Keeping up with compliance can be difficult, especially for those who operate in highly regulated industries. Sabrina Serafin interviews Anil Karmel and Travis Howerton of C2 Labs, a company that aims to simplify and automate regulatory compliance.
Read the Compliance Manifesto: https://www.c2labs.com/post/regops-has-arrived-lets-bring-devops-to-compliance
Culture of Compliance™ was recently named #1 in “Top 25 Regulatory Compliance Podcasts You Must Follow in 2020” by Feedspot.
Culture of Compliance | Continuous Compliance
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina Serafin Welcome to Frazier & Deeter’s Culture of Compliance podcast series where we discuss compliance as a competitive advantage in today’s marketplace. I’m Sabrina Serafin, Partner and National Leader of Frazier & Deeter’s Process, Risk & Governance practice.
Today, we’re talking to Anil Karmel and Travis Howerton of C2 Labs, a company that aims to simplify and automate regulatory compliance. Anil founded C2 Labs to develop innovative solutions to accelerate digital transformation within government and highly regulated industries. As an early pioneer of cloud technologies at Los Alamos National Laboratory, Anil continues to advance the state of the art, supporting new compliance standards and practices for the Cloud Security Alliance and the National Institute of Standards and Technology. Anil, welcome to the podcast.
Anil Karmel Thank you very much Sabrina, pleasure to be here.
Sabrina Now, Travis is the Co-founder and Chief Technology Officer of C2 Labs where he builds on past experiences, like serving as the CTO of the National Nuclear Security Administration and the Senior Executive with Bechtel Corporation leading strategic technology programs for highly regulated industries. Travis, welcome.
Travis Howerton Hello, thanks for having us.
Sabrina So, we’ve asked Anil and Travis to join us today to specifically talk about the idea of continuous compliance. I think this term will really resonate with our listeners because it captures the increasingly difficult situation facing compliance executives, especially those who serve in the highly regulated industries.
First, can we talk a little bit about the regulatory landscape and what companies in highly regulated industries are trying to manage today?
Anil Well, there are numerous regulations that exist, for both the regulator and the regulated, and the regulatory burden is increasing. We’ve got new privacy regulations that are coming up within the United States: you’ve got GDPR in Europe, CCPA in California, Virginia is about to pass privacy legislation, not to mention financial compliance requirements.
Then there are government compliance requirements: NIST has a new special publication, 800-53 Revision 5, which is going to require all Federal Government systems to be compliant with this new standard over the course of several years. So, given the increasing burden of compliance requirements and the associated burden of creating and completing compliance artifacts, really, we need to try to understand, “What is a new way to really develop continuously compliant documentation?”
Sabrina Okay, so, given the regulatory landscape, could you explain what you mean when you talk about continuous compliance?
Anil Yes, so when you’re thinking about compliance, compliance today is done using a myriad of labor and point solutions, creating compliance artifacts in Word documents and Excel spreadsheets that serve as a point-in-time view of your compliance to a given regulation or regulations. The challenge is it takes a lot of labor to create these artifacts, and they’re instantly out of date the moment that they’re created, so it takes a lot of labor to pull all this information out of these different point solutions. You know, it’s similar to when you’re developing new technology for organizations. In the past, developers would create that technology and hand it over to system administrators, who would review that application and then promote it into production, so this concept of development operations, or DevOps, was born, which allowed these groups to collaborate and quickly roll out systems to production in an automated fashion.
So, what I’d like to posit is perhaps bringing that concept of DevOps to compliance, something we could potentially call Regulatory Operations, or RegOps, where we’re combining these cultural philosophies of how we do compliance, our practices and tools, to increase the compliance of our applications and our services against these regulatory standards that we’re required to be compliant with at a very high velocity, and increasing our state of compliance and trust at a faster pace than done before.
Sabrina That’s a great concept, but I believe that some of our listeners may not fully understand what DevOps entails, can you give us some background into that?
Anil Definitely, Sabrina. The DevOps model, as defined by an industry leader in the cloud, Amazon Web Services (we’ll use their definition), is a combination of cultural philosophies, practices and tools that increases an organization’s ability to deliver applications and services at high velocity. It allows organizations to evolve and improve products at a faster pace than organizations using traditional software development and infrastructure management processes.
It’s really about increasing the pace of how you’re deploying applications in the DevOps model versus a traditional approach. The DevOps model employs these practices to automate processes that are historically manual and slow, as defined by Amazon Web Services.
