COMPLIONS-GRC IS LOOKING FOR PARTNERS WHO WANT THE CUSTOMER TO BE IN CONTROL
In this issue of ChannelConnect, security and the AVG/GDPR are central. The first is in the trusted hands of suppliers with, as a rule, a long track record. The second is remarkably often picked up by companies that have been active for a shorter period of time. An exception to the latter is CompLions-GRC from Deventer. The board of directors, Ron Boscu and Frans Broekhof, discussed this special position and, of course, the company’s own services.
Co-founder and current sales director Ron Boscu starts the conversation and goes back in time. “In 2005, I was jointly responsible for three data centres. At that time, the first questions came from customers who wanted to know whether we had done our job properly. It was specifically about information security and quality. These customers also indicated that they no longer wanted to see this laid down in contracts and SLAs. They wanted to be sure that the contractor had done everything, objectively measured. In other words, they asked for certifications.” Governments, enterprises and the healthcare sector were the first to ask for certification. Boscu foresaw that this trend would continue. After all, even smaller organisations, such as data centres, are often essential links in value chains and would sooner or later have to deal with the same demands.
Boscu also describes how the certification and audit processes went at that time. It was almost exclusively the business of the large consultancy firms, which applied enterprise rates to companies that were strictly speaking too small for them and had no alternative. Another problem was that these consultants did little to give the companies the knowledge and resources they needed. Although there was tooling, software that could be used to describe and control the processes, it was only available to the auditors.
START OF COMPLIONS
This practical experience and, as he says, frustration made Boscu decide to develop his own tooling, specifically intended for SMEs and SME+. CompLions was founded in 2008. The requirements that the tooling had to meet were clear. Boscu: “Our vision and mission were expressed in the slogan, to be delivered on the basis of the ‘fixed price & fixed date’ principle. This was linked to the promise not to create a vendor lock-in or other dependency. We were going to teach people how to fish instead of giving them a fish every time.”
CompLions thus became the first provider in the Netherlands of such GRC (Governance, Risk and Compliancy) tooling, developed for SME and SME+ entrepreneurs. With this tooling, entrepreneurs not only get optimal insight into whether they meet the requirements for, for example, quality and information security. It also makes continuous quality improvement according to the PDCA cycle (Plan, Do, Check, Act) a lot easier to implement. Furthermore, periodic audits by third parties take less time and therefore cost less, because what is relevant for a large number of certifications and other quality requirements (in addition to ISO and NEN, also BIG and ISAE 3402, among others) is recorded permanently and uniformly.
GOVERNANCE RISK AND COMPLIANCY MADE EASY
The company’s slogan, ‘Governance Risk and Compliancy made easy’, turned out to be a bull’s-eye and its success did not go unnoticed. In 2015, a larger consultancy organisation made an offer for CompLions. As a result, the consultancy branch was sold in 2016 and software development was given full focus. Boscu: “We now had a good reputation in the market and a growing number of customers. People who had worked with it and had changed employer asked us if they could purchase the service without further support. After all, they already had the experience and knew how easy it was to use.” That powerful signal confirmed to CompLions that it had to remain a software developer. For support and implementations, it relied on cooperation with external partners.
In 2017 the company made a new start and Frans Broekhof came on board as CEO. Broekhof, who had already earned his spurs at many other companies, explains why he took this step. “It all started out of pure interest, but it soon became clear that this is a very nice company with interesting services and enormous potential.” Although CompLions has focused on SMEs and SME+ from the start, other sectors and segments are now also adopting the services. Governments, care institutions and enterprises are convinced of the advantages and are now part of the customer base. They choose CompLions-GRC because they notice that periodic audits are actually not sufficient. These snapshots are not suitable for demonstrating that an organisation is permanently in control. The traditional way of working, involving external parties and having reports drawn up, is felt to be too slow, too rigid and too expensive. “If you know that this is happening in the boardrooms and you see what the track record of CompLions-GRC is, then you also understand why I am enthusiastic about this company. We have a huge market ahead of us and then there is the AVG/GDPR that everyone has to meet by 25 May 2018.”
