Compliance and Certification | Education
By: Schellman | November 24th, 2015
Effective compliance and risk management goes far beyond a set of policies. To be effective, a company’s compliance and risk management program must be embedded in its culture. All too often, companies see compliance as a separate activity that does not need to be integrated into the day-to-day business operations. All employees should share responsibility, and an intelligent risk framework should be created that brings compliance out in the open — letting employees know the importance of compliance while allowing them to communicate. But that’s often easier said than done.
By: SCOTT ZELKO | November 19th, 2015
Despite years of preparation and billions of dollars in spending, today’s businesses still aren’t prepared for cyber-attacks. Just turn on the evening news and you’ll be greeted with the name of the latest company to suffer an attack.
Compliance and Certification | Education
By: LAUREN EDMONDS | November 10th, 2015
The ultimate goal of a compliance program is not only to make sure your organization meets the requirements for compliance, but to also ensure employees do the right thing. But it can be difficult to determine the success of your organization’s compliance. What do you measure? How often do you measure? What do you focus on?
Payment Card Assessments | Compliance and Certification | Education | Healthcare Assessments
By: DEBBIE ZALLER | September 30th, 2015
NOTE: Schellman has since updated and expanded on this information in an article here.
Nobody likes a compliance audit, but they serve a necessary purpose in the business world. If an organization is lacking in its adherence to global compliance regulations, there could be serious fallout. Employees or customers may lose trust. Your company’s reputation could be damaged, and worse — lawsuits and fines can significantly damage financial health. For this reason, chief compliance officers must change the way they think about audits. Painstaking as they may be, an audit provides you the opportunity to rectify issues before they become larger problems. Instead of dreading and avoiding an upcoming audit, here’s how compliance leaders can prepare their company to make the review process less agonizing.
Compliance and Certification | SOC Examinations
By: MIKE MEYER | May 11th, 2014
Periodic reviews of system access are critical for service organizations that wish to maintain strong internal control around information security. Access privileges to systems or physical locations that impact the customer’s business environment should be commensurate with the requirements of the services provided. These privileges should also facilitate segregation of incompatible duties. For example, to segregate incompatible duties, a system developer generally should not also have access to migrate changes to the production environment.