Updated: Jul 21, 2022
Instead of in or out the question should be how close and which direction are we heading.
Organizations are periodically asked to attest to their compliance. The question usually boils down to a simple one: "Are you in or out of compliance?"
The answer expected and often given is something like this: "Of course, we are fully compliant with all applicable laws, regulations & standards, and internal policies, as far as we know."
This will, of course, be verified by internal and external audits.
The answer may be true for the most part but perhaps not as useful as it could be.
Organizations might be in compliance today or at the time of their last audit. But tomorrow a misstep may find them off-side. In fact, they may have been heading off-side for some time but were not paying attention. Single-point evaluations are poor predictors of risk.
What organizations don't know is how close they are to stepping over the edge and, as importantly, whether they are heading closer to or farther away from that edge.
Where staying between the lines is mission critical, risk and compliance programs, to be operational, must provide credible answers to these questions:
How close are we to an incident occurring? and
Are we moving closer or farther away from that point?
These would be considered as measures of assurance.
Unfortunately, most organizations don't consider risk exposure in their decision making and so don't expect it from their risk and compliance programs. No wonder everyone is surprised when an incident occurs.
Successful organizations, however, will expect more from their programs and ensure that they get the answers they need to keep the organization between the lines today and every day they choose to operate.