Building a Culture of Compliance Creates Long-Term Business Value

Director, RF Code, Bob Ridout

Compliance in general, and audit compliance in particular, provides a great competitive advantage to businesses subject to all kinds of global and domestic regulations, as excellent audit compliance adds value by building customer confidence.

Maintaining this level of confidence comes from a commitment to understanding what the customer needs, often before they know themselves. It also requires ironclad processes and no small amount of transparency or accountability. Successful companies understand that this customer confidence is absolutely vital to their long-term success. They also know it can take years to build this level of trust, which can be wiped away in an instant with one mistake.

There are two forces at play here: satisfying customer expectations while ensuring compliance is met across the board. Just think about the supply chain. It may have a different set of regulations, but the ability to show that all of the links in the chain are in good order will boost credibility, show stability, and ultimately lead to more market share. Think of compliance in this instance as the grease that keeps the chain from rusting.

A company may decide to have two manufacturing plants separated by hundreds of miles, for instance, so if one should experience a fire, flood, or some other environmental disaster that disrupts operations, they have another facility to continue production. This not only meets customer expectations, but it also builds customer confidence and trust based on the ability to perform. That gives a leg up on the competition, especially if they don’t have a similar strategy or the right technology in place to help them adapt or course correct. Having this second, fully operational facility also bodes well for compliance as business operations will still function properly.

Without these tools and systems in place, a scenario like this can not only shake customer confidence, but it could also lead to compliance nightmares that impact the bottom line. This is where audits come into play. Generally speaking there are two types—those audits conducted internally as well as those conducted externally, which involve an outside auditor. I’ll focus on internal audits, which are typically in the context of a broad framework and as such, can include manual oversight and other inefficiencies that can drain resources. But how we adapt is key.

The point is that compliance is the end goal, but how you conduct internal audits is crucial. They should be inexpensive and effective if they’re to provide any advantage. Compiling a master checklist of all of the necessary components—such as regulations and standards to adhere to as well as who owns that checklist—is a necessary precursor to an efficient internal audit. Additionally, IT tools need to be in place to allow for audit standards to be met. Often organizations don’t have visibility into remote warehouses, but there are mission-critical IT components at these locations that are part of the IT infrastructure. So it’s imperative that remote locations be included in whatever checklists are put in place and that the proper tools are available to the IT team to ensure resilience and compliance of all locations.

With a comprehensive, efficient, internal audit system in place, it’s less likely for headaches to occur when the outside auditors come in. It’s also important to note that, while understanding how these agencies conduct their own audits and leveraging their playbook can be incredibly helpful, it should never be seen as a silver bullet. There’s no substitute for internal accountability and strict ethical standards.

That brings us to assets—specifically, how they’re managed and accounted for. Depending on the industry, assets could be anything from pharma lab equipment and retail POS systems to enterprise servers and, perhaps most importantly, customer data. While accounting for assets is just one part of an audit, it’s arguably one of the most important, as you also need to know if these assets need to be updated, replaced, or even retired.

These assets can also be costly and usually contain sensitive or mission-critical data. Losing critical assets due to theft, loss, or negligence leads to two scenarios, both equally problematic. First, it forces the company to shell out more in terms of operating expenses. With supplies already committed, the organization will have to reorder and pay to replace the missing items. Second, the quality of service provided by the facility will likely be affected if critical equipment or supplies suddenly become unavailable. By prioritizing visibility of IT assets, organizations can ensure continuous operations at remote locations such as warehouses. This ensures the integrity of customers’ supply chain and the bottom lines for all parties.

Efficient tracking processes can take care of varied tasks, such as locating equipment, providing up-to-date data on each item, and offering complete access to maintenance records. With this anytime-anywhere access to critical information, organizations will spend less time searching for equipment and more time focusing on strategic initiatives to grow the business.

During my nearly decade-long tenure as CIO of DuPont, I spent a lot of time abroad overseeing operations at various remote manufacturing and IT sites. At these locations, we produced various materials, some involving hazardous chemicals. But we were also challenged by weather extremes, unreliable utilities, power, communications, and so on.

There were other global influences that impacted the company’s operations, which were outside of anyone’s control but forever changed how we conducted business. After 9/11, for instance, the government started working much more closely with businesses and organizations that could be potentially compromised or targeted due to their sensitive nature. They were seen as something that bad actors could potentially exploit and weaponize—either directly or indirectly, as with cyber-attacks—so the Department of Homeland Security partnered with us to create standards that regulated “security at high-risk chemical facilities”.

We worked with industry groups to ensure we were putting protocols in place that also included remote locations that likely didn’t have IT teams onsite. By creating a system that ranked hazards as high, medium, or low, we then firewalled all of the systems starting with high hazard assets, which only a handful of process engineers had access to. This ensured those specific assets were protected and not accessible to anyone else. These process control systems also led to increased accountability and transparency when managing assets across the board.

Technology has made significant strides since those days back at DuPont, but the increasing speed of business processes continues to put an immense amount of stress on the reliability of supply chains. This couldn’t be truer of decentralized or remote IT sites that come with inherent vulnerabilities not found in centralized IT environments (i.e., data centers). These edge environments pose greater risks because they’re usually unmanned, so tasks such as watching security video feeds or monitoring humidity levels and unforeseen weather events can be incredibly challenging.

Assets in these edge environments are therefore more likely to be non-compliant, outdated, and much more vulnerable to network attacks. In fact, it was just 10 years ago that one of the biggest consumer retail chains had one of the largest data breaches in history. Why? Because the hack was at a remote IT edge location that was not compliant and didn’t have sufficient standards or protocols in place. So whether we’re talking about assets in the data center or some remote IT server closet, we had hundreds of these scattered across warehouses globally. The importance of having an end-to-end value chain in place is crucial—not just for the company but also for bolstering customer confidence through transparent, ironclad, ethical practices that ensure the integrity of every link of that chain.

In some ways compliance is what we make of it. And by that, I mean it’s not just what regulations each organization or industry faces, it’s how well an organization can establish a proactive, strategic approach. I’d argue hand over fist that it must be part of the company culture, which organizations like DuPont hold in high esteem to this day. To be considered competitive in the slightest, compliance should be regarded as a standard—not in its own right, but as a standard of company excellence. At the end of the day, companies want to work with those partners who prioritize security and visibility, with controls in place for all locations that are part of the IT infrastructure and critical operating systems. Having an IT approach that is built on trust, accountability, and productivity will make you the player that customers return to time and again.


Bob Ridout has spent nearly 40 years in the IT sector and currently sits on the Board of Directors at RF Code. He was previously CIO of DuPont for nearly a decade and has also served on the customer boards for Microsoft, HP, AT&T, Lotus, and IBM.
