Cyber risk leader Quod Orbis launches inaugural report into the compliance capability of UK businesses


Quod Orbis, a leader in cyber security and Continuous Controls Monitoring (CCM), today launched its inaugural report into the compliance capability of UK businesses.  Drawing upon research that spans senior IT decision-makers at UK businesses of more than 1,000 employees, drawn from a range of sectors, Quod Orbis warned businesses that ignorance of their current compliance capability could lead to costly mistakes.

The current state and scope of compliance capabilities

42% of businesses claim that they have a dedicated in-house compliance capability with direct access to all necessary data and systems. A further 26% use in-house teams that consult with other departments for this data. Regardless of access, just 14% maintain continual compliance readiness. More than half (52%) would characterise compliance processes as manual and fragmented.

48% track the cost of the compliance team acquiring data from other departments, with 42% worried about the time spent processing or formatting data to make it usable. Just under a third of respondents (30%) monitor the time spent by other departments preparing data for compliance, and a further 30% track the time spent checking the veracity of internal data.

When it comes to the scope of these activities throughout the business, 15% of businesses reported that they need to access more than 90% of their technology for compliance purposes. A further 37% said they needed to access between 70 and 90% of the estate, a quarter of businesses said they needed to access between 50 and 70%.

16% of respondents felt they needed to access less than half the estate to achieve compliance.

The current spurs and snags for compliance capabilities

47% of respondents report a general level of ignorance of key risk indicators throughout the business. When it comes to the reasons behind compliance activity, an active risk reduction strategy was the clear leader. However, validation of security controls was the second biggest driver, with 60% identifying it as the main motivation, reflecting the increased link between compliance and security.

When asked about the barriers to improving compliance capability, 28% cited the fear of embracing new processes.  This was the top obstacle overall, related to the additional 23% that identified attachment to the time and effort invested in developing the existing processes.  A lack of senior management sponsorship of new initiatives by a further 27%. The biggest technological issue reported was the inability of solutions to access all necessary data and systems, identified by 25% as a barrier.

“There is a worrying air to these figures,” said Martin Greenfield, CEO, Quod Orbis (pictured right).  “Firstly, despite decent numbers of businesses investing in dedicated compliance teams, they do not seem to be able to deliver continual readiness. Secondly, they don’t have the visibility and insight into the full technology estate to deliver high levels of confidence to the board, even though compliance teams are clearly being tasked risk reduction and ensuring cyber security controls are up to scratch.”

“The traditional fear of new processes is clearly playing a part, but we can address the misunderstandings around the possibilities of modern technology to deliver better compliance.  Systems do exist that provide more accurate insight, connected to all data sources and frameworks, delivering comprehensive insight into the compliance posture of an entire business.”

‘A delicate poise: The compliance capability of UK businesses’ is available for download here