A few weeks ago, a customer asked me an informal question: “What do you think about Compliance as a Service?”
This question was the starting point for this article.
Compliance as a Service (CaaS) is a framework that lets companies outsource the roles, figures and skills needed to implement and maintain compliance, so that adherence to regulatory requirements becomes easier and simpler.
Companies typically outsource figures that fall outside the boundaries of their core business. Just think of how many companies, especially in the SME sector, use external suppliers for Facility Management, the Energy Manager, the Prevention and Protection Service, and even the Legal Department. More recently, with the introduction of EU Regulation 2016/679 (EU-GDPR), the same has happened for privacy activities through the role of the Data Protection Officer.
So, why not use the same approach for compliance?
Recently, cyber security and Data Protection have seen a strong evolution of regulations and standards (see below). As a result, companies are struggling to keep pace and are increasingly asking their partners for complete and reliable offers that can help them achieve and maintain compliance.
Think, for example, about an ISO 9001 and ISO 27001 certified company:
Therefore, having external professionals who are competent, trained and available “on call” becomes a very interesting approach to managing compliance.
The market is oriented on two main strategies:
1. Coaching: larger companies prefer a coaching approach. They are accompanied by a team of experts for an initial period, acquire the competences, then train their own employees and internalize the activity.
2. Full outsourcing: smaller companies (with some exceptions) prefer to outsource compliance completely, building a relationship of deep trust with the advisor company.
Having seen the needs that push companies towards CaaS, let's analyze the benefits and the constraints of CaaS.
Let's start with the benefits:
Of course, some risks should also be considered:
EU-GDPR art. 37 describes when a company must designate a DPO. This is the person in charge of monitoring the organization's compliance with EU-GDPR as regards the protection of personal data.
Since EU-GDPR became applicable on 25 May 2018, the DPO has certainly become the most popular and widespread role in the CaaS sector.
The CISO is the C-level executive in charge of information security in a company. This person directs the establishment and implementation of policies and procedures, manages security technologies and responds to incidents, always keeping business objectives in mind.
The main goal of a CISO is to shift the view of information security from a technical problem to a strategic priority.
The approach to compliance goes through risk management.
The Risk Manager is responsible for identifying the risks across the whole organization or within a narrower scope. This person addresses any kind of risk: security, financial, safety, etc.
The Risk Manager designs and implements a risk management process (risk assessment, treatment, acceptance and communication) and defines the level of risk the company is willing to accept.
The Institute of Internal Auditors (IIA) defines internal auditing as an “independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Many ISO standards (e.g. ISO 9001, ISO 27001, ISO 22301, …) require the implementation of a Management System (MS). ISO defines an MS as “how an organization manages the interrelated parts of its business to achieve its objectives”.
An MS Manager is in charge of defining a framework to implement and manage the MS according to the relevant standards.
These figures and their roles in CaaS will be described in the next articles. If your business is considering outsourcing compliance, get in touch with our experts to book a free call.
I am the Senior Data Protection Consultant at Advantio. I have extensive experience in ICT and Telco services, where I have covered several roles and responsibilities. In the last 10 years, I have focused my attention on information security and business continuity compliance.