How to Ensure Compliance with Risk Management Standards

  • View profile for Allison Giddens

    President, Operations (SMB Manufacturing) | Community Volunteer | Humorist

    Each Monday in July, I’m going to throw out an idea to small businesses in the #DIB who may feel like although CMMC is on the horizon, it’s still overwhelming. I hope these Mondays in July help to reframe things in manageable, realistic bites that are value-added to your cybersecurity and compliance efforts.

    🧠 Bite 3 of 4: Set Reminders Without Buying More Software

    Use what you’ve got! Get organized and set reminders for periodic CMMC tasks.

    You don’t need a fancy GRC tool to start building a security habit. Use your existing software to set recurring reminders for these essential CMMC-related tasks:

    Use Outlook, Google Calendar, Teams, or something like Unipoint/Quality Toolkit or software your shop uses to issue tickets and reminders for calibrations and maintenance. (If you have something you already use and like, feel free to share in the comments. GRC tools for the sake of GRC tools will be deleted.)

    Do you ever wake up in the middle of the night with things going through your head, and you need to write them down in order to get back to sleep? Consider this kind of like that. If you can get organized and automate certain tasks, you can focus on prioritizing what's next.

    🔁 Weekly / Biweekly
    · Review security logs and alerts
    · Run antivirus scans / verify endpoint protections are up-to-date
    · Confirm backups completed successfully and are restorable

    📅 Monthly
    · Conduct internal account reviews (disable stale accounts)
    · Validate software patching status across devices
    · Check if your asset inventory (hardware/software) needs updating

    🧾 Quarterly
    · Check/update data flow diagrams
    · Review incident response procedures with your team
    · Run a phishing test or basic cybersecurity awareness check
    · Assess vendor access or software/service compliance (FCI/CUI exposure)

    🧠 Annually
    · Review and update policies and procedures
    · Conduct a mock incident response tabletop exercise
    · Perform a risk assessment or gap analysis
    · Review training logs and retrain as needed

  • View profile for Harsh Thakkar

    CEO and Founder at Qualtivate | Quality, IT, GxP Compliance, CSV, AI/ML and Data Integrity Consulting for Life Sciences

    Quality Management and Compliance Consulting 101

    In the past decade, I have worked extensively in quality assurance consulting with life science companies, helping them achieve regulatory excellence. And I use the same 5 techniques every time:

    Technique #1: Regulatory Gap Analysis

    How it works:
    • Assessment of current processes and procedures
    • Compare existing practices with regulatory requirements
    • Develop an action plan to address identified gaps

    This systematic technique allows you to align your operations with regulatory standards and mitigate compliance risks.

    -----

    Technique #2: Document Control Optimization

    How it works:
    • Improve document management processes/systems
    • Implement version control and document writing guides
    • Properly approve, distribute, and archive documents

    Quick note: Don't overlook the importance of document management. It's the easiest technique and often the most neglected. You'll thank me later if you set the ground rules from the start.

    -----

    Technique #3: Training and Competency Development

    How it works:
    • Determine job-related and regulatory training needs
    • Create targeted training programs and materials
    • Develop a competency assessment framework for employees (NOT a quiz with 3 attempts! 🤣)

    Invest in training. Your employees will be more productive, compliance awareness will be increased, and quality will be fostered.

    -----

    Technique #4: Risk Management Implementation

    How it works:
    • Identify potential risks and hazards within your processes
    • Assess the likelihood and impact of each risk
    • Implement proactive controls + risk mitigation strategies

    Risk management minimizes quality incidents, ensures patient safety, and meets regulatory requirements. Don't go overboard with risk assessments. Be practical with the best information you have at the time. Get over the idea that you can 100% eliminate all risks.

    -----

    Technique #5: Continuous Improvement Initiatives

    How it works:
    • Inspire continuous improvement and innovation
    • Make QA projects more engaging for employees
    • Keep an eye on KPIs and take action when necessary

    Continuous improvement will enhance operational excellence, resource utilization, and customer satisfaction.

    -----

    That’s it! Here's a recap of the 5 techniques:

    1- Regulatory Gap Analysis
    2- Document Control Optimization
    3- Training and Competency Development
    4- Risk Management Implementation
    5- Continuous Improvement

    Let me know which one of these techniques you found most helpful in the comments. Happy to do another post going into more depth on whichever technique you find most interesting.

  • View profile for Bryan Haywood

    Chief Safety Engineer at Safety Engineering (SAFTENG) with a specialty in all things Process Safety (e.g., SMS, Hazardous Materials, Emergency Response, Auditing, Training, & Safe Work Practices)

    Maybe it’s my age, but I have grown tired of organizations that proclaim their dedication to safety and yet they have no desire to put in place a formal and measurable SAFETY PROCESS/SMS that INVOLVES the men and women we work to protect. It is not rocket science, it is the most basic and PROVEN model to reduce risks to the men and women doing the dirty and dangerous work…

    1) Hazard Identification - establish standards for the physical workplace. OSHA is a great starting point. TRAIN personnel at ALL levels of the organization to be able to IDENTIFY deviations from those standards (e.g. hazards) and BEGIN LOOKING for these deviations.

    2) Analyze those Hazards using a recognized methodology. In most workplaces, a JSA/JHA can be a great starting point. But TRAIN those who will be facilitating these hazard analyses to ensure a level of quality that will drive excellence.

    3) Assess the Risk those hazards pose to the workforce, the business, and the environment. This will put the risks into perspective so we can allocate resources where they are most needed. But again, TRAIN those who will be facilitating the risk assessments to ensure a level of quality that will paint an accurate picture of the risks.

    4) Mitigate the risk down to an acceptable level - we use the Hierarchy of Controls when doing this. TRAIN those who will be formulating, managing and implementing the corrective action plans (CAPS) that come from this process so as to ensure timely resolutions of REAL management system fixes related to the hazards and risks identified.

    Rinse and Repeat with as many workers as possible… this is the path to World-Class Safety.
