Smaller organizations simply don’t have the resources their larger counterparts enjoy to keep up with compliance requirements. Polyient Labs CEO Brad Robertson outlines how they can clear that hurdle.
There are those who still associate blockchain technology – decentralized, transparent, immutable digital ledgers – with only two things: Bitcoin and hype.
The hype is undeniable, but hype is a natural outcome of mass adoption, and blockchain is being used by an array of multibillion-dollar organizations to meet a myriad of needs – everything from marketing and identity protection to supply chain management, cannabis funding and mitigating world hunger.
Here is another early-stage blockchain idea to add to the list of blockchain use cases: deploying blockchain to help third-party vendors and service providers keep up with the ever-changing compliance demands and security requirements of their corporate clients.
Right now, U.S.-based multinationals spend as much as 12 percent of their annual revenue keeping up with compliance requirements. And, according to a recent Accenture survey, most of them anticipate that compliance-related costs are only going to escalate.
This should come as no surprise when the regulatory tick sheet is examined. In the 1950s, the list of federal regulations U.S.-based businesses had to abide by filled 10 pages. In 2017, that list exceeded 180 pages.
For most U.S. corporations, this is simply the cost of doing business.
However, it’s a different story for the millions of service providers and third-party vendors that work with – and depend on – corporate clients. By law, service providers, contractors and vendors must meet the same compliance benchmarks their enterprise partners do. But in the majority of cases, these smaller organizations must do so with a fraction of the financial and human resources corporations can throw at the problem.
Small service providers must mirror the same hiring and training practices, the same data-security and risk-management policies, the same audit schedules. When a corporation makes technical upgrades, vendors are expected to as well. When enterprises introduce a new “corporate sustainability policy” or “cyber risk initiative,” contractors are expected to follow suit.
It’s little wonder that, according to the National Small Business Association, in its first year of business, the typical startup shoulders more than $83,000 in regulatory costs. After that, according to the nonprofit OCEG, it’s common for third-party organizations to spend between $15,000 and $250,000 each year keeping pace with enterprise-client requirements.
Why are small providers pressured to operate with the same governance, risk and compliance (GRC) standards as the mega-corporations they serve? Because corporations are accountable for the actions and behavior of the vendors they hire. As Drew Hendricks explained in Inc. in 2017: “While … vendors may be entirely separate from the organization, if they commit violations on behalf of the company in question, that company can also become liable.”
Unfortunately, the costs associated with keeping up with the regulators are the responsibility of the vendors – regardless of their size.
GlobalScape confirmed this three years ago: “larger companies have access to leading data protection technologies and highly-skilled personnel [with] expertise in data protection laws and regulations,” the organization concluded. “When adjusted by headcount … compliance costs are highest for organizations with fewer than 1,000 employees.”
In most cases, the “compliance costs” manifest themselves in the form of 200-page questionnaires – or “vendor security assessments” – required by the enterprise organizations. Vendor security assessments typically require input from across an organization, covering everything from training and SOC certifications to security audits to HR standards to “sustainability practices.” Completing them is an arduous, time-consuming, expensive – and recurring – chore.
When faced with these documents, most smaller vendors are forced to choose between two pathways: they either add staff, such as CISOs or CSOs, or they work with expensive consultants to ensure they are operating in lockstep with their corporate clients’ wishes. (There is a third, increasingly common option: simply declining to pursue lucrative corporate contracts.)
Blockchain offers a fourth option: the technology can be used to help small vendors identify and keep pace with all of the requirements corporate clients demand.
In recent months, I’ve been working with Scott Mitchell, chairman of OCEG and founder of Grayframe, a startup that’s exploring the use of blockchain in GRC. Together, we’ve been exploring use cases to determine the feasibility of deploying blockchain to help vendors and corporations improve their working relationships.
So far, our findings confirm blockchain can give vendors an edge: access to a decentralized ledger where internal stakeholders can log compliance updates in real time. Instead of circulating 200-page questionnaires, company execs can record all important events on an immutable ledger. Every new policy that is adopted, each new security upgrade and every certification that is earned can be recorded in real time on a compliance blockchain.
Conversely, corporations can use the same technology to identify their compliance requirements on a public blockchain. Before a vendor even devotes time and manpower to completing an RFP, an executive can consult the ledger, review the compliance requirements of the large enterprise and calculate the cost and feasibility of winning the contract.
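To make the two halves of that idea concrete, here is an added illustration that is not code from Polyient Labs, Grayframe or OCEG: a minimal hash-chained, append-only ledger on which a vendor's stakeholders log compliance events, plus a check that compares those events against an enterprise's published requirement list. The vendor name, event kinds, requirement identifiers and timestamps are all constructed for the demo; a production deployment would add per-entry signatures and a consensus layer, which this example leaves out.

```python
"""Hash-chained compliance ledger with a requirements gap check.

Added example, not Grayframe/Polyient code. Every identifier below
(vendor "Acme", event kinds, requirement ids, timestamps) is constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List

GENESIS_HASH = "0" * 64


def _digest(index: int, timestamp: str, actor: str, kind: str, detail: str, prev_hash: str) -> str:
    # Canonical JSON so identical content always hashes identically.
    payload = json.dumps([index, timestamp, actor, kind, detail, prev_hash],
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class Entry:
    index: int
    timestamp: str   # ISO-8601 string supplied by the caller (constructed here)
    actor: str       # internal stakeholder who logged the event
    kind: str        # "policy_adopted", "security_upgrade", "certification", ...
    detail: str      # identifier of the requirement this event evidences
    prev_hash: str   # hash of the previous entry; links the chain
    hash: str = ""


class ComplianceLedger:
    """Append-only log; every entry commits to the one before it."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, timestamp: str, actor: str, kind: str, detail: str) -> Entry:
        prev = self.entries[-1].hash if self.entries else GENESIS_HASH
        idx = len(self.entries)
        entry = Entry(idx, timestamp, actor, kind, detail, prev)
        entry.hash = _digest(idx, timestamp, actor, kind, detail, prev)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute each hash and link; editing or reordering any past record fails this."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.index != i or e.prev_hash != prev:
                return False
            if e.hash != _digest(e.index, e.timestamp, e.actor, e.kind, e.detail, e.prev_hash):
                return False
            prev = e.hash
        return True


def gap_analysis(requirements: Dict[str, str], ledger: ComplianceLedger) -> List[str]:
    """Return the requirement ids the vendor's ledger does not yet evidence.

    `requirements` maps a requirement id to the event kind that satisfies it.
    An unverifiable ledger is rejected outright rather than partially trusted.
    """
    if not ledger.verify():
        raise ValueError("ledger failed integrity check")
    evidenced = {(e.kind, e.detail) for e in ledger.entries}
    return sorted(rid for rid, kind in requirements.items() if (kind, rid) not in evidenced)


# Constructed requirement list an enterprise might publish (ids are made up).
ENTERPRISE_REQUIREMENTS: Dict[str, str] = {
    "SOC2-TYPE2": "certification",
    "MFA-ALL-STAFF": "security_upgrade",
    "DATA-RETENTION-POLICY": "policy_adopted",
    "PENTEST-ANNUAL": "security_audit",
}


def build_demo_ledger() -> ComplianceLedger:
    """Constructed vendor ledger: three of the four requirements are evidenced."""
    ledger = ComplianceLedger()
    ledger.append("2019-03-01T09:00:00Z", "acme-ciso", "policy_adopted", "DATA-RETENTION-POLICY")
    ledger.append("2019-04-15T14:30:00Z", "acme-it", "security_upgrade", "MFA-ALL-STAFF")
    ledger.append("2019-06-30T17:00:00Z", "acme-ciso", "certification", "SOC2-TYPE2")
    return ledger


if __name__ == "__main__":
    vendor = build_demo_ledger()
    print("chain intact:", vendor.verify())
    print("open gaps:", gap_analysis(ENTERPRISE_REQUIREMENTS, vendor))
    # Tamper with a historical record and show the chain no longer verifies.
    vendor.entries[1].detail = "MFA-ADMINS-ONLY"
    print("chain intact after edit:", vendor.verify())
```

`verify()` proves that no recorded entry was altered or reordered after the fact; it says nothing about whether the attested event actually happened, so the ledger complements, rather than replaces, the audit evidence behind each entry. The gap check is the vendor-side counterpart of consulting the enterprise's published requirements before committing to an RFP.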
Used correctly, blockchain can quickly and accurately identify enterprise requirements, giving vendors the tools they need to complete vendor security assessments and win enterprise contracts.