Choosing the right compliance software is crucial for businesses operating in compliance-intensive environments. There are many options on the market, each varying in flexibility, support, costs and other factors.
In this article, we’ll explain how ISOPro, as an enterprise compliance system, compares to and differs from commercial off-the-shelf compliance software, also known as “COTS”.
Before diving in, it is crucial to understand the fundamental difference between the two software categories.
Enterprise compliance software is computer software designed to meet the needs of an entire organisation, rather than just individual users. It's a key part of information systems, helping with a range of business tasks, like improving reporting, supporting production, and managing back-office operations. These systems usually need to process information quickly.
Enterprise software provides business-focused tools. Since many companies and organisations have similar departments and processes, this software is often offered as a suite of customisable programs. Common uses include managing databases, customer relationships, supply chains, and business processes.
Commercial-off-the-shelf or commercially available off-the-shelf (COTS) software, on the other hand, is packaged or canned (ready-made) hardware or software that is adapted aftermarket to the needs of the purchasing organisation, rather than a custom-made, or bespoke, solution commissioned for it.
COTS compliance software can be a great fit for businesses with relatively standard compliance requirements or in areas where there’s consistency across industries, e.g., WHS incident reporting, investigations, management system reviews, auditing, WHS risk assessments, etc.
This type of software is an ideal option for organisations focusing on simplicity or in their early stages of compliance development. They are also a good fit for organisations that don’t need a lot of compliance management because of the nature of the services they deliver.
ISOPro is enterprise software and offers a fundamentally different approach to compliance than COTS-type solutions; it may not always be the best fit for every business.
Below is a comparison of how we see ISOPro, as enterprise software, differing from COTS offerings.
We’ve tried to be as honest and transparent as possible and hope it will help you make a more informed decision!
In our experience, COTS typically come in one of two “flavours”:
To determine which “flavour” of COTS you’re looking at, a rule-of-thumb test is looking at the company website:
‘Specific’ COTS solutions take a “one-size-fits-all” approach, offering industry-typical solutions. This fits many businesses in their early stages of compliance, or whose requirements are not too specific; however, this may become a constraint further down the track.
As the business’ operational controls evolve and compliance requirements become more organisational and process-specific, teams can no longer adapt their control processes to fit the software’s structure.
‘Configurable’ COTS solutions are typically not flexible enough to manage multi-step operational processes.
Unlike COTS, enterprise systems adapt to clients’ existing operations, not the other way around. While most enterprise systems may have ‘library’ processes available for typical industry best practice, the final configuration will always be to replicate the client’s required processes.
Consequently, ISOPro is not built with pre-defined forms and workflows.
Like many other enterprise systems, we configure the system to suit each client’s required processes. This isn’t limited customisation, but full configurability and alignment with how they already work (or want to work!).
Implementing processes that closely replicate existing ones greatly reduces the impact of change management; yes, the organisation will need to train users in using the system, but everyone will recognise that the process and expected outcomes are largely the same as before. This reduces confusion with users and ensures controlled process change.
In addition, ISOPro’s clients’ system administrators can prepare most future configuration changes themselves, and updates are easy to test and fine-tune and fast for the support team to implement.
This gives clients more control over their processes and no dependency on external developers.
Consider this scenario. An organisation starts off implementing a COTS Incident Management system. Starting from paper, email and Excel, the pre-built system provides immediate relief and allows better understanding of the WHS issues at play.
As the organisation’s compliance framework evolves and its needs become more sophisticated, the pre-built solution, even as it is enhanced and updated, eventually cannot be configured further to support all the incident management needs of the various parts of the business (e.g., different types of incidents needing different investigation methodologies; notification requirements depending on the type of incident; different reporting by business unit, etc.).
The organisation suffers from a sub-optimal solution and administration increases to manually handle the unsupported requirements. This would not be the case with an enterprise system.
COTS solutions are designed to address specific compliance requirements or standardised processes, making them effective at managing their particular aspect of compliance management.
Enterprise GRC software typically, and ISOPro specifically, have the in-built functionality to cover all the high-level components of an enterprise management system’s compliance framework:
With ISOPro, the system modules allow organisations to manage all the requirements of all management systems standards following the ISO High Level Structure.
This allows our clients to manage all their management systems through one integrated platform.
Consider this scenario. An organisation has a COTS Incident Management system. After a while, they decide they need a Document Management System to handle their many documents. Unfortunately, their existing Incident Management COTS does not provide a robust enough Document Management system, so they purchase and implement a COTS Document Management system to meet their specified needs.
As their compliance framework expands and the organisation seeks to improve visibility, responsiveness and productivity, they decide to implement a Monitoring System to handle regular checks like calibration, equipment inspections, workplace inspections, etc.
Neither the Incident Management nor the Document Management systems support their operational requirements. Looking specifically for a flexible system, their internal research indicates that to meet their unique set of control forms and checklists, they need a highly configurable (form-building) COTS. The same thing will happen for internal audits, risk management, training and onboarding…
The organisation now has multiple stand-alone solutions, and administration must increase to handle the consolidation and cross-functional visibility needs. This would not be required with an enterprise system.
COTS compliance software typically offers standardised customer service. These platforms often rely on help centres, FAQs, ticketing systems or chatbots, which can be very effective for self-help and resolving basic queries.
Enterprise systems typically offer customer-centric support with a deep understanding of the client’s operations and organisational structure.
At ISOPro, we provide specialist teams for different industries to workshop and implement the client’s system. We assign a dedicated support team to each client to continue supporting the business after the go-live phase. This may include new configurations as the business’ compliance needs evolve.
