Raising IT Compliance Concerns with Management
Raising IT compliance concerns internally with management or other gatekeepers and sponsors can be a difficult situation, but it is becoming a more frequent rite of passage for a compliance professional. I have found it most effective to get a concern to resonate with management when I can reframe it in one of two ways: (1) from the client's perspective, and (2) in terms of the competitive position of the firm.

From the client's perspective, the compliance concern needs to have an underlying relevance to the client. That is, the client should either have a direct interest in the concern (such as data privacy) or weigh the concern when deciding whether to continue the engagement (such as the resiliency of the system, or its recovery point and recovery time objectives, RPO / RTO).

In terms of the competitive position of the firm, the concern can highlight where the firm is deviating from best practices, or where competitors hold a differentiating advantage that can be reduced by addressing the concern smartly. Additionally, and less effectively, there are always the pressure points of reputational, financial, organizational, and cultural damage if an incident related to the concern were to occur.

I have seen management most responsive and supportive when concerns are articulated as having a primary benefit for clients and the business, and only secondarily as addressing a regulatory or auditor concern. It can be difficult to find the most effective messaging for IT compliance concerns because it is often shaped by the culture of the organization, the current market environment, and the personal perspectives of the key individuals involved.