You shouldn’t see compliance as a burden but instead as a way to add value to your business.
Compliance matters - it can empower your business and generate a culture of continuous improvement.
There are many reasons why businesses apply for ISO compliance and certifications. In some cases, they want to provide their customers and partners with assurances. Or they want to prove that their organisational structures promote improvement for regulatory reasons. Unfortunately, more frequently than not, companies apply for ISO certifications and international standards just so they can increase their perceived worth.
Businesses feel having certifications (particularly when the competition has them, too) is something they need to do to satisfy clients and stakeholders. However, they see little to no intrinsic value. Consequentially, they approach the issue of compliance as a burden and often just pay lip service to it.
It is a wasted opportunity to make compliance a tick box exercise. There can be a lot of value in adhering to ISO standards and risk management rigor. My father used to say, “If a job is worth doing, it’s worth doing well”. And I firmly believe this applies to compliance as well.
Two Very Different Approaches to Compliance
There are two distinct approaches to compliance, and most companies will fall into one or the other (more usually than not, on the first). On the one hand, you have the “lip service” approach. Doing things because they ‘need to be done’ regardless of your perceived value. On the other, doing the job properly, committing to the process and keeping an open mind to continuously improve things when necessary.
Before we jump into the different approaches to the issue of standardisation, let’s quickly cover what ISO compliance stands for and how it’s usually achieved.
The Meaning of Becoming Compliant
You achieve ISO compliance when your organisation meets the requirements that are outlined in a specific standard (the standard is developed by the International Organization for Standardization or ISO - hence the name).
ISO has thousands of international standards or frameworks developed by experts, covering every area of business. Some of the benefits of compliance include enhancing external reputation and driving improvements to internal operations. They can also align your company’s practices with international standards. Compliance is rarely a one-time thing; you are encouraged instead to perform ongoing monitoring.
Approach 1: Compliance as Lip Service
When you respond to the requirements of standards, you have the choice to see it as a necessary evil, a burden even; something that will provide no value other than as a (reasonably expensive) marketing trick. This approach will only make things more difficult to stand and leave little benefit to your company beyond making your stakeholders or customers happier.
However, every step of a compliance certification is there for a reason, so seeing it as a hassle might make you miss important lessons that could help your company significantly.
Approach 2: Compliance as Doing the Job Properly
Facing compliance and certifications can also be done with an interest in adding value to your business and not treating the work as an annoyance. Rather, you can focus on the benefits it will bring to your business and its teams. It’s been long proven that doing a good job (in any area of your life) can lead to boosting productivity, enhancing performance, and just feeling better overall.
When it comes to compliance, it can also lead you to find many new opportunities to improve your business’ processes, work better with your teams, and learn new things about yourself and your company. ISO compliance can also help you upscale and optimise operations, driving an environment of continuous improvements to both processes and procedures.
If a Job is Worth Doing, it’s Worth Doing Well
The problem with approaching compliance as lip service is that it turns all related activities into a pointless job with little to no perceived value. You know it doesn’t matter, other people doing it know it doesn’t really matter, and nobody is motivated to do things properly. The job turns into checking boxes and surviving the certification process.
If you instead try to do the job properly, you can then choose the parts of the framework that make the most sense and cut away the bureaucratic aspects of it. This would mean that everything you do for your compliance process is adding value to your company.
When you choose the parts of the process that are more valuable and relevant to you and your business and engage with things properly, others will also see you treating compliance as a beneficial tool instead of an annoyance.
The Case with ISO 27001
ISO 27001 is a leading international standard for information security. It protects data crucial to businesses, mitigates risk, and ensures stable operations. It also provides more confidence to customers and stakeholders, and this is the main reason many companies apply for an ISO 27001 certification.
If you are in the information security management business, chances are your competitors have already obtained this certification - and customers expect you to do as well. After all, the standard protects their information’s confidentiality and ensures the integrity of IT businesses.
However, there are so many more benefits to doing ISO 27001 than giving stakeholders and customers high standards for information security. The certification can help you mitigate risks and reduce disruptions, preventing, for example, the financial losses that come with breaches. It can also align your organisation with the international community and standardised global business practices.
Changing Business Culture Through Compliance
Taking things more seriously can also motivate everyone involved to continue thinking in terms of advancing the company. This applies to all types of compliance. When you professionalise your business, you will get payback for your investment because you will most likely improve the culture. People will begin to act differently when they see how you approach compliance and certifications.
There is one comparison that I think makes a lot of sense, and that is a dirty kitchen versus a clean kitchen. You probably won’t tidy much after yourself when you walk into a messy kitchen. There is little motivation to do so, as things won’t significantly change if you do. However, when you visit a spotless one, you will most likely try to do your best to keep things organised. This is because the benefits of keeping things well-organised are made instantly apparent to anyone involved - and people will want to keep things so.
In the same way, approaching compliance as a clean kitchen can improve not just your business processes (in terms of efficiency, security, optimisation, upscaling, etc.) but also enhance your recruitment and your culture as a whole. While not doing it can potentially lead to dishonesty and fraudulent behaviour - because nothing makes people more sluggish than an uninspired leader.
How Not to Think About Compliance - Thoughts
If you think about compliance as merely a marketing expense or a bureaucratic hassle, you will probably be backing yourself into a corner. A better way to think about these certifications is to do so in terms of the added value they can instead bring to your business.
Once you have gone through a certification process, you will be able to see which parts of it are the most beneficial for you and focus on which aspects of your business you can improve. You will, in turn, further enhance your existing processes and/or create new ones to address new opportunities.
Try to look at compliance differently than just something that needs to be (reluctantly) done. Commit to it, and others will follow. People tend to dislike compliance processes because they see them as bureaucratic - but that is only because they are. When you make compliance meaningful by actually ensuring you are always adding value, your processes will make sense to people.
If you take this approach, you will soon see compliance certifications as empowering and not needless bureaucracy.