Pre-IPO Service Providers: Compliance as growth accelerator? Really?

Yes. Really. For many company founders, compliance is a costly, time-consuming distraction from their core business. Avoiding, deferring, and minimizing the part of their business subject to regulation until regulators are knocking on their door tends to be their preferred strategy. And, when businesses are not yet profitable or funding is provided for a 12-18 month time horizon, compliance is a low priority. Many B2B privately owned service providers, however, are finding that compliance can become a critical and sometimes necessary part of their growth strategy even before thoughts of an IPO surface.

Compliance as growth accelerator has three primary drivers: growth, competitive advantage, and its role as a catalyst for organizational change.


Growth

Customers are relying more and more on service providers for a wide array of products and services and, as a result, are transferring their compliance obligations to these service providers. Federal and state governments require FedRAMP and CJIS compliance, respectively, before they are willing to consider a service provider. Microsoft responded by building a discrete data center that is fully compliant with government regulations. HIPAA is a barrier to entry for healthcare. Online credit card transactions are subject to PCI. If you do business with a financial services company, they will transfer some of their FDIC, FFIEC, and SEC requirements to the service provider.

Building a new data center or being fully compliant with all of your customers’ regulations isn’t required for all companies. Clearly understanding your product marketing roadmap and the associated compliance requirements, however, is critical to an accelerated growth plan, because it lets you remove those obstacles to growth in advance.

Competitive Advantage

Customer trust is one of the most important aspects of a customer’s decision to buy a product or service, particularly in an environment where the buyer is relying on the service provider to host data or provide critical infrastructure support. Buyers have limited capacity to understand the inner workings of your company before buying. They are looking for efficient ways to compare you to your competitors and give their senior management confidence that you will keep their business secure. Certifications are a fast way for a buyer to gain confidence that the service provider is paying attention to confidentiality, integrity, availability, security, and privacy. A SOC 2 report is the most common certification provided to customers. And, depending upon your target market, the ability to promise that your product meets EU Safe Harbor, ISO 27001, FERPA, or other standards may tip the balance in your company’s favor.

Catalyst for Organizational Change

When a start-up reaches about 200-300 people, spans of control become stretched, and process and control differences between locations and groups become more apparent. At this stage, most companies have hired or have some core expertise in security and privacy, be it a defined information security manager, privacy legal expert, and/or a security-savvy engineering team. Your company may have experienced a security breach and your Board is demanding better security. Regardless, the need for some increased process and control consistency is important to setting up the finance and technology infrastructure for growth. For some companies, going through a SOC 2 readiness effort, introducing the company to ISO 27001 standards, or introducing the organization to a Pre-IPO SOX assessment can be the trigger to align the organization around common standards, gaps, and priorities for addressing them.

Efficiently capturing compliance benefits at the right time to support your company’s growth without creating burdensome overhead requires a right-sized, flexible approach to your compliance needs. A successful approach requires understanding which combination of the above three drivers is most important to your organization, what your time horizon is, and then applying a flexible and harmonized compliance strategy to your organization. For example, a SOC 2 assessment and certification may help smaller organizations with a short- to mid-term timeframe satisfy the minimum standards for customers, and drive enhanced control standards into existing organizational processes. Conversely, larger, more mature organizations may benefit from a more comprehensive strategy that involves a harmonized control framework and an ongoing audit readiness program. Accretive Solutions believes that the right solution for companies of any size is one that incorporates compliance activities into existing organizational processes, that is part of the overall growth strategy, and that is scalable to the growth of the organization.

Susanne Elizer (Practice Director)