It uses technology, it uses tooling, it uses services that help staff operate and evolve applications and allow folks to independently accomplish tasks that would normally require help from other teams. Allowing this DevOps model to really underpin and inform how regulatory operations might leverage a similar model is how RegOps was born, in our view.
Sabrina I think this is an important point, you’re saying that companies can achieve continuous regulatory compliance more easily and effectively by adopting tools and services that apply the principles of DevOps, which is all about aligning regulatory compliance with the pace of IT and business?
Anil Exactly. DevOps, and now in this model RegOps, is this cultural transformation where you’re coupling new practices and tools that allow teams to collaborate effectively, allow teams to build trust and increase velocity. The reality is, companies are moving at an incredibly rapid pace, which increases their risk of being non-compliant, so changing the way we approach compliance by leveraging this RegOps mindset will give companies an incredible edge in staying continuously compliant.
Sabrina Travis, in one of your blogs you wrote about digital transformation as inevitable, unstoppable and ubiquitous, and the inherent tension between compliance and transformation was discussed. Can you tell us about that?
Travis Sure thing. I think when you talk to most CEOs today, they would tell you that digital transformation is the lifeblood that’s going to fuel their business. They all know that they have to ride that wave to be successful and to dominate their market. They also know that if they get left behind, they may not exist in 10 years, so nearly every company knows they’ve got to be doing this. According to Gartner and others, almost two thirds of them say they’re way behind or not successful in their transformation initiatives.
What we think is that compliance is the equal and opposite force to digital transformation. It’s the thing that slows everything down and makes it harder to do because they don’t want to add new risk, they’re worried about failing audits, they’re worried about breach and what may happen if they have compliance problems in these well understood programs and systems that they built over 20-30 years.
So, we thought we’ve got to find a way to help companies knock that down and that’s when RegOps was born. As part of that, we don’t think we’re pushing just a tool, we’ll be one of many tools in this new RegOps movement. But we think it’s kind of like the early days of agile project management, and so in this similar sense we put out our Compliance Manifesto which basically gives you a set of principles you can use when thinking through how you apply RegOps inside of companies and organizations.
It starts with not bashing regulators. Regulations are good, they keep us safe, they keep us secure. They’re written by well-intentioned people. That being said, when people do bash, it is because they’re expensive, they’re hard to follow, so we think the second principle is that they should be affordable and transparent and easy to use. We also believe that anything you do more than once you should try to automate, which is really where RegOps comes in and the tooling comes in. This is still one of the last bastions of paper empires, where you just get huge stacks of paper that are created by hand, and we think there’s broad applicability in how you might automate that.
We also think it should be simpler and less risky to go through an audit; you shouldn’t be worried about losing your job and having audit findings that put your company in a bad position. So, that transparency and real-time nature, which is the next thing, again, that real-time evidence, which is core to our RegOps principles, means risk falls, because you know the problems before the auditors get there. It’s not an after-the-fact audit or data call you do, it’s just part of how you do business now.
We also think you have to change incentives for regulators and the regulated to make it easier for both sides to have mutually beneficial incentives that move everybody forward against those regulations that are so important. Even though we’re tool vendors, we think it has to be technology agnostic and should leverage standards, because you don’t know how the world is going to change in two years, much less 10. So, as we move into a RegOps world, a standards-based approach can help people interact with less risk and less technology disruption over time.
Another thing we’ve started with is our core tool that we put out is free, because we think compliance shouldn’t be unaffordable. We have free tools to help people get started, and then we have enterprise class tools you can grow into and unlock additional value in the paid version as you scale and get more mature in your RegOps practices. The last thing is just do no harm. It’s a new world, we’re doing new things in different ways, so we should always be cognizant to measure what we’re doing, “Is it truly better?” and if it’s not better stop it. Taking some of those agile DevOps techniques that worked in the past, apply them to RegOps, and really fundamentally transforming how compliance is done in organizations across the globe is kind of our vision and mission and what we’re setting out to do as a company.
Sabrina Travis, I’m fascinated by the concept of a Compliance Manifesto. How do you find your clients are best applying those concepts?
Travis So, I think right now with our customers we’re in the very early stages of this, and so it’s a bit of a crossing-the-chasm problem, where we found some thought leaders who can share that vision with us. What they’re doing is taking a lean view of their process, going sort of end to end, and finding where the bottlenecks are, where paper and compliance are slowing us down. And out of those bottlenecks, which ones of those lend themselves to automation. This is more vision than practice today, in the sense that you can’t necessarily automate 100% of everything today right out of the box, but you might be able to get to 60%. You might be able to get to 80%.
