In the last week, several online news sources published analyses of the challenges of structuring compliance. One writer observed that compliance executives across different industries face common compliance challenges. Another analyst discussed the perils and uncertainties of complying with differing legal rules about what is required to build and maintain effective information security. But no one is talking about the real monster in the room—the capacity of the computer to serve as the definitive, objective, and authoritative witness.
Take a quick look at the headlines announcing virtually any new enforcement action or agreed settlement, whether in the United States or any other nation. Time and again, government agencies are building their cases and prosecuting compliance actions on digital information and records extracted from computers. These are not merely e-mails that someone was careless enough to send (and too busy to think about deleting long ago). Instead, compliance, or its absence, is being proven by telephone call records (including from mobile phones), application and device log-in data, revision histories of critical digital files, and operating logs documenting improper access to, or alteration of, a company’s digital histories, all of them stored in the form of routine business records.
So, how about a new, easy to explain definition of what compliance means in the 21st century? It is actually quite simple. Compliance is defined as follows:
First, compliance requires rules whose performance (or absence of performance) can be recorded and documented. That means that rules relying on ambiguous expressions such as “reasonable,” “adequate,” “appropriate to the level of sensitivity of the data,” or similar vocabulary are not workable: there is no objective record against which performance of such a rule can be measured.
Second, compliance requires performance pursuant to the rules. No shoulda, woulda, sorta did explanations are functional. The activities of the actor to which the rules apply must be executed in a manner that allows performance to be measured against the rules. The actor can be a human, an application, a device, a system, or a company—what matters is that their conduct can be affirmatively measured and compared against the rules.
Third, compliance requires the evidence of performance (or non-performance) of the rules to be preserved and accessible. That evidence must be authoritative, objective, and its integrity cannot be questioned—in other words, the records of a company’s performance must be trusted. Without such evidence, compliance becomes merely a calculated guess as to whether a company is, in fact, performing the rules.
Stop the presses! That means compliance executives have, as perhaps their most important role, the creation and preservation of the evidence of how their company performs the rules that apply to their business. Yes, training, cultural norms, and ethical values are important to develop. But a compliance executive who does not recognize that their job is to create and preserve the digital evidence of due performance will fail in that job.
So, compliance is defined far more simply: know the rules, perform the rules, and create the trusted evidence of their due performance. It really is just that simple.
But writing rules, especially within companies required to navigate different sets of public rules, can be really hard. So, in my forthcoming book, I have included the Rules for Composing Rules, a set of eight rules for how to author rules in order to enable true compliance to be achieved in a digital world. What is really cool is that I have tested these rules with graduate students in both law school and information systems engineering, and both groups of students are thriving at applying the Rules for Composing Rules (affectionately known as the RCRs).
Do you think that definition works? What makes compliance more complicated? Feel free to post your ideas.