I talked about the discovery of Blue Zones in my previous post (link), which are places in the world where people tend to live longer, not because longevity is something they set out to achieve. They live longer because their lives are happier and filled with purpose.
Longer life is a result of the Blue Zone environment, which includes community….
We already described compliance as the result (outcome) of a series of activities that meet defined requirements. So why does compliance seem so difficult to attain?
We create compliance programs and invest tens of thousands of dollars to push people to document processes, standard operating procedures (SOPs), and responsibility matrices.
We then tell our teams to perform the work according to everything they’ve documented, or else bad things will happen when the auditor comes.
And then, the audit. That dreadful time where everyone is suddenly unavailable for a meeting, so busy getting critical work done. Anything not to have to talk to the auditor.
Sound familiar?
For those of you working on compliance programs, or responsible for some of the controls, did you know that for the most part, they’re not set in stone?
While some frameworks, like PCI DSS, have evolved into providing prescriptive implementation guidelines, many are high-level descriptions of recommended objectives. These objectives should be adapted to your organization’s realities.
For example, SOC 2 recommends yearly employee assessments. If this control is included in the scope of the audit, they will ask you for proof that assessments are completed, feedback is provided, and training plans are developed as needed.
What if you don’t do yearly reviews? What if you don’t like them, don’t believe they work, and prefer another method?
Perfect! Change the control!
Have the auditor change the control. How?
Explain to them how you provide feedback to your staff.
How you help them develop their skills.
How they learn.
How they grow within the company.
The auditor’s objective is to see proof that you have an effective process to evaluate and support employees. That’s all.
You decide what works, or not.
However, once you decide, write it down, and keep nudging people to do what needs to be done. If nudging doesn’t work, re-evaluate the process, SOP, or checklist. Adapt when possible.
Compliance is easier when it’s built into what you do every day.
Keep your team focused on goals