6 Ways Compliance Teams Deal with Reduced Manpower in a Tricky Economy

Sharon Silver
April 10, 2024
Discover with anecdotes how to manage Compliance with reduced manpower

In April, I broke my foot. Just stepped wrong, and next thing I knew – boom – Excruciating. Pain. The RICE (Rest/Ice/Compression/Elevation) protocol really does help. But it can’t cure a broken fifth metatarsal, especially not a week before a big family get-together. Sure, I could have canceled due to reduced manpower, but didn’t. Instead I called in the troops – i.e., everyone in my family worked double time and ultimately, we pulled it off.

But what if you don’t have the troops you thought you’d have to help you get through?

A lot of Compliance leaders are facing this issue these days. And it’s not that this is a new issue, but more that it’s an exacerbated issue; our Compliance industry report found that lack of manpower is cited as the greatest challenge (73%) facing companies with 1000-5000 people, even in typical economic climates. Now, as the global economic situation has shifted, many companies have seen their plans for the future shift in tandem. So perhaps two months ago you were confident that you’d get, say, ten great new people. With this increased headcount, you’d do all kinds of projects. But now, you find you’re only getting half – or maybe NONE – of that headcount. And yet, you still need to keep moving forward.

So here is the question: If you were relying on higher headcount — and then the budget for those resources disappears — what do you do? How do you move forward in these uncertain economic times?

In this blog, we'll look at six ways to survive, and even thrive, with reduced manpower in your Compliance team.

Making Do with Less Manpower: The Clarity of a Good Hard Kick

Samuel Johnson once said, “When a man knows he is to be hanged in a fortnight, it concentrates his mind wonderfully.” Okay, that’s pretty grim but we all know it’s true – the perverse advantage of hard times is that they make you focus on what’s essential. 

While a reduction in personnel can be a huge challenge, it can also be the trigger to asking questions you might not have thought to ask when the headcount you needed was there. Like: Do we have to do everything we’re doing? 

It’s a problem that happens too often: Compliance personnel are told, “You need to meet all these requirements or we won’t pass the audit.” Sometimes, it turns out that’s not *quite* true and you may be okay with doing less. But how do you know what is truly required and how to manage Compliance obligations when reducing manpower?

Compliance is an area where it’s far too easy to go overboard. And that’s why more thought needs to go into how much personnel is being allocated to Compliance, and whether that number can be cut down.

How to Reduce Manpower Requirements Effectively

Here are six ways to cut down without impacting the effectiveness of your program and, though it may sound like a bad cliche by now, make do with less Compliance staff.

1: Kill Compliance Overkill 

When you trust someone to take action, you step away from the need to dive deeply into that specialization yourself. Maybe an in-house security person worked on setting up change management controls for the first time, and there wasn’t room in the budget for more expert advice, like establishing proper backout procedures for emergency changes to production. In good economic times, no one at the company may even know — or care — that resources are being expended needlessly. But when budgets and headcount are reduced, it makes sense to do some digging and see whether your Compliance program can be cut back, while remaining solid.

2: Stop Blindly Following Consultants 

When consultants aren’t focusing on what your company actually needs, control owners may end up doing unnecessary busywork, like reviewing every time someone makes a manual change to a system. By failing to ask why something has been recommended, there’s no chance to find out how much thought has gone into it or if, in reality, a more streamlined approach would be enough. Worse, if the current consultants are just repeating a recommendation that was made a few auditors ago, they may truly have no idea whether a control is needed, other than that it’s the same thing the company was told to do last year. Getting control owners to stay responsible and review what controls are actually necessary can stop the waste of resources — and that will be a bonus when headcount is back to normal.

3: Know that it’s not About Being THE BEST  

While in some areas, you want to be the very best out there, where Compliance is concerned, it’s more about hitting a mark repeatedly, persistently, over time and incrementally improving your Security Compliance maturity. And while you need to make sure you actually hit the marks you’ve set, there’s no extra credit for over-spending resources, and you can’t get an A+ on your SOC 2 or ISO 27001 audit.

4: Tailor your Efforts to What you Actually Need Now

If there is some time until your next audit, think about how to invest just enough, for the time being. Some factors to take into account:

  • Your company’s size
  • Your industry
  • The level of risk you’re taking on
  • Your team’s maturity

So if you have a control your auditors say you need in order to pass an audit, but it doesn’t have another function, that’s not something you should over-invest in at the moment. And if you’re implementing policies, remember that they don’t need to be perfect, just not overly expansive. Think about it: the more policies your company takes on, the greater the risk of failing to adhere to them. So instead of implementing a dream list of perfect policies, keep it small. When you agree to a streamlined set of policies, they’ll be easier to adhere to with reduced manpower. 

5: Use Automation to Compensate 

It’s simple. We’re talking about how to automate and reduce manpower, i.e., do what you need to do even without all the people you need. As a Compliance leader, you are in the position to think about how much more you could accomplish with the headcount you’ve got, if only specific elements of certain controls were automated. Compliance automation is not a binary concept of “automated or not automated.” Any given control has many — even dozens — of elements (user access reviews come to mind). If you determine which manual elements of a control could instead be automated — because they’re time-consuming, or rote and tedious, or some combination — you can free your team up to do what only they can do.

6: Prioritize What you Absolutely, Positively have to get Right

When reducing manpower, you’ve got to figure out your priorities. We talked about how reduced manpower makes it more important to figure out which requirements in your Compliance program are not actually necessary. 

So how can you determine what’s really important? Set up a matrix of what’s do-or-die, and what isn’t. Not every failure of controls is unsalvageable. For example, if you are supposed to give an auditor X number of samples to show you followed a policy, and an outbreak of COVID messed up that month’s samples, you may be able to show that it was a one-time thing by pulling samples from other months to illustrate that the failure was a limited-time deviation —  and, in aggregate, controls were working. But some controls don’t give you leeway. If you miss a required quarterly review of a control, your company may have to delay certification. So when you are trying to prioritize, build a matrix of which controls must not be missed and which ones are lower priority. 

Bettering a GRC Reduced Manpower Situation

When times are tough, no one likes an optimist (maybe that’s just me?). Still, there are ways to cope when you have fewer troops on your side. While it may not fix a broken toe, reducing overspending and busywork, discovering how to automate and reduce manpower and doing what’s essential to keep Compliance solid will help you and your company keep moving forward even in more challenging times.

Reach out to anecdotes, the Compliance OS leaders, to discover how to manage your Compliance obligations with reduced manpower by maximizing the benefits of automation.

Sharon Silver
Lawyer-turned-CPA-turned-Writer-turned-Compliance-enthusiast. Lover of words. Fixer of mistakes. Content Specialist at anecdotes.