each enterprise passes it on to the third-party providers that want to work with them. Some enterprises now impose multiple strains. It's common to see requirements for both SOC 2 and ISO 27001, as well as more niche, sector-specific, and regional strains like HIPAA and GDPR.
Transmission continues down the chain as other third parties and partners are engaged. By extension, those third parties need to meet the same compliance standards. In the past two years, transmission has become so prolific that businesses are faced with two choices:
The symptoms of compliance
The early signs of a compliance infection are due diligence questionnaires. That is, following interaction with a third-party enterprise, you are asked to complete a lengthy list of questions attesting to the current state of the business practices that support their security, reliability, and other objectives. They will sometimes start by asking whether you've contracted one or more strains of compliance previously. If you have already achieved SOC 2, ISO 27001, HIPAA, or other compliance standards, these can be used to reduce the extent of their requirements or even provide full immunity. Further into an infection come the costs, the time drain, the headaches, and the feelings of doom and gloom. For businesses that aren't prepared, the fees for compliance audits can be crippling, usually in the five-figure range. And that's the tip of the iceberg compared to the internal time cost, as compliance often requires a high level of input from senior personnel (most commonly the CTO or COO). Overall, it's common for each compliance standard to take months.
Protecting your business from the compliance pandemic
If you're concerned for your business, get in touch. AssuranceLab has developed a world-first, world-leading, multi-standard approach to compliance that future-proofs your immunity to all strains. Our software removes the rampant duplication that exists in compliance work, where each standard is commonly managed as a separate project with a separate provider. By consolidating your compliance audits with a single partner, you can transact with new third parties carefree and reduce the business disruption each time a new compliance standard is required.
Contact us to discuss your business plans and how to protect your company from the compliance pandemic.