The 5 Pillars of Modern Regulated Business

Modern businesses are more regulated today than they have ever been, and despite political campaign speeches in both the US and Europe, there seems to be little change in the landscape for as far as the eye can see. What’s more, the regulation is reaching ever smaller organisations, which today face a burden that at the turn of the millennium was borne by organisations several times their size.

For those operating in the highly-regulated sectors of Financial Services, Law, and Pharmaceuticals, I believe that there are 5 pillars that every organisation needs to be addressing:


Cost is something all businesses must be aware of, but since 2008 many businesses, particularly in the highly-regulated sectors, have focused on it more than they did previously; efficiency became the buzzword, and the mantra. The IT leaders that Fifth Step often works with were being asked to create strategies for sweating assets and delivering projects that increased the efficiency of their organisations.

This has also encouraged some firms to make changes based on cost; for example, some businesses have moved to cloud services rather than

Whilst there are some exceptions in the market (those who are looking to implement, or who already have implemented, innovation programmes and above-usual levels of R&D), most of the pack is not wandering far from the cost-conscious, efficiency-focused path that it has been on for the last few years.

Organisations that are thriving in this area are able to focus their resources effectively and efficiently, and to evidence that they are doing so. They are also adept at cost- and efficiency-orientated innovation, finding new and better ways of performing business processes, whether those are internally or externally focused.


The implementation and monitoring of controls is a major part of many organisations’ processing today. Most organisations have developed good controls, but some still have a way to go before they can evidence that they are doing quite as well as they are.

The regulatory burden instilled by regulation such as the Sarbanes Oxley Act has had a big impact on the way that organisations think about control within their businesses in comparison to those from even 20 years ago.

What the organisations that are starting to move into the post-control era are doing is implementing automated controls, making the controls they need to adhere to, whether as part of their operating or regulatory requirements, simply the way that they do business. This requires systems to be closely aligned with the business processes and control requirements, and the ability to change these linkages must be designed in from the beginning so that the organisation can adapt to future changes.


Regulation and compliance are a major part of running any business, but if your business happens to be in a highly-regulated sector such as financial services, law or pharma, and particularly if you operate internationally, you could be forgiven for thinking that regions are taking it in turns to increase the regulation that you face. In many organisations, it is becoming a full-time role just to understand what regulation is in the pipeline and how it will affect the organisation.

Organisations that are dealing with this most effectively are those that are creating a compliance framework and implementing the requirements for multiple regions, reusing and adapting controls that have already been implemented in one region for use in another.

Interestingly, regulators seem to have become more adept at copying or building upon what has been done elsewhere, and whilst many regions won’t copy exactly, if even parts of the requirements are the same it can save a great deal of time in implementation, monitoring and ensuring compliance.


There is nothing more constant than the need for change. Businesses around the world are adapting to changing conditions, creating new products, and evolving to become part of the 4th Industrial Revolution. This, combined with the sheer volume of change, is forcing businesses to look for more efficient ways of implementing change, but what does efficiency in change look like?

Efficiency in change is very much about being able to implement what you plan to implement, within the timescale and for the agreed budget, and at the end of it realising the planned benefits. Organisations that are more successful at this share some common practices. These include:

Implementing Project Governance

Whilst this sounds very officious, it is a means of examining projects and approving those that are most closely aligned with the organisation’s strategic objectives and are going to deliver the greatest benefits for the resources used.

Implementing a Project Methodology

The choice of standard or methodology matters less than having one. Having a standard provides a common lexicon and process around projects that everyone can understand. It ensures that projects are managed to the same standard and in a similar way, meaning that they can be measured in a similar way, and should a project require a change of project manager, the new PM doesn’t have a learning curve to understand how the project has been managed before getting on with the job.

Recognising Troubled Projects

Organisations that recognise when a project is getting into trouble are more likely to do something about it, and are more likely to ensure that the project is given the help needed to realise the benefits as planned. Organisations that recognise when they need outside help to bring troubled projects back on track also benefit more.


Only a few years ago cyber was one of those things that companies knew was important but didn’t really see the need to act on. Several high-profile cases (Sony, Target and TalkTalk, to name some of the more prominent ones) have raised the topic up to the board, with boards still asking simple questions of their people, seeking reassurance that their company isn’t going to be the next one with its name in lights, or facing the press and the cameras.

Organisations that have got, or are getting, their house in order have done these things:

Cybersecurity Assessment

If you don’t know where you are, then you don’t know how far you are from your destination. Undertaking a cybersecurity assessment is just common sense.

Implement a Common Framework

There are many common frameworks, from COBIT, through NIST and Cyber Essentials, and on to ISO 27001. As with the project management framework, organisations get a massive benefit from having a framework in place, but the real benefit comes from the way that the framework ensures that things are not missed.

Implement an Incident Response Plan

If there is one thing that every organisation should have, it is an incident response plan; it’s the equivalent of a modern fire evacuation test.

The number of fire-related deaths in New York City reached an all-time low in 2016 of only 48 people. In 1916 (when records began) there were almost 3 times that number of deaths, despite the population of New York City being only 5m people in comparison to over 8.5m people in 2016. If the number of deaths per million had remained at the 1916 level through to 2016, it would have risen to 248 per year. So, what brought about the change, and what is the relevance to desktop resiliency testing?

The reduction achieved in New York can, at a high level, be attributed to 2 things: firstly, learning lessons and making improvements, and secondly, raising awareness. The NY Fire Department is very good at studying the lessons that can be learnt from fires, with many of the recommendations it makes leading directly to changes in the city’s building codes, to changes in the way that the NYFD works, and to the safety of the buildings built in the city. As part of that same building code, every building must now have fire sprinklers and fire alarms, and every building must raise awareness of fire safety by performing regular fire alarm and evacuation tests.

In my opinion, well-practised incident response plans provide the same protection as fire alarm tests: everyone knows what they need to do and where they need to be, nothing is left to chance, and everyone is working hard to get the business back to operational normality.

Darren Wray