Compliance in client relationships is a matter of prove it or lose it…here’s how
When it comes to compliance, risk management and all that jazz, if you can’t demonstrate that your business can meet the standards your client is accountable to, they will have no choice but to look elsewhere…
Most businesses (should) spend time reviewing their own risk and compliance obligations. But many fail to fully recognise their part in their own clients’ compliance chains. Let’s say for example, you have clients that are government funded, or involved in healthcare, education or finance; these clients will have their own compliance and reporting obligations and this will involve benchmarking the products and services you provide them with against their industry-mandated standards.
What does that mean for your business? Essentially, if they find your products and services don’t cut the mustard, then your client will have to make some hard and fast decisions, and those decisions will likely no longer involve you…Look no further than Medibank’s loss of 13,000 policy holders in the immediate wake of their 2022 data breach!
If your client is bearing risk associated with the products and services you supply them with, and you cannot demonstrate that you are supporting your client to manage that risk, then it follows that they will seek out another provider that can; it’s a matter of prove it or lose it.
When your clients assess their risk exposure, they’re also assessing yours
Any business that is in scope of the Australian Privacy Principles (APPs), the Victorian Protective Data Security Standards, ISO27001/9001 (Information Security and Quality Management standards) or any one of countless other standards and compliance frameworks that span the Australian business landscape will be regularly reviewing the likelihood and impact of a range of risk factors as they relate to its own systems and operations. A critical part of this process also involves a business examining the upstream risks associated with its suppliers, as well as the downstream risks associated with what it supplies to its clients. As an ISO-certified Managed IT Services provider ourselves, we know this all too well!
Your client might not be explicitly discussing their risk assessment or compliance processes with you, but you can be sure that they have standards to meet. Behind the scenes, they will have procurement, accounts or risk team members quietly monitoring and reviewing the service you provide, how you work, how you deliver services to them, and most importantly, what risks you pose not only to their business, but their clients as well.
Data breaches have been a compliance wake-up call, but it’s not all about a breach
You could be forgiven for thinking that compliance and risk management are only flavour of the month given the succession of Australian companies large and small that have fallen victim to data breaches over recent years. Whilst these incidents may have caused consumers to reactively jump ship, in the B2B sector they’ve driven a broader move towards proactive prevention to get ahead of any security incident occurring.
Today we’re seeing this impact long-standing client relationships. Some of these tried-and-true relationships are coming under threat, not because anything went wrong, but because a supplier can’t demonstrate that they’re managing risk effectively and continually improving and adapting their compliance practices over time.
Risk-aware B2B clients are asking new questions:
- What regulatory or compliance standards do you work to?
- Can you show how your staff are trained on data privacy and security?
- What sort of data do you collect, process and store, and how do you protect it?
- Do any third parties have access to our data? Who are they and how do you manage that?
- Can you provide details on your Data Breach or Incident Response Plan?
If your clients are asking these sorts of questions, you can be sure they are looking for tangible proof of your business’s capacity to meet their compliance needs.
A Real-World Example
A well-established professional services firm had been a trusted supplier to a government-funded healthcare provider for over a decade. The relationship had always been solid. But when the healthcare provider underwent a routine audit, the risk assessment flagged a gap – one of their suppliers didn’t have a documented security policy or procedures that met their current ISO27001 requirements.
Neither party had been compromised, nor were there any security incidents in play. The healthcare client needed to answer their auditor’s questions, but their trusted supplier simply couldn’t produce what the auditor needed to see.
Within weeks, the supplier’s contract was reviewed, and they were asked to demonstrate improvement – or risk being replaced.
In this case, the issue was not cybersecurity; the issue was supplier compliance and risk management (or lack thereof), with expectations unclear and unmet on all sides.
Clarifying your compliance needs and expectations
If your business provides products, services or support to clients where trust is implicit, client-side expectations need to be uncovered and met. And remember, you are also a client to your suppliers, so you have a responsibility to drive these discussions both upstream and downstream.
Ask yourself:
- Do we know what our clients’ certification and compliance requirements are?
- Do we have the capacity to support our clients through an audit to the standards they must certify to?
- Do we have up-to-date documentation on policies, procedures, training and reporting covering risk management, privacy, security and supply-chain management that we could readily supply within 24 hours?
- If we were audited by our client, would we pass?
Where to from here
At Maxsum, we help businesses identify where their IT, compliance and risk functions intersect, and how to close any gaps that may put your client relationships at risk.
If your business partners with regulated industries or publicly funded clients, we’ll help ensure that we’re not the weak link in your compliance chain, and neither will you be for your clients.
Want to find out how audit-ready you really are? Let’s talk.
