Compliance and the “Kevlar Receipt” 

Your organization is probably required to comply with multiple regulatory mandates—most of which entail more diligent governance of your information assets. These mandates are an alphabet soup of standards that include PCI, HIPAA, GDPR, and CISA CPG.  

To achieve compliance with these mandates, you need to implement a compliance program. That program will ensure that you have the proper information controls in place, that your employees understand their compliance-related responsibilities, and that you can document your fulfillment of your mandated requirements to external regulators and auditors. 

But here’s something else you should know. You’re not just implementing your compliance program to comply with the “letter of the law.” Your compliance program also provides you with vital protection against the potentially severe penalties regulators can impose if you do inadvertently violate some provision of one of the mandates that pertains to you. 

Because as we sometimes like to put it: “Even if you’re not 100% bulletproof, you gotta have a receipt for the Kevlar.” 


Executive Diligence vs. Executive Negligence 

What do we mean by a “receipt for the Kevlar?” 

Well, when you implement a compliance program, you’re trying your best to fulfill the requirements of your target mandates. But chances are that your motivation for doing so is two-fold: serving your customers and avoiding adverse consequences resulting from compliance failure. 

These adverse consequences can include: 

  • Financial penalties imposed by regulatory authorities 
  • Restrictions on business activity that have significant financial impact and can severely limit your growth 
  • Lawsuits brought by customers and other parties impacted by your non-compliance 
  • Damage to brand reputation resulting from public disclosure of both your failure to comply and the imposition of penalties 
  • Increased regulatory oversight that impedes the operation of your business and adds to your operating costs over the long term 

The first two consequences above can be especially problematic. Regulators routinely levy hefty fines. And many have the authority to bar businesses from offering specified types of products and services, entering specified geographic markets, or participating in specified vertical markets. 

But here’s the thing: Regulators typically have very broad discretion when it comes to levying financial penalties or imposing constraints on how you operate your business (also sometimes referred to as a “code of conduct”). If they believe that your violation occurred because of gross negligence—that is, a genuine failure on the part of your organization’s executives to implement institutional safeguards against such a violation—they can really lower the boom on you. 

If, on the other hand, they perceive that your violation was merely an accidental oversight by someone that occurred despite the fact that your executive team was fully diligent about putting a reasonably thorough compliance program in place, they are likely to go much, much easier on you. 

In other words, your compliance program may not make your organization 100% bulletproof—but it is, in effect, a “receipt for the Kevlar.” It demonstrates that you made a full good-faith effort to make your organization compliant. 

So, if and when someone somewhere in your organization does make a mistake that violates a regulatory mandate, you’ll be in a far safer position with regulators. And your due diligence regarding compliance also can be solid grounds for a legal defense against a lawsuit claiming damages based on your alleged negligence. 

Compliance Program ROI 

Why is it important to consider the tremendous differential between the consequences of a compliance failure caused by negligence versus the consequences of a compliance failure that occurs despite demonstrable due diligence? 

Because that differential makes a compliance program much, much more than just a cost and an inconvenience. Your compliance program is a sound investment that protects your organization from significant financial, legal, reputational, and regulatory risk. And it enables your business to grow and thrive free from the potential encumbrances associated with regulatory negligence. 

Compliance is also an investment in the well-being of your customers, your partners, and the communities of interest in which you operate. After all, regulations generally arise due to real issues in the real world—even if we don’t always agree with the way regulators seek to address those issues. 

So, the question isn’t whether you should implement a compliance program. It’s how you can most resource-efficiently implement the kind of compliance program that will best mitigate your risk and most effectively address the material issues targeted by regulators. 

If you can do that, it’s a big win. 

To learn more about how a virtual CSO can help you more efficiently and effectively implement a high-value compliance program, reach out to vCSO Magazine’s editors at info@vcsomagazine.com or contact any of the CSOs listed in our vCSO Directory. 
