Compliance Journal

Effective Change Management Is the Key to Constant Compliance

OVERLAND PARK, KS--(Marketwired - May 11, 2015) - Regulatory compliance is tough because it changes all the time. From high-profile security breaches changing the way organizations think about policy to legal challenges to the interpretation of regulatory legislation, it's difficult to keep up.

Take the change from PCI DSS 2.0 to 3.0 for example. The PCI Security Standards Council has released a change highlights guide on how to move from the now five-year-old PCI DSS 2.0 to the newest version, which is now in effect for all merchants and service providers that store, process or transmit cardholder data. While the council has done its best to make the transition look easy, it is an organizational nightmare from a compliance officer's viewpoint.

Even at the small-to-medium business level, complying with PCI DSS 3.0 requires changes to corporate compliance documentation, internal control language, audit requirements, employee awareness surveys and even the employee handbook. Keep in mind, too, that compliance professionals are responsible for all industry regulations across all business units within their organization. With SOX, FCPA, FFIEC and possibly HIPAA requirements to keep current on top of day-to-day tasks, it is no surprise that constant compliance falls by the wayside.

An organization's results in compliance may have more to do with its attitude toward the process in general. As Verizon's professional services division found out, compliance ceased to be a concern for many of its customers as soon as they finished their project. "Most customers still see compliance as a project for two or three months," said Rodolphe Simonetti, Director of Compliance and Governance Professional Services for Verizon. Simonetti found that the disconnect lay in maintaining compliance after a professional engagement concluded.

For these reasons, it is extremely useful to have a tight grasp on the change management processes within your organization before trying to automate them. As Lisa Erickson-Harris of Network World points out, four areas of change management determine a program's effectiveness: request management, change approval, access and emergency changes. The idea is that by delegating responsibilities, restricting approval authority to the fewest relevant people and staying abreast of changes in policy, compliance teams can lay the framework for a lean and effective automated system for dealing with regulatory changes.

Staying vigilant about compliance instead of going through the motions is what makes it a year-round exercise rather than a box to check when something goes wrong. Automated change management notification systems, such as LockPath's Keylight platform, can go a long way toward preventive compliance, but only if an effective process has been worked out on the human side first.

About LockPath
LockPath is a market leader in corporate governance, risk management, regulatory compliance (GRC) and information security (InfoSec) software. The company's flexible, scalable and fully integrated suite of applications is used by organizations to automate business processes, reduce enterprise risk and demonstrate regulatory compliance to achieve audit-ready status. LockPath serves a client base of global organizations ranging from small and midsize companies to Fortune 10 enterprises in more than 15 industries. The company is headquartered in Overland Park, Kansas.
