Complying with new regulatory requirements is often a company’s greatest challenge. Here are three ways to make it easier.
Updating and managing regulatory and compliance requirements is no easy feat. Part of the difficulty lies in interpreting a new regulation and translating it into concrete compliance measures.
For example, when I worked in banking we would receive new regulations, and invariably had to hire a financial compliance attorney to assist us in understanding exactly what the regulation required and how we could translate compliance into an IT solution.
The other complicating factor was the time it took to identify and change the affected code in software already running in production, not to mention the effort required to revise business processes and retrain employees.
In those days, as now, most software code changes were made manually. We also reviewed our applications and software manually so that we could understand which sections of code needed to be changed.
The risks of this approach included overlooking an application that needed to be changed, which made the compliance update inconsistent from one application to another.
“Companies still struggle with configuring software and systems so that everyone remains in compliance when a compliance change occurs,” said Julian Waits, general manager of the cybersecurity business unit at Devo Technology, which provides AI/automation solutions for corporate compliance. “Being able to establish a framework that stabilizes the configuration process as new requirements emerge is the key.”
How is this done? Below are three ways to make compliance easier.
Establishing a compliance framework
1. Meet with business units across the company
When meeting with business units across the company, make sure to include your legal and regulatory compliance groups. The purpose of these meetings is to produce an internal business requirements document that itemizes the compliance obligations that matter to your company and that IT must track.
“Most organizations already know what they need,” said Waits. “It might be that they never formally documented their critical compliance needs.”
2. Implement a framework
Once compliance needs are understood, you can adopt a compliance framework that makes implementing changes easier.
For example, a healthcare company must satisfy HIPAA, and the HIPAA Security Rule's administrative, physical and technical safeguards define what its controls must cover. In financial services, a federal credit union answers to NCUA regulations. A scientific or technology firm, particularly one that works with federal agencies, may need to conform to NIST standards such as SP 800-53 or the NIST Cybersecurity Framework; NIST publishes standards and guidelines rather than regulations, but laws such as FISMA and contract terms can make them binding. In each case, the company must identify both the governing regulation and the control framework it will use to demonstrate compliance with it.
3. Map your applications
The next step is mapping your applications and systems to the controls of that framework, so that a regulatory change can be traced directly to the systems it touches.
“The goal is to provide a way for organizations to map the compliance framework that governs them to their applications and systems,” said Waits.
With the mapping in place, tooling can automate much of the manual work formerly required to identify the applications and systems affected by a new regulatory change. It can also provide an impact analysis that tells IT precisely which applications and systems a given change affects, including systems that depend on an affected one. The mapping is only as good as its coverage, so it should also flag assets that have no controls mapped to them, since those are the ones most likely to be overlooked.
Compliance mapping automation makes the jobs of the CIO, applications manager, the DBA, and the compliance officer easier.
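To make the mapping concrete, here is a small added example of the kind of requirement-to-control-to-asset model that impact analysis runs over. It is illustrative code written for this article, not code from the article's author or from Devo Technology. Every framework requirement identifier, control identifier and asset name in it is constructed for illustration and does not correspond to a real HIPAA or NCUA clause. Beyond a simple lookup, it walks the asset dependency graph so that systems downstream of an affected one are reported too, and it reports the two coverage gaps a practitioner most wants to see: assets with no mapped controls, and controls that no asset implements.

```python
"""Compliance mapping with impact analysis (added example, constructed data).

Model: a framework requirement is satisfied by one or more internal controls;
each asset declares the controls it implements and the assets it depends on.
All identifiers below are made up for illustration.
"""
from collections import deque

# Framework requirement -> internal controls that satisfy it (constructed IDs).
REQUIREMENT_TO_CONTROLS = {
    "HIPAA-ENCRYPT-AT-REST": {"CTL-ENC-01"},
    "HIPAA-ACCESS-LOGGING": {"CTL-LOG-01", "CTL-IAM-02"},
    "NCUA-DATA-RETENTION": {"CTL-RET-01"},
    "NCUA-VENDOR-REVIEW": {"CTL-VND-01"},  # no asset implements this yet
}

# Asset inventory: implemented controls plus upstream dependencies (constructed).
ASSETS = {
    "patient-portal": {"controls": {"CTL-ENC-01", "CTL-IAM-02"}, "depends_on": {"records-db"}},
    "records-db": {"controls": {"CTL-ENC-01", "CTL-LOG-01"}, "depends_on": set()},
    "billing-api": {"controls": {"CTL-RET-01"}, "depends_on": {"records-db"}},
    "legacy-report-job": {"controls": set(), "depends_on": {"records-db"}},  # never mapped
}


def _dependents_index():
    """Reverse the dependency edges: asset -> assets that depend on it."""
    index = {name: set() for name in ASSETS}
    for name, info in ASSETS.items():
        for upstream in info["depends_on"]:
            index.setdefault(upstream, set()).add(name)
    return index


def directly_affected(requirement):
    """Assets that implement at least one control satisfying `requirement`."""
    controls = REQUIREMENT_TO_CONTROLS.get(requirement, set())
    return {name for name, info in ASSETS.items() if info["controls"] & controls}


def impact_analysis(requirement):
    """Return {asset: reason} for every asset a change to `requirement` touches.

    Directly affected assets are found through the control mapping; the
    dependency graph is then walked breadth-first so downstream consumers of
    an affected asset are included as well.
    """
    dependents = _dependents_index()
    direct = directly_affected(requirement)
    impacted = {name: "implements control" for name in direct}
    queue = deque(direct)
    while queue:
        current = queue.popleft()
        for downstream in dependents.get(current, ()):
            if downstream not in impacted:
                impacted[downstream] = f"depends on {current}"
                queue.append(downstream)
    return impacted


def unmapped_assets():
    """Assets with no controls mapped: the ones a manual review tends to miss."""
    return sorted(name for name, info in ASSETS.items() if not info["controls"])


def unimplemented_controls():
    """Controls a requirement relies on that no asset claims to implement."""
    required = set().union(*REQUIREMENT_TO_CONTROLS.values())
    implemented = set().union(*(info["controls"] for info in ASSETS.values()))
    return sorted(required - implemented)


if __name__ == "__main__":
    for asset, reason in sorted(impact_analysis("HIPAA-ACCESS-LOGGING").items()):
        print(f"{asset:20s} {reason}")
    print("unmapped assets:", unmapped_assets())
    print("unimplemented controls:", unimplemented_controls())
```

In practice the two dictionaries would be loaded from a configuration-management database or asset inventory rather than hard-coded, and the two gap reports are worth running on every inventory change, not only when a regulation changes: an asset that appears in `unmapped_assets()` is exactly the overlooked application the manual process used to miss.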
Does it eliminate all of the pain and the work in effecting compliance changes?
Of course not.
However, the ability to use artificial intelligence (AI) and mapping automation to identify compliance change points in systems and applications can provide much-needed economy of effort in software change management and maintenance.