Consolidating multiple compliance frameworks into a single work stream can save your organization time and money. Here’s how to get started.

As a family man and business owner, I have been living through the COVID-19 pandemic in a bit of disbelief over the last few weeks.

In January, I would have never predicted a hard stop in the economy come March. Yet, here I am homeschooling my daughter and having a lot of tough conversations with companies about how to balance budgets and meet obligations to maintain security/compliance programs.  

The good news is that there’s a strategy for them to save a lot of money while enhancing their security and compliance program: the consolidated compliance program

In this blog post, we will discuss strategies to consolidate compliance work streams into a unified compliance program and how a consolidated strategy can boost efficiency and reduce expenses by up to 50%.

Most Security and Compliance Frameworks Overlap Heavily

The core idea behind a consolidated compliance program is that most security-related compliance frameworks share significant overlap and do not need to be managed or audited in silos.

For organizations that must comply with multiple security and compliance frameworks, there are significant opportunities to consolidate compliance efforts and reduce the overall burden on the organization.

From my experience, the overlap between the various framework requirements is typically in the range of 30-50%.

What this means for your organization is that with the appropriate strategy, a single auditor or compliance partner can effectively consolidate your firm’s audit activity into a single work stream.

Imagine one audit for four frameworks, rather than four separate audits for the four major frameworks.

Below is a simple example demonstrating the impact of implementing consolidated compliance versus managing each compliance requirement as a distinct project. Managing each framework separately means generating 16 audit artifacts across four separate audit work streams (probably with four separate teams).

With a consolidated approach, this effort is reduced by 75%. 

Magnified across the hundreds of requirements across each framework, this results in a significant opportunity for your organization to save and be more efficient.

Benefits of Consolidated Compliance Strategies

The benefits of a consolidated compliance framework extend far beyond the dollars you will save from reduced audit fees. Perhaps the greatest advantage is the reduced burden on your team.

First, the individuals responsible for managing your compliance program can focus on a single work stream rather than multiple, disparate work streams. This frees your team up to focus on value-add assignments and operational improvements rather than chasing down endless audit requests.

Second, a single compliance work stream cuts down the audit burden on the teams responsible for mission-critical operations within your organization. Imagine a world where developers can focus on building a great product instead of gathering audit evidence!

With a consolidated compliance strategy, you can save money and free up your team to focus on the activities that add value to your organization.

In times like the present, this is more important than ever.

How to Implement a Consolidated Compliance Strategy

I won’t pretend that implementing a consolidated compliance strategy is easy. It takes careful planning, collaboration across multiple teams, and expertise in multiple frameworks.

However, difficult does not mean impossible. Here are three steps to help you accomplish your mission:

1. Identify Your Security-Related Compliance Requirements

First, identify the security-related compliance frameworks your organization is beholden to. This will be your shortlist of frameworks to streamline. Some of the most common frameworks include SOC 2, PCI DSS, ISO 27001, HIPAA, and HITRUST.

If your organization has multiple business units, applications, and stakeholders owning different compliance requirement areas, this exercise can be more complex.

If that is the situation for your organization, consider leveraging a table like this to take inventory:

2. Choose a Partner Familiar with Consolidated Compliance

The right partner should be able to take work off your plate and simplify the process of implementing a unified compliance program.

Once you have an inventory of the various frameworks that your organization is responsible for, consider identifying a partner that can help you implement a consolidated compliance strategy.

You will want a firm that has these traits at a minimum:

  1. Expertise in the frameworks important to your firm.
  2. Ability to execute unified engagements with a single engagement team across all frameworks.
  3. Demonstrable expertise in implementing consolidated compliance programs (preferably with verifiable examples of successful implementation).

Note: See our blog post about the insider’s perspective on choosing great consulting firm partners.

3. Leverage Compliance Technology (GRC Platforms)

Many organizations manage complex compliance programs in a web of Excel spreadsheets and file folders. Consider if your firm would benefit from a GRC platform to help manage multiple compliance frameworks.

A GRC platform can help automate the mapping process between multiple frameworks to help your compliance team manage them easily. GRC tools can be expensive and difficult to implement, but the return on investment is worth the work to implement them well.

At risk3sixty, we leverage our platform Phalanx GRC to manage these types of engagements.

We provide Phalanx and help implement it alongside our audits for free for all of our audit clients. 


Getting Started

If your organization is being impacted by the current market conditions and would like to save money and gain efficiency, all while improving the security and compliance posture of your organization, you can make that happen this year.

If you have questions about this strategy, you can always reach out to our team of experts. We’ll be standing by, ready to help.

Christian Hyatt, Managing Director and Co-Founder | Email: Christian.Hyatt@risk3sixty.com