The 5 First principles of Compliance Automation

Compliance is rarely voluntary: usually businesses need it to get a license, certification, investment, or contract. And it is often a very painful process: auditors and regulators simply cannot understand your business half as well as you do. The path of least resistance: answer all the questions and get it over with as soon as possible. After all, more time is spent on the quality of the evidence than on the actual controls themselves. Sounds like fun! (not).

Compliance is best left to people that enjoy collecting screenshots and telling people what to do. Right? Wrong.

Why would anyone ever want to build a career in this field? Or a tool, for that matter? It is a question we have been asked a lot. In this article we explore our personal 5 ‘first principles’ to answer this question, and how you too can solve the Compliance Problem.

Our (and your) biggest competitor is the Status Quo

What we do seems to work, so why change now?

Max, Martijn and I have always been excited about the prospects of automation to solve the Compliance problem. This was based on the pains each of us felt in our previous businesses. And so we foolishly skipped the part where you question which problem exactly you are solving, and went straight into product design. We were convinced that we could make a better product than anything out in the market.

But through validating our product we discovered that the competing platforms were not our biggest enemy: The Status Quo is: “As long as I can get away with MS Excel, why bother looking further?”.

Compliance is a broken process

The first belief we had to articulate is that Compliance is a broken process. We believe that people do not enjoy collecting evidence in screenshots and Excel sheets. We saw that compliance managers and auditors were rarely happy with the quality and consistency of results. We saw the pain our clients were having:

  • Having to beg for (additional) evidence, or not being ready in time for audits
  • Endlessly having to explain to auditors how (the same) things work
  • Having to dig into things that happened 6 months ago but were not properly documented

Or worse even:

  • Delays in contracting with suppliers, or getting additional funding from investors
  • Inability to win bigger deals, or delays in customer contracting

Is it possible to do better than Excel?

With compliance and trust becoming ever more important, this needs to change. Somehow the world evolved but compliance stayed behind.

10X better is easier to realise than 10% better

Google already noted that businesses tend to fix processes through incremental improvements. “We should document our processes properly this time.”, or “Next year we should ALL use the same place for storing evidence.”, or “let’s start preparing the process earlier this year”. These actions will help, don’t get me wrong, but ultimately they won’t fix the core issue: that you’re using too many actors to get the job done.

A lot more evidence should come from systems, not people.

The source of control is in your systems, your applications, your cloud. Why not use this as your foundation, and try to eliminate as much noise as possible?

Only solutions that scale will survive

Compliance is a process that requires many stakeholders to “donate” a bit of their time. If everyone can determine their own method, process, and timing of delivering evidence, you will have chaos in no time. There is no room for catering to everyone’s wishes. Or is there?

Scale comes from breaking a problem down into many reusable parts

If we can break a compliance process down into small parts, and then reuse these parts across businesses, then the cost of compliance goes down for everyone. We are all using the same cloud providers and productivity applications anyway; we just need to add the integration part for each of them. Scalable technology for a better compliance experience.
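The two ideas above, evidence read from systems rather than collected from people, and a compliance process broken into small reusable parts, can be shown in a few dozen lines. The script below is an added example written for this article; it is not code from the original post or from any product. Each control is a small, parameterised check function that runs against a snapshot of system state (the identity and storage exports here are constructed sample data standing in for an API integration), and every result is stored with a timestamp and a SHA-256 over the snapshot, so the evidence record is tamper-evident rather than a screenshot. The control ids (IAM-01, IAM-02, STO-01) and the 90-day dormancy threshold are assumptions for the example.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List, Optional

# Constructed sample export; in practice an integration would pull this from
# the identity provider and storage APIs, and nobody would type it in.
SAMPLE_STATE: Dict[str, Any] = {
    "iam_users": [
        {"name": "alice", "mfa_enabled": True, "last_login_days": 3},
        {"name": "bob", "mfa_enabled": False, "last_login_days": 12},
        {"name": "svc-backup", "mfa_enabled": True, "last_login_days": 45},
    ],
    "storage_buckets": [
        {"name": "prod-data", "encryption": "aes256", "public": False},
        {"name": "marketing-assets", "encryption": None, "public": True},
    ],
}


@dataclass
class Control:
    control_id: str
    description: str
    source: str  # the system the evidence is read from
    check: Callable[[Dict[str, Any]], List[str]]  # returns the failing items


@dataclass
class Evidence:
    control_id: str
    source: str
    collected_at: str
    passed: bool
    findings: List[str]
    evidence_hash: str  # SHA-256 over snapshot and result, so the record is tamper-evident


# Reusable checks: small, parameterised, and identical across every business using them.
def users_without_mfa(state: Dict[str, Any]) -> List[str]:
    return [u["name"] for u in state["iam_users"] if not u["mfa_enabled"]]


def dormant_accounts(max_days: int) -> Callable[[Dict[str, Any]], List[str]]:
    def check(state: Dict[str, Any]) -> List[str]:
        return [u["name"] for u in state["iam_users"] if u["last_login_days"] > max_days]
    return check


def unencrypted_or_public_buckets(state: Dict[str, Any]) -> List[str]:
    return [b["name"] for b in state["storage_buckets"]
            if b["encryption"] is None or b["public"]]


# Hypothetical control ids; map them onto whichever framework the audit uses.
CONTROLS: List[Control] = [
    Control("IAM-01", "Every user has MFA enabled", "identity", users_without_mfa),
    Control("IAM-02", "No account dormant for more than 90 days", "identity", dormant_accounts(90)),
    Control("STO-01", "All buckets are encrypted and private", "storage", unencrypted_or_public_buckets),
]


def collect_evidence(state: Dict[str, Any], controls: List[Control] = CONTROLS,
                     collected_at: Optional[str] = None) -> List[Evidence]:
    """Evaluate every control against one system snapshot and return evidence records."""
    collected_at = collected_at or datetime.now(timezone.utc).isoformat()
    records: List[Evidence] = []
    for control in controls:
        findings = control.check(state)
        # Canonical JSON (sorted keys, no whitespace) makes the hash reproducible.
        payload = json.dumps(
            {"control_id": control.control_id, "collected_at": collected_at,
             "findings": findings, "snapshot": state},
            sort_keys=True, separators=(",", ":"),
        )
        digest = hashlib.sha256(payload.encode("utf-8")).hexdigest()
        records.append(Evidence(control.control_id, control.source, collected_at,
                                not findings, findings, digest))
    return records


def summarise(records: List[Evidence]) -> Dict[str, bool]:
    """Control id -> pass/fail: the view an auditor or dashboard consumes."""
    return {r.control_id: r.passed for r in records}


if __name__ == "__main__":
    for record in collect_evidence(SAMPLE_STATE):
        status = "PASS" if record.passed else "FAIL"
        print(f"{record.control_id} [{record.source}] {status} "
              f"{record.findings} sha256={record.evidence_hash[:12]}")
```

Run as-is it reports IAM-01 failing on `bob`, IAM-02 passing, and STO-01 failing on `marketing-assets`. The point is the shape: the checks are the reusable parts, the snapshot is the single source of truth, and the hash plus timestamp replace the "please send me a screenshot" round trip. Re-running the same snapshot with the same timestamp reproduces the same hashes, which is what lets an auditor verify that a stored evidence record matches the state it claims to describe.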

Not everything can – or should – be automated

Human judgment is a beautiful thing. Experts are much better at understanding context than technology, and have access to more data and risk factors than technology can access or come up with. Success is when humans and technology work together seamlessly, enhancing each other. This also goes for compliance.

Technology alone won’t get 10x results

Not all controls can be fully automated. And that’s why our fifth ‘first principle’ is that of making technology that works for humans. It is why we started by creating a very simple and user-friendly governance, risk and compliance module (GRC lite) that aims to assist the expert in doing their job as efficiently as possible. The principle is still the same: reduce compliance friction by eliminating unnecessary manual and repetitive maintenance tasks.

This concludes our 5 first principles for putting the first line back into the driver’s seat and bringing the compliance function to the next level.