This week’s blog is a bit of a dry one – kind of. It doesn’t have to be a dry topic, but let’s talk about audits, logs, and culture – they all tie together, I promise.
Our company just finished our latest SOC-2 Type II audit last month, and the auditors complained we have too many controls. Not surprising – our Task Log export for the year was 13,388 separate tasks logged.
Seems crazy, right? But it was easy to implement, and caused no pain in our team environment.
Well, at a previous company, I had a client that demanded all their collection vendors become ISO 27001 certified in 90 days, or they’d stop doing business with us. As you can imagine, my next 90 days were a challenge, but we did it. The problem is, you can build a Big Book of Policies, but getting people to follow them consistently is the harder part.
When I started at this company, I knew that down the road we’d need to be SOC-2 or ISO 27001 certified for the bigger clients we’d eventually represent, so I decided to bake the controls we would need into our environment, our software, and our culture.
Automatic Logging
So you can create automatic logging for collection activity, payments, and whatnot in the background of your CMS (collection management) software – but there’s no reason you can’t also set up logging for everything else. Every time someone accesses a credit card, require a password and log the access time, user id, and file number (who, when, and which file – never the card number itself). Congratulations, you are now covering a core PCI DSS logging control (Requirement 10, logging access to cardholder data)! The one thing to get right is that the log has to be protected from editing: an access log that the person being audited can quietly rewrite is not evidence.
If you create an automatic logging system that will capture regular tasks like file assignments, credit reporting, letter batches, well that’s great, your log file is showing the work you are doing, and no one has to do anything extra. I’d say about two-thirds of our tasks logged were automated.
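As an added example (not code from the post or from the author’s CMS), here is the shape of a card-access log that a PCI auditor can actually rely on: each entry records who, when, which file, and a masked card reference, and each entry carries an HMAC over its own fields plus the previous entry’s HMAC, so editing or deleting history breaks the chain. The field names, the HMAC key, and the sample access events are all constructed for illustration.

```python
"""Hash-chained, append-only access log for card-data access events.

Added example, not the original post's code. Field names, the key and the
sample events are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timezone


class AccessLog:
    """Append-only log; each entry is MAC'd together with the previous MAC.

    The key is assumed to be held by the verifier (e.g. compliance), not by
    the application users whose access is being logged, so a user who can
    edit the log file still cannot recompute a valid chain.
    """

    GENESIS = "0" * 64  # "previous MAC" for the very first entry

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list[dict] = []

    @staticmethod
    def card_ref(pan: str) -> str:
        """Store only a masked reference, never the PAN: '****' + last four."""
        digits = "".join(ch for ch in pan if ch.isdigit())
        return "****" + digits[-4:]

    def _mac(self, body: dict) -> str:
        # Canonical JSON (sorted keys, no whitespace) so the MAC is stable.
        canon = json.dumps(
            {k: v for k, v in body.items() if k != "mac"},
            sort_keys=True, separators=(",", ":"),
        ).encode()
        return hmac.new(self._key, canon, hashlib.sha256).hexdigest()

    def record(self, user_id: str, file_number: str, pan: str,
               action: str, when: datetime | None = None) -> dict:
        """Append one access event (who, when, which file, what) and return it."""
        when = when or datetime.now(timezone.utc)
        entry = {
            "ts": when.isoformat(),
            "user": user_id,
            "file": file_number,
            "card": self.card_ref(pan),
            "action": action,
            "prev": self.entries[-1]["mac"] if self.entries else self.GENESIS,
        }
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int]:
        """Walk the chain; return (ok, index of first bad entry or -1)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or not hmac.compare_digest(e["mac"], self._mac(e)):
                return False, i
            prev = e["mac"]
        return True, -1


def demo() -> dict:
    """Constructed events: a clean chain verifies, a rewritten entry is caught."""
    log = AccessLog(key=b"example-only-key-use-a-managed-secret-in-production")
    t0 = datetime(2025, 7, 4, 9, 0, tzinfo=timezone.utc)
    log.record("jsmith", "F-100234", "4111 1111 1111 1111", "view", t0)
    log.record("jsmith", "F-100234", "4111 1111 1111 1111", "payment", t0)
    log.record("mlee", "F-100987", "5500000000000004", "view", t0)
    ok_before, _ = log.verify()
    cards = [e["card"] for e in log.entries]

    # Someone later edits history to hide who looked at file F-100987.
    log.entries[2]["user"] = "nobody"
    ok_after, first_bad = log.verify()

    return {"ok_before": ok_before, "ok_after": ok_after,
            "first_bad": first_bad, "cards": cards}


if __name__ == "__main__":
    print(demo())
```

The chain only detects tampering; it does not prevent it, and it is only as good as the separation between the people who can write the log and the people who hold the key. Ship the entries to a store the application account cannot delete from, keep the key with whoever does the periodic log review, and run `verify()` as part of that review.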
Record … Everything!
Task logging doesn’t need to be just for IT folks and tickets to be resolved – you can log absences and vacation with HR, you can log new clients coming on board with Sales, you can log any escalations or complaints against an individual collection file. All this tells the story of what’s happening in your company, and when you export the Big Task Log List it’s going to be huge, which makes for happy auditors, and happy clients. One caveat: HR entries and client complaints are sensitive, so a company-wide log needs per-entry visibility rules, and the export you hand an auditor should be scoped to what that audit actually covers.
On the IT side, of course you have to log exceptions (when things go wrong), but you can also log maintenance tasks (when things are going right) or improvements (when they make things better). IT folks often get blamed for not doing enough when things aren’t broken, but you can show all the stuff they do on a pro-active basis – data backups, log reviews, system updates. That’s valid work too.
People overseeing HR can log staff activity, managers overseeing operations can log staff reviews, escalated file issues, training sessions – the list can go on and on.
Building Task Logging Into Culture
Here’s the tricky part, and the most important thing to consider.
So imagine you have a process to log a client meeting, and share it with the entire company. You can kill three birds with one stone here – you can share information with your entire team, so they know what’s happening; you can log evidence for a control (client audit, client performance review, client requests) that a SOC-2 or ISO 27001 auditor will ask for; and lastly, you can reward the staff member for logging the task, building it into their staff review. Everyone wants to log their tasks, everyone wants to read and hear what’s happening, and your auditors get a healthy list of what’s happening.
Give everyone in your company the ability to log things – not just debtor complaints, but suggestions for improvements, meeting results, project reports. Many hands make light work, and everyone can share what they are doing. Admin work for the sake of admin work is drudgery; sharing results, giving kudos to fellow team members, and being rewarded for the time spent writing these things out is positive reinforcement for the good work they are doing.
As a specific example, we’ve got a task function that helps culture – we let staff give each other commendations, up to three every 30 days, that thank their team members for helping, covering for them, being good co-workers, whatever – and it affects their monthly staff reviews. It gives folks the ability to not just say thank you, but to put some weight behind it. Way better than a middle-management supervisor giving some sort of ‘teamwork review’ score. Our team is encouraged to thank each other, and it’s baked into our culture, even across branches, where some team members haven’t even met each other in person.
If your team isn’t motivated to log tasks, everything falls apart, and is left on the shoulders of a few key people – that’s not going to work in the long run to create a comprehensive picture. Get everyone on board, motivate them to log things, and reward them for doing so in a meaningful way.
Managing Recurring Tasks and Cross-Training
Some tasks are one and done – a server crash, a new client onboarded, etc. But some tasks happen on a weekly or monthly basis, and you can create a list of upcoming tasks to be completed.
Here’s the sneaky benefit – if you have a task (say, a Project Report) due every Wednesday, and someone is off on vacation, they’ll think about having someone cover that task while they are gone. You could even attach basic instructions to that task. If a task is missed, someone will notice. If a new task needs to be created, into the mix it goes. If someone has too many tasks, or is the only person who ever completes one, it’s time for cross-training and delegation.
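The two checks above (a recurring task that was missed, and a task that only one person ever does) fall straight out of the task log once it exists. As an added example, not the author’s system or code, here is that detection run over a few constructed log rows; the task names, users and dates are invented, and a recurring task is assumed to be "done" if it was completed within a short grace window after its due date.

```python
"""Detect missed recurring tasks and single-owner tasks from a task log.

Added example, not the original post's code. The log rows, task names and
schedules below are constructed for illustration.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed task-log rows: (task name, completed by, completion date).
TASK_LOG = [
    ("Project Report", "alice", date(2025, 6, 4)),
    ("Project Report", "alice", date(2025, 6, 11)),
    ("Project Report", "alice", date(2025, 6, 25)),   # 18 June never logged
    ("Backup Restore Test", "bob", date(2025, 6, 2)),
    ("Backup Restore Test", "carol", date(2025, 6, 9)),
    ("Backup Restore Test", "bob", date(2025, 6, 16)),
    ("Backup Restore Test", "carol", date(2025, 6, 23)),
    ("Backup Restore Test", "bob", date(2025, 6, 30)),
    ("Monthly Log Review", "dave", date(2025, 6, 27)),
]

WEDNESDAY, MONDAY = 2, 0  # date.weekday(): Monday is 0


def due_dates(start: date, end: date, weekday: int):
    """Yield every occurrence of `weekday` from `start` to `end` inclusive."""
    d = start + timedelta(days=(weekday - start.weekday()) % 7)
    while d <= end:
        yield d
        d += timedelta(days=7)


def missed_occurrences(task_log, task: str, weekday: int,
                       start: date, end: date, grace_days: int = 2) -> list[date]:
    """Due dates of a weekly task with no completion inside the grace window."""
    done = sorted(d for name, _, d in task_log if name == task)
    missed = []
    for due in due_dates(start, end, weekday):
        window_end = due + timedelta(days=grace_days)
        if not any(due <= d <= window_end for d in done):
            missed.append(due)
    return missed


def single_owner_tasks(task_log) -> list[str]:
    """Tasks that only one person has ever completed: cross-training candidates."""
    owners: dict[str, set[str]] = defaultdict(set)
    for name, user, _ in task_log:
        owners[name].add(user)
    return sorted(name for name, users in owners.items() if len(users) == 1)


def report(task_log=TASK_LOG, start: date = date(2025, 6, 1),
           end: date = date(2025, 6, 30)) -> dict:
    """Run both checks over one month of the log."""
    return {
        "missed": {
            "Project Report": missed_occurrences(task_log, "Project Report", WEDNESDAY, start, end),
            "Backup Restore Test": missed_occurrences(task_log, "Backup Restore Test", MONDAY, start, end),
        },
        "single_owner": single_owner_tasks(task_log),
    }


if __name__ == "__main__":
    for task, dates in report()["missed"].items():
        print(task, "missed on:", [d.isoformat() for d in dates] or "nothing")
    print("single-owner tasks:", report()["single_owner"])
```

The grace window is the part to tune: too short and every late-but-done report shows up as missed, too long and a genuinely skipped week hides behind the following one. The single-owner list is the cross-training queue; it is also exactly the list you would want when a key person goes on emergency leave.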
So, How Is This Not A Boring Subject?
Auditors and compliance can be dull and dreary now, when everything is going right – but if you aren’t logging tasks and something breaks or a report is missed, will you notice? If a key person in your company has an emergency leave, will someone have a list of what they need to cover while they are away? It might be dull now, but wait until something breaks; you’ll be thankful you thought of this sooner rather than later.
Our Big Book of Policies is maybe 200 pages, adding up all our high-level manuals and policies, which for a national company is not terrible at all. We try to keep bureaucracy to a minimum – but those 13,388 tasks are where we cover the small day-to-day tasks, deadlines, and functions.
Got a question about SOC-2 compliance, controls, or company culture? Happy to chat about it!
Blair DeMarco-Wettlaufer
KINGSTON Data & Credit
Cambridge, Ontario
226-946-1730
bwettlaufer@kingstondc.com
Receivable/Accounts - Information for Credit and Collection Issues
Friday, July 4, 2025
Baking Controls Into Your Company