These are the seven components of the United States Sentencing Commission guidelines for an effective program:
1. Policies and Procedures
2. High-level Oversight
3. Proper Delegation
4. Communication Channels
5. Monitoring and Reporting
6. Uniform Enforcement
7. Prevention
See USSC for more details on their web site. Buyers beware. At 1SecureAudit, we are approached by dozens of software and solutions companies each month. They want us to resell their products to our clients who they assume have a problem that their product will solve.
With literally thousands of product vendors to choose from, any client has a tremendous burden to find the right solution for their particular requirements. Cutting throughout the noise and finding the ideal combination of products and services is the ultimate challenge.
If there is one thing we have learned in our twenty + years in this business, it is this. You must diagnose before you prescribe. Taking this trite yet accurate approach has saved our clients millions of dollars in wasted software licensing and internal resources. While the seven steps in the USSC compliance program may grant a company more lenient sentencing in the case of loss, it will not take into account the behavioral mechanisms of management.
All said and done, the civility of the organization is going to be based upon the right training, processes and intellect of the people running it. No software program will ever get humans to comply with policy and rules.
Compliance is a cultural issue that can be supported by software tools to assist in monitoring and what becomes essentially a knowledge management exercise. However, what is most important is a framework and management system by which the organization operates its functional lines of business. Without an enterprise architecture in place to accommodate the rapid changes going on in the organization, you raise the risk of failure and new potential losses.
An effective enterprise architecture will allow the organization to adapt to changes and foresee the downstream impact of those adaptations more rapidly. This provides management with the opportunity and insight to dissect the root causes of the change and determine the level of risk associated with the change and the adaptations to the change itself.
Most organizations already have a compliance program in place. They have a human resources and legal department with ethics watchdogs in place. They have a physical security and cyber security unit that is protecting the perimeter. They all have their respective information systems to help them do their jobs more efficiently. Yet the losses continue. As the transparency of the organization increases and the speed that mistakes and failed processes are discovered increases, the faster the losses will come. This is because the organization will not allow itself to adapt rapidly enough to the changes being made in all the impacted departments and units within the enterprise.
Some of the best organizations have utilized business process management and enterprise architecture to facilitate a more adaptable and resilient enterprise. Those organizations will survive the next wave of business change on our door step.