To Rationalize & Harmonize Controls Requires Correlation

Unified Compliance Framework® (UCF) has done a lot to rationalize the growing number of compliance and industry controls, avoiding a duplication of controls. The Common Controls Hub simplifies the need to locate, research, interpret, and reconcile new and evolving mandates by giving compliance professionals the ability to centrally scope, define, and maintain regulatory demands online. Companies can now automatically compile custom, harmonized control lists in minutes by vertical industries, market segments and geographies.

The UCF maps and identifies harmonized controls across authority documents, across industries including PCI for retailers, SOX for accounting practices, HIPAA for healthcare, NIST for the government, and NERC for energy/utility companies. The UCF harmonization process alone typically results in a 65 percent reduction in the controls an organization needs to implement, generating massive compliance cost savings. With the addition of the online portal, companies can further drive down costs and refocus resources on more meaningful compliance tasks.

Change management is the real issue

The reality is you don’t always have a choice. If your business accepts credit cards in any significant volume then PCI compliance becomes a business requirement. Want to set yourself apart in Europe? ISO-27001 certification may be in your future. Building a new power plant? Welcome to the electric world of NERC enforcement. And so it goes throughout every industry and geo.

In today’s world of multiple operational requirements and rapid change, finding efficiency is paramount. When you already have your hands full with meeting the requirements you can’t afford to struggle with the mechanics of managing them on top of it. Making the “ask once answer many” dream come true is more important now than ever before.
The past few years brought an interesting turn of events in the revision timing for many of these prevailing resources. Most major IT-related standards are published by totally separate entities and consortiums, each according to their own schedule. Since the development of those standards is often collaborative and even political, delays often occur. This can cause official releases to slip by a year or longer, which is exactly what happened for a few of them.

The result was a rare perfect storm of circumstances that dropped new versions of COBIT, PCI, ISO 27001, NIST 800-53, and the ISF’s Standard of Good Practice on the collective market all within about 18 months of each other, plus a major revision to HIPAA and ongoing NERC changes to boot! This was unprecedented and if you have to maintain compliance with more than one of those, chances were you were scrambling. Furthermore, with the ink barely dry on DSS 3.0, PCI unexpectedly released DSS 3.1 out of cycle in response to SSL security protocol vulnerabilities that were discovered after DSS 3.0 had shipped.

This is where modern tools like GRC platforms can play a big role in wrangling complex risk and compliance processes. Embedded content libraries full of authoritative IT standards and other supplemental content make it easier to connect the dots and adapt to changes in their compliance obligation landscapes. Specialized solution functionality further enables organizations to comprehensively address IT risk and control activities in a sustainable, reportable way. As the organization matures its program, activities previously considered one-off sunk costs can actually become reusable efforts that combine into an aggregated portfolio view of overall risk and compliance.

What if an organization could demonstrate compliance with a new requirement without expending any additional cycles? With the ability to trend risk and compliance performance metrics over time, metrics like inherent and residual risk and quantifiable costs of controls are easily updated with accurate, real-time statistics. When combined with business and asset contexts, that type of operational data can be a very powerful input into strategic decision making, especially when it comes to deciding how and when to take calculated risks to grow the business.

Risk and compliance operations are no longer relegated to the background as annoying burrs in the executive saddle. Instead, organizations have begun to see tremendous opportunity in streamlining and repurposing these activities to provide valuable internal decision insight, cost savings, and even a potential source of competitive advantage. Click here to learn more about risk and compliance solutions.