What we’re working with is customers who have that vision, who have the expertise, who are willing to lean in with us and find those discrete processes, where “Why am I issuing a data call every quarter to my Active Directory guy to go give me logs to go pass this audit?” I could script that and I could get it every day or every week or every month, and the A.D. guy is going, “You’re never going to bother me again, this is wonderful, because I have a real job and you’re a distraction.” Right? And so, that’s where we find it: you find sort of these thoughtful leaders who share a vision and are excited about getting there. Then you combine it with finding where’s the greatest pain in the organization and getting rid of it.
Then you get sort of that grassroots support for what you’re doing because this thing that was super painful for them to do manually is now completely gone and automated. So, bringing those things together, and then wrapping software around it and automating everything we can using our RegOps principles and our Compliance Manifesto, is how we’re working with customers today.
Sabrina Thank you, Travis. We will provide a link to the blog where our listeners can read about the Compliance Manifesto, and as we start to wrap up do you have any closing thoughts you’d like to share with our audience?
Anil RegOps, just like DevOps, it’s not going to happen overnight, it is a cultural movement that is going to allow companies to really embrace continuous compliance. It’s part of this longer-term cultural transformation of the market and how companies approach compliance. So, this RegOps movement will allow compliance professionals to move from a reactive stance to now taking on a strategic role within the organization that allows your compliance professionals to protect the company from risk and its associated costs.
Travis From my perspective, the thing to really think through is, if you’re a CEO of a large organization and you’re thinking about, “How do you win in the next generation digital economy?” When digital transformation hits your industry, how are you going to survive, how are you going to thrive? One of the key areas you can focus on is pulling costs out of compliance, automating things and really allowing your organization to move faster. It’s one of those great levers that organizations have to unlock productivity. Just imagine if your business could move at the speed of the cloud, at the speed of automation, at the speed of machines, instead of always being held back by these archaic, paper-based manual processes.
We think customers who adopt and understand RegOps will be winners in this next generation economy, and we want to be the company that helps them get to where they need to be, that automates a lot of these sort of slow, archaic processes they have in place and reimagines a world of compliance without paper that moves at the speed of business. That’s what excites us.
Sabrina What would you consider the low hanging fruit for organizations that are trying to digitize their compliance process?
Anil I’ll take a high-level approach to that. First, I’d state that, you know, it’s very important to know that compliance is a people-driven exercise. It’s always going to take people to understand risk and understand your state of compliance. So, really employing automation where it makes sense is really a foundational principle of RegOps, for both the regulator and the regulated. So, understanding your compliance obligations is the first step: get your hands around, “What are your compliance requirements?”
And then employ digitization, where you take those compliance obligations and you put them into a digital platform. Then determine what are those processes and steps that are indeed repeatable, that can be automated, and employ automation, leveraging tools and leveraging services, to really bring the benefits of DevOps to compliance in this RegOps model. Travis?
Travis I would say the low hanging fruit is a couple of things. Anywhere where you know you have data, it’s just you’re taking people to go manually fetch it, or you’ve got some paper-based form that you’re routing around, or something’s going outside the system for something to happen and you’re waiting. Waiting is kind of death in DevOps, because waiting is what slows everything down. Anything where you feel like there’s waiting or anything where you feel like there’s manual collection. To build on what Anil said, the thing we’ll never try to do is replace people’s brains and the intrinsic value they have, because there’s always going to be a person who sits across the desk from an auditor and defends the program. It’s always going to be a person who accepts risk on behalf of the company.
But, machines can help that person be empowered with better information, to do their job more effectively and to get them out of this reactive mode where they’re scared to touch anything because they’re afraid of what will break and what risk will happen and get them into a more proactive mode where they’re using their mind more and they’re using their hands-on keyboards last to get their job done. So, I think that’s where the low hanging fruit is and understanding that the job is not to get rid of all the people in compliance, the job is to strengthen sort of the effectiveness and the power of those people so they can do their job better because they’re important, they’re valuable and they’re necessary.
Sabrina Anil and Travis, I want to thank you both for being with us today and discussing this really exciting view of compliance.
And to our audience, thank you for listening to Frazier & Deeter’s Culture of Compliance podcast. Please join us for our next episode, as we continue to discuss transforming compliance requirements into investments in your business.