AVG/GDPR FROM HASSLE TO CONVENIENCE
“The AVG/GDPR means that everyone must be able to see what concrete measures have been taken to comply with the regulation,” says Boscu. “However, it is not just a snapshot. There must be a complete overview, i.e. the creation of a file. This is, of course, possible with our GRC tooling and it is integrated. This is due to our ‘Map Once, Comply to Many’ approach. Everything you have done, for example, to comply with the current ISO27001 certification requirements, which is also relevant to the AVG/GDPR, is immediately shown in our tooling. It shows why you are better off with tooling than with the traditional methods, in which a new certification expert and then an auditor have to visit for each process. Becoming AVG/GDPR compliant with our tooling means no more hassle and duplication but convenience.”
The CompLions-GRC tooling is offered as a SaaS solution, and for organisations that cannot work from the cloud there is an on-premises variant. The SaaS solution is most in demand. All the data that the customer needs to show that it meets the AVG/GDPR requirements is therefore held externally. Of course, this raises the question of how the customer can be sure of always having access to it. Broekhof: “We have invested a lot of time in this and have come up with a solution that is unique for the sector. A separate foundation has been set up in which the management of CompLions-GRC does not participate. In the unlikely event of a major incident as a result of which CompLions-GRC is no longer approachable, the foundation will take over the work immediately and thus guarantee the continuity of the service.” This so-called Escrow agreement is arranged with the clients under a separate contract. It gives them the guarantee that they can always access the data and the application, which is important for complying with the AVG/GDPR and other legal requirements based on the reversed burden of proof.
According to Boscu, attention to continuity cannot be dissociated from attention to one’s own quality. “The Escrow arrangement may seem like something that will particularly appeal to enterprise and government clients. However, that is not why we have taken this step. We simply want to be the best provider in the Netherlands with our tooling and services.” That is why, from the start, the company has made the Certificate of Good Behaviour (Verklaring Omtrent het Gedrag, VOG) mandatory for all employees. Furthermore, the application is fully developed and managed in the Netherlands. The data is stored in Dutch data centres, which of course comply with all relevant certifications. Last but not least, CompLions-GRC itself is of course also ISO27001 certified.
CompLions-GRC has formulated a number of objectives for the coming period. Broekhof: “It is our ambition to serve more customers, without compromising on high quality. We are looking for extra partners who are looking for new business and understand that the AVG/GDPR offers a unique momentum to expand their services. We are looking at four types of companies: accountancy firms, legal service providers, consultants and IT companies.” In Broekhof’s words, what CompLions-GRC offers them is the necessary contents of the toolkit to meet the requirements that an auditor, and in the case of the AVG/GDPR the AP (the Dutch data protection authority), sets for reports and insights.
Broekhof: “We recently commissioned research into the range of AVG/GDPR solutions to be presented to the Dutch market. This gave us a picture of a complete tangle of partial solutions and many vendor-lock-ins. CompLions-GRC has emerged as one of the few providers in this market with a transparent service that is geared to maximum integration and clarity. We also score well because our tooling allows the customer to build and retain knowledge himself.”
Boscu and Broekhof invite service providers who also want their customers to be ‘in control’, and are therefore looking for solid, clear tooling, to come and get acquainted with CompLions-GRC. Thanks to the ‘Map Once, Comply to Many’ approach, unique experience and extensive sectoral knowledge, the GRC tooling offers unprecedented integration possibilities and efficiency improvements. This is what an increasing part of the market is asking for, and it is where there are great business opportunities for partners.
Streamer: ‘We teach people how to fish instead of giving them a fish every time’.
Streamer: ‘Governments, care institutions and enterprises are also convinced of the advantages and belong to the clientele’.
Streamer: ‘Periodic audits lose value’.
Streamer: ‘Our tooling prevents duplication of effort’.
Streamer: ‘An Escrow Agreement has been concluded with the customers for each separate contract’.
Streamer: ‘CompLions-GRC is of course also ISO27001 certified’.
Streamer: ‘AVG/GDPR offers a unique opportunity to expand their services’.