Consider this scenario. An organisation runs multiple dedicated COTS; they would like to transfer specific information of their monitoring and quality system to their incident management system, e.g. to track incidents related to missed maintenance or defective equipment.
They would like to transfer information from their “flexible” Monitoring System COTS to their “specific” Incident Management COTS.
This is not going to happen because the two systems are not aligned. Their support teams are automated bots or FAQs and there is no ‘supplier-side’ overall project management. Consequently, the organisation decides to run raw data exports from both systems manually and manually prepare the consolidated cross-functional report. This soon becomes very time-consuming for the expected benefit and is dropped after a few months of nil results.
This would not happen with an enterprise system because the support team handles all the aspects of the compliance system.
Consider this scenario. An organisation runs multiple dedicated COTS; hackers contact the company’s system administrator users, claiming to need information from them to help with a support request that was logged. The user may hand over the information, with disastrous consequences.
This would not easily happen with ISOPro because client system admin users know their ISOPro support team members by name and speak to them via video call and phone on demand.
All COTS systems allow exporting individual records in pre-formatted templates such as PDF; these are typically excellent for internal distribution and management.
Most COTS offer customisable data export features; others allow export via pre-built raw data extracts in .xlsx or .csv and in many cases this is sufficient for reporting.
However, issues typically arise with COTS when looking to export large tranches of data and attachments, and especially when transitioning out of the system. These systems may allow exporting 30 or 90 days of data ‘on demand’, but longer periods, like five years or more of data, are usually not supported. Bulk downloading of attachments can also be problematic.
Enterprise systems typically expect clients to have full access to their own data and attachments for data warehousing and further analysis, hence enterprise systems typically have built-in capability to export data in bulk.
Enterprise systems also typically have well-defined Transition Out processes and guaranteed data cleansing mechanisms to ensure none of your data is left lying on a server in an undefined location after users stop using the service.
ISOPro ensures the clients’ authorised users have full access to all their data at any time. For businesses in highly regulated industries, transparency and data sovereignty are critical, and ISOPro delivers them by default.
Consider this scenario. An organisation runs multiple dedicated COTS; they would like to Transition Out to an enterprise system and export their whole information set, i.e., records, attachments, signature and timestamp logs. This would be extremely challenging due to the fragmented data structures and proprietary formats of many COTS platforms, often resulting in incomplete transfers and significant manual effort.
This would not happen with an enterprise system because most enterprise systems have Transition Out plans (often agreed with the client at implementation), detailed secure data transfer processes and disk scrubbing protocols if applicable.
While most COTS offer manually downloadable data exports via pre-built raw data extracts in .xlsx or .csv, which is usually sufficient for reporting, they don’t usually offer automated data transfer options via SFTP or email.
Enterprise systems, like ISOPro, normally include automated data transfer options (both data import and export), such as SFTP and email-based syncing. This allows enterprise clients to migrate even complex data between ERP and HR/Payroll systems seamlessly.
Consider this scenario. An organisation runs a dedicated Incident Management COTS; they would like to implement a data warehouse with business intelligence software (e.g., PowerBI) to run long-term statistical analysis. They request to export their 6 years of historical data with timestamps and then send new records to their data warehouse automatically each week via email or SFTP. This can be challenging due to the limited historical export ranges and rigid data formats of COTS platforms.
Consider this scenario. An organisation runs a dedicated Quality Management COTS separate from their manufacturing ERP system. They would like to import, from the ERP system, product information and purchase order line-item details daily into the COTS to handle inbound product receiving quality controls. In addition, they want to export any inbound non-conformance details to the ERP system for each event in near real-time.
This can easily be set up in ISOPro through an automated data interchange for both the daily imports as well as the real-time export via email or SFTP (or different data sets via different processes).
There are many good Australian COTS, and while their data hosting may be local, their lower price point (and the free accounts many of them offer) means their development, testing and support teams may sit in less expensive parts of the world.
Costs may compel commercial off-the-shelf software businesses to have offshore operations (such as support) with access to client data well outside Australian jurisdiction. Furthermore, there’s little visibility about what’s done in-house and what’s contracted out, to whom, and what’s local and what’s overseas.
In contrast, enterprise systems (ISOPro excepted) are almost without exception overseas-owned, so while the code base is not local (and development and testing are done overseas), client configuration is usually handled by configuration / implementation companies, which can be local if the software is supported locally.
Many international enterprise software companies offer Australian hosting (Azure, AWS, Google Cloud, etc.) as an option as well.
ISOPro, on the other hand, is a uniquely Australian enterprise GRC software and company. We are based in Sydney and all development, testing, hosting and support happen in-house and in Australia.
Not sure if an enterprise system like ISOPro or a commercial off-the-shelf (COTS) compliance software is the best fit for you? If you’re unsure where to start looking for a system, consider the situation two to four years down the track. As your compliance requirements become more sophisticated and cover more areas, as pressure to get more done with fewer resources increases, and as clients and top management dig deeper into compliance data to find value, COTS solutions may eventually feel like thousands of paper cuts.
In addition, software poses both change management and implementation risks; more software, more risks. Caveat emptor!
If you’re using COTS software within your compliance framework and are considering a more comprehensive solution, take our 2-minute Compliance Health Check. It’s free, quick and easy, and will help you understand if ISOPro (or an enterprise-style solution) can help you save valuable time.
Let’s discuss how ISOPro can automate your compliance administration. Get in touch today!
Co-Founder / CEO