[Column] Richard Shaw: Cost of non-compliance is hefty
One of the biggest challenges for businesses today is keeping up to date with constantly changing regulations, largely because of the dynamic nature of the compliance landscape. This is according to Argantic director Richard Shaw.
While compliance with regulations like the Protection of Personal Information Act of 2013 (POPIA) and the General Data Protection Regulation (GDPR) comes with a hefty price tag, the alternative is far more costly.
According to a study by the Ponemon Institute and Globalscape, being compliant costs less than business disruptions, loss of revenue and hefty fines. The cost of non-compliance is more than twice that of compliance.
In fact, this report finds that the cost of non-compliance is nearly three times higher than the cost of compliance. Organisations that delay compliance efforts are taking an ill-advised risk which could ultimately yield a pricier penalty.
Many companies rely on periodic assessments, like annual audits. However, these periodic assessments create a digital blind spot: they quickly become outdated and could expose the company to potential risks until the next assessment is done.
Business leaders should find ways to improve integration and create near real-time assessments to control risks caused by digital assets. They normally know the technology solutions but find regulations difficult to understand.
In contrast, compliance and legal teams are normally familiar with the regulations but struggle to understand the technology that could help them comply. Many of these teams still try to track compliance manually using general-purpose tools like Microsoft Excel.
There are many complexities in managing compliance activities and this often hinders adoption. The biggest challenge is understanding how to integrate various solutions and to configure each one to minimise compliance risks. This becomes exceptionally difficult when solutions are sourced from various vendors and especially when they have overlapping functionality.
Businesses are generating and consuming much more data than ever before and their digital transformation journeys are geared to help them gain an edge over their competitors. This data enables them to stay relevant by empowering their employees, engaging customers and optimising operations. However, managing this data on various devices can be extremely complicated, especially when it comes to ensuring compliance.
Not only is the amount of data growing exponentially, but the legislation and regulations on how to manage that data are also becoming more complex. Collecting customer information is an integral part of how businesses function, but it remains a challenge to maintain and protect this personal data.
Non-compliance could result in significant fines and it could also have a significant impact on a company’s brand, reputation and revenue.
Business leaders need simple tools that will help them manage compliance. Microsoft Compliance Manager is the end-to-end compliance management solution included in the Microsoft 365 compliance centre. It empowers companies to simplify compliance, reduce risk and meet global, industry and regional compliance regulations and standards.
The solution translates complicated regulations, standards, company policies, and other desired control frameworks into simple language, maps regulatory controls and recommended improvement actions, and provides step-by-step guidance on how to implement those actions to meet regulatory requirements.
It helps customers prioritise work by associating a score with each action, which accrues to an overall compliance score. Compliance Manager provides pre-built assessments for common industry and regional standards and regulations, and custom assessments to meet a company's unique compliance needs. Assessments are also available depending on the licensing agreement.
It also offers workflow functionality to help one efficiently complete risk assessments. Compliance Manager provides detailed guidance on actions one can take to improve the level of compliance with the standards and regulations most relevant for one's industry.
A risk-based compliance score also helps business leaders understand their compliance posture by measuring their progress in completing improvement actions.
Businesses that run their workloads on-premises are entirely responsible for implementing the controls necessary to comply with standards and regulations. With cloud-based services, such as Microsoft 365, that responsibility becomes shared with the cloud provider, who is ultimately responsible for the security and compliance of their data.
Microsoft manages controls relating to physical infrastructure, security, and networking with a Software-as-a-Service (SaaS) offering like Microsoft 365. Businesses no longer need to spend resources building datacentres or setting up network controls.
With this model, businesses manage the risk for data classification and accountability, and risk management is shared in certain areas such as identity and access management. More importantly, because responsibility is shared, transitioning one's IT infrastructure from on-premises to a cloud-based service like Microsoft 365 significantly reduces the burden of complying with regulations.
Compliance Manager helps business leaders prioritise which actions to focus on to improve their overall compliance posture by calculating their compliance score. The extent to which an improvement action impacts one's compliance score depends on the relative risk it represents.
A compliance score measures the progress towards completing recommended actions that help reduce risks around data protection and regulatory standards. The initial score is based on the Data Protection Baseline, which includes controls common to many industry regulations and standards.
While the Data Protection Baseline is a good starting point for assessing one's compliance posture, a compliance score becomes more valuable once assessments relevant to the specific requirements of the company are added.
Filters can also be used to view the portion of one's compliance score that relates to one or more solutions, assessments or regulations.