Having worked with business processes of almost every kind over the last decade, it is not surprising to me that compliance processes often miss the mark. While intentions are good, process characteristics often creep in that actually get in the way of achieving the end goal of compliance. The problem is the approach. Effective processes start with clear objectives, or better, clearly defined outcomes. These are the success criteria of the process, and once they are understood they shape every aspect and decision behind crafting compliance processes.
The first and most important observation is that compliance is really a by-product of good compliance processes, not a key design criterion. Design criteria need to focus on the nature of the work itself. Here are some of the top candidates.
Design Processes to Solve the Underlying Reasons for Compliance
Every compliance requirement has an underlying purpose – a reason for its existence. The entire purpose of compliance regulation is to promote (or require) proper work practices that by their design address specific compliance concerns. For example, maintaining a list of all active ports on cyber assets, along with a justification for why each port is needed, meets an auditable NERC CIP requirement. However, the reason behind this requirement is that ports are how each cyber asset communicates with other cyber assets. Therefore, each open port is a potential avenue of exploitation – a way to gain access to and potentially compromise the cyber asset.
We can satisfy compliance measures with an updated list of ports by asset. We can also have a compliance process that reminds us to gather this data, review it, and approve it. However, if we design our process to manage the business challenge of effectively managing ports as part of how we perform work, the management of ports becomes the leading activity and the ports list is nothing more than a by-product of the work we do.
Design Processes to Simplify Work and Guide Effective Practices
When compliance processes are designed to simplify how people work, the organization immediately benefits from a reduction in the amount of time that must be spent on compliance activities. Build structure and guidance into these processes that helps people do the right things the first time, and the practice starts becoming highly effective.
For ports, this could mean the compliance process would be able to manage ports for groups of related assets as a higher-level object, and to relate security controls testing from the test environment to a related group of production assets.
Empower Processes with Contextual Relevancy
Contextual relevancy is a fancy way to say that each compliance process operates within an environment that has certain characteristics, properties and behaviors. Those need to be taken into account with the process design.
In the ports example, the ideal scenario is that every port that is actively listening is there because we want it to be. They are purposeful. When active ports change, the compliance process should uncover and expose those changes to facilitate human review and resolution. This is particularly important because in many modern asset designs the specific set of active ports can change dynamically.
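As an added example (not code from the original post), the check described above can be a reconciliation of an approved-ports baseline against the ports observed listening on each asset: anything listening without a justification, and any justification whose port has stopped listening, is surfaced for human review, while the auditable ports list falls out as a by-product. The asset names, ports and justifications are constructed sample data.

```python
# Added example, not from the original post: reconcile an approved-ports baseline
# (port plus justification, NERC CIP style) against observed listening ports so
# that every deviation is surfaced for human review. All data below is constructed.
from dataclasses import dataclass, field

# Approved baseline: (asset, protocol, port) -> justification. Constructed sample.
APPROVED = {
    ("hmi-01", "tcp", 443): "Operator web interface",
    ("hmi-01", "tcp", 22): "Vendor remote maintenance (change #1234)",
    ("plc-gw-01", "tcp", 502): "Modbus/TCP to field devices",
    ("plc-gw-01", "udp", 123): "NTP time sync",
}

# Observed listeners, as would be parsed from a per-asset `ss -lntu` export. Constructed.
OBSERVED = {
    ("hmi-01", "tcp", 443),
    ("hmi-01", "tcp", 3389),   # not in baseline: needs a justification or removal
    ("plc-gw-01", "tcp", 502),
    ("plc-gw-01", "udp", 123),
}   # hmi-01 tcp/22 is no longer listening: its baseline entry is stale


@dataclass
class PortReview:
    unapproved: list = field(default_factory=list)  # listening, no justification
    stale: list = field(default_factory=list)       # justified, no longer listening
    confirmed: list = field(default_factory=list)   # listening and justified


def reconcile(approved, observed):
    """Compare baseline with observation; every bucket except 'confirmed' needs a human decision."""
    review = PortReview()
    for key in sorted(observed):
        (review.confirmed if key in approved else review.unapproved).append(key)
    review.stale = sorted(set(approved) - observed)
    return review


def evidence(approved, review):
    """The auditable ports list is a by-product: confirmed ports with their justification."""
    return [(asset, proto, port, approved[(asset, proto, port)])
            for asset, proto, port in review.confirmed]


if __name__ == "__main__":
    r = reconcile(APPROVED, OBSERVED)
    for key in r.unapproved:
        print("REVIEW  unapproved listener:", key)
    for key in r.stale:
        print("REVIEW  stale justification:", key, "->", APPROVED[key])
    for row in evidence(APPROVED, r):
        print("OK      ", row)
```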
In with the Good Habits, Out with the Bad
It is certainly better to have compliance processes that “check off the compliance boxes” than it is to have no processes at all. Sometimes we have to start where we are before we can get to where we really need to be. But until we design compliance processes with the right criteria in mind, the result will remain less effective and beneficial than desired. The benefits of good compliance design are very strong – including reduced operating cost, reduced risk exposure, reduction in threats to reliability, and an ongoing state of audit readiness. Getting compliance processes right may not be simple, but the benefits easily outweigh the investment.