20 Seconds to Comply

It’s the 30 year anniversary of Robocop this year and it would be remiss of me not to post about one of the all-time greats and tenuously link it to today’s world. I’ve been through the wringer of compliance from the ISO through to PCI and every stress-laden step in between, so you get to hear my ramblings lucky reader. 

Check out the range of available guidelines, there’s an ISO for everything and if you ask me it’s a lovely little niche. Check out ISO 11869 as one of my personal go-to references…..unreal. In the same manner, there was a fixation with ITIL a few years back the game of compliance adherence continues in the same way drugs cheats continue to stay one step ahead. A loser takes all battle of attrition. 


I am a strong believer in defining the frameworks around how to operate, and publishing a standard is a great way to show that your company has a structure and control around it’s operating procedures. My concern is the manner in which these things are obtained and the credence giving to the certification. 

Taking ISO20k for example a quick google search turns up the benefits of being compliant. I’ve edited the syntax to protect the innocent but let’s take a look at these ‘great reasons’;

…benefits of ISO20000 certification for…providers are:

1. …competitive differentiation demonstrating reliability and high quality of service;

Sadly this is true through a form of ignorance rather than the demonstration of ability. The fact that next door have Ocado trucks deliver rather than the Iceland(1) truck that turns up at my place doesn’t mean that he’s a better chef than me.

The point is that having a certification simply means you’ve passed a single day’s scrutiny from an auditor. More than likely it was one hour of work with a seven hour chat about nothing in particular.

2….gives access to key markets…organisations in the public sector demand that their IT service providers demonstrate compliance;

Sadly, this is somewhat true, there is a demand for compliance and rightly so. My issue isn’t in the desire for approvals, in much the same way we all went safe cars that score well on the NCAP rating. I question whether you would be quite so influenced had you realised the car submitted for the crash test had been reinforced for that particular test with a roll cage and a less sensitive dummy.

3….assures clients that their service requirements will be fulfilled;
There’s more wool being pulled over eyes here than there is at the annual sheep gymnastic championships. It assures nothing of the sort to a savvy client.
4….enforces a measurable level of effectiveness and a culture of continual improvement by enabling service providers to monitor, measure and review their service management processes and services;
Come on, we’re into the realms of Tolkien here. If you run a company and you believe that ISO compliance enforces your culture you are in the wrong job. Continual commitment to excellence enforces culture. Sure the frameworks outline things, but don’t for one minute think that by achieving the status of ‘compliance’ your company will transform into the new Netflix, Apple or Virgin of this world.
4….drives down the costs of conformance to a multitude of other regulations, including the PCI and S-Ox;
It does, but……only because there’s so much overlap in the made up standards that you’ll write less copy. Got ISO20k? That’s a chunk of 27k you don’t have to do! Surely more focused compliance measures would allow better and more specialised work to be done?
Courtesy : Dilbert.com

So what’s the point?

Compliance is absolutely the right thing to follow, but embrace it as a cultural shift, not a knee jerk reaction. Financial regulations, security regulations, they’re all there for a reason. They aren’t there so you can game the system and pretend you run a tight ship. 

Don’t aim for compliance to a standard, aim for best practice and the cogs will naturally fit into the ‘framework’.

Too many companies claim compliance only to spend the week before an audit brushing up documentation, briefing the individuals and generating enough collateral to guide the external auditors to handing out a certificate.

If you want to eclipse the competition embrace the frameworks as part of your culture, pick the relevant standards and live and breathe your version. If you employ internal auditors, empower them to make change. Chastising a department manager for weak KPI’s does nothing. Challenging and helping set targets that fundamentally change the ability of your company to perform will reap benefits.

Alternatively, keep ignoring your strategy and then panic when audit time comes, after all, you’ve got 20 seconds to comply.

  1. I’ll caveat that by saying that I’ve never been to Iceland. The truth is my better half would kill me, some time after she’s resurrected herself from the grave of shame in which she would languish if I deigned to shop there – other delivery firms are available).


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s