Winston Churchill said (more or less): “Democracy is the worst form of government—except for all the others.”
Compliance leaders say (also, more or less): “Delegation is the worst way to get anything done—except for doing it all yourself.”
See, it’s a good day already; someone’s compared you to the man who led England through World War II. But let’s get back to business. Your company is growing fast and that’s good for everyone, but the pressure is on. There are too many controls for you to be solely hands-on responsible for. But how do you make sure that designated control owners are taking responsibility? If you wait for the next audit to find out, it may be too late.
Not surprisingly, pressuring control owners is not as helpful as some other strategies. So here are three suggestions to help you ensure that control owners get on board and keep their controls operating effectively. But first, to shake things up a bit, we’ll tell you what doesn’t work, and go from there.
1. Don’t rely on the top to set the tone - Some Compliance professionals expect that if they just get hold of someone near the top of a company — say, the CTO — and explain how important controls are, that person will go and tell their entire organization. Occasionally, that might work; some corporate cultures require permission from the top to get anything done. But many businesses wouldn’t require going through the hierarchy in this situation. In that kind of environment, you could make yourself a nuisance if you try to get the CTO to do your work for you.
Instead: Show, don’t tell - Find and build champions who will spread the word about the value of controls. If you work directly with an engineer and solve a problem by implementing a control, that engineer’s going to become your ambassador. Then you can together tell other engineers what you both did and how it worked. Instead of telling them, or getting a higher-up to order people around, you’ll be showing them why it’s a good idea. So use a control to solve a problem and let the story of your controls go viral.
2. Don’t bark at control owners - People want to keep their jobs, and following the rules thrown at them is a part of it. That said, is that honestly the best way to get control owners to be responsible – by ordering them around? (The answer? In a word, no.) They might verbally agree, but that doesn’t mean they’ll actually do what you want. People don't like to be governed, especially when they know what their job requires and they do it well.
Instead: Understand what the control owner is already doing, so you can leverage it - Instead of coming in and telling an engineer what extra work they should do, try to first understand what they’re doing currently, because perhaps they’re already doing something that can be leveraged. Say, for example, they’re already halfway there in a certain dashboard they’ve built, and you just have to add one more row to create the control you need. You wouldn't know that unless you took the time to actually understand what they’re doing. So spend time with Engineering, see what tools they’re using, how their teams are structured, what kind of sprint cycle they’re using. To get control people to own their controls, first do the hard work and know what they do.
Bonus - By focusing on controls as just another aspect of internal technical standards, control owners are empowered to take responsibility for their controls, in the same way they feel responsible for adhering to any other standard they take on. Just as they rely on other tech teams to maintain standards, they know that other teams count on them to do the same.
3. Don’t waste control owners’ time on “Compliance theater” - You might think it’s impressive – maybe even helpful – to require every control owner to go through classes every year to train them on the aspects of Compliance they need to know about. Because then (we think) we can prove to leadership that we've trained everyone on how to be responsible for their controls. But here’s what control owners are really doing: turning on that Zoom meeting… and going back to work. You may be able to show the CFO a spreadsheet that shows 100% participation in the class – but what was the true impact? Forcing control owners to watch a training won’t integrate much of it into their work, because they don’t see these controls as part of their real work. So pretending that classes will train control owners – when they are much more likely to tune out these classes – is a game of “let’s pretend.”
Instead: Make training matter - Broad, sweeping training doesn’t measure how or if participants are impacted, and is thus sub-optimal. But by spending a short amount of time with each individual, you can tailor your advice to what they specifically need to know, depending on their place in the organization. This will also give them an avenue to ask questions, thereby turning questionably-effective forced training into a collaborative environment, without spending more time in total than it takes to have all those people watch all those hours they don’t need to see.
Or try this - If there’s no way around sending all control owners for training, you can still make it more meaningful, and get the data to show it. For example, you could send 100 people to a class, but that doesn’t mean there was any impact. What if, instead, you send out a questionnaire before class to gauge the future participants’ level of commitment and accountability, and then after class, you send participants the same questionnaire? Showing an increase in scores is a measurable indication of the impact of the training. That, at least, is meaningful.
But that’s neither realistic nor necessary. The more that control owners can treat controls as part of the job they already do, the easier it will be for them to keep their controls operating effectively. And it will leave you more time to do everything else you have to do.