
Compliance Framework Planning

5 Reasons Why Compliance Frameworks Should Start with a Content Strategy

 

 Financial Institutions are intentionally late adopters of technology trends. The practice was established to reduce the risks posed by new technology with little to no track record. In today’s environment, mounting pressures from regulatory bodies on the protection of privacy and assets from cyber risks are necessitating a shift towards a proactive adoption of new technology and processes. In other words, a “wait and watch” approach is no longer feasible from either a compliance or leadership perspective. 

A current example in Canada is the introduction of the B13 Guidelines. The Office of the Superintendent of Financial Institutions (OSFI) issued a release urging all Federally Regulated Financial Institutions (FRFIs) to establish frameworks upon which they will be evaluated as compliant with the OSFI B13 Guidelines. Enforcement comes into effect on January 1, 2024.

What these new regulations are indicating is that tools alone are not enough. Addressing compliance, such as the B13 Guidelines, is more complex than simply throwing up more firewalls and security measures. The goal of this compliance standard is to establish frameworks and structures that reduce risk by design, rather than implementation. FRFIs are expected to set clear expectations for accountability and be able to prove process management as it relates to cyber security. 

The foundation of these frameworks lies in the processes. The information about and around these processes, including the documentation in which it is presented, is considered ‘content’. Addressing how these foundational pieces are developed and managed relies heavily on a content strategy. For executives looking for the best place to start with their compliance planning, content strategy is certainly worth considering. In the long run, a content strategy can reduce risks by ensuring:

- The completeness of processes. 

- Control points are not missing. 

- There are no incomplete or undocumented processes. 

Taking a content-first approach facilitates designing a compliance program that is easy to implement and scale, and that can evolve with subsequent versions of regulations. Working through the process of balancing the urgency of compliance against the sensitive nature of the materials involved may also reveal new vulnerabilities going forward. We regularly see organizations struggling to implement, execute, and maintain programs that bypassed the content strategy step. Some key issues are:

 

Findability 

 People cannot find information. When people are not able to find the relevant information when they need it, tasks get delayed, and progress on accomplishing goals and objectives slows down. Searching or scanning through multiple documents, constantly flipping between applications, and sending out requests that interrupt the workflow of colleagues are not only detrimental to productivity but also leave the door open for exploitation of systemic weak points. With a content strategy-centric approach, the information becomes readily available and easy to find while maintaining the integrity of security controls. 

 

 Lack of complete and relevant information 

When multiple upgrades or changes to technology, software, related systems, and processes occur, even the most resourceful teams may find themselves working with an outdated knowledge base and poor information architecture. When teams lose faith in the tools and information they are provided with to complete their tasks, it can create negativity and frustration. Neither of these is conducive to maintaining a high degree of vigilance, care, and consideration toward security and compliance. 

 

 Duplicate information 

FRFIs typically span large geographical areas, with regional or local information interspersed with national and/or global level information, in which case multiple versions of the same content may be available. Sometimes these versions contain slight variations, and users may be confused as to which version is the most current and accurate, which can lead to costly oversights and compliance irregularities. A content strategy establishes a qualification and approval process for documentation to ensure time and resources are not spent sifting through duplicate content.

 

 Trivial information 

Sometimes information is arbitrarily created. Whether out of frustration or with good intentions, documentation may have been created that simply isn’t needed, or is in direct conflict with approved processes that are important to meeting compliance standards. Avoid auditors raising the questions “Is it accurate?” or “Has it passed through a formal approval process?” about content that management may be unaware of.  

 

Fragmented Information 

The scope of documentation required across an organization, particularly in FRFIs and highly regulated industries, is vast. This can include organizational policies, process descriptions, procedures (e.g., estimating procedures), development plans, acquisition plans, quality assurance plans, training materials, process aids (e.g., checklists), reports, and more. Compliance concerns arise where that information is fragmented or suffers from a lack of centralization. 

 

Adopting a content-first approach to compliance framework planning is worth considering. Taking a ‘wait and watch’ approach is no longer an option. Executive leadership and governance managers should critically assess their priorities with compliance and long-term strategies for risk management. Incorporating a content strategy ensures the content and processes in place are robust enough to meet compliance requirements over the long term while improving the efficiency of implementation and encouraging a culture of actionable accountability. These frameworks are meant to improve risk management by process design. Otherwise, security software, firewalls, and other tools will not be enough to satisfy auditors, and someone will be accountable for that. 

ABOUT INNOVATIA

Innovatia is an end-to-end content solutions provider servicing clients looking to manage and overcome challenges with their content.  For more than two decades, our experts have worked closely with client teams to help design, transform, and manage their content with a view to driving business goals through knowledge and content solutions. To discuss in more detail, contact us.