The Death of the Compliance Calendar

From Documentation to Continuous Proof
For decades, compliance has been managed by the calendar. Annual audits, quarterly reviews, periodic attestations, scheduled assessments, point-in-time certifications, and recurring evidence requests have shaped how organizations understand whether they are compliant, controlled, resilient, and trustworthy. The compliance calendar became the operating rhythm of governance, risk management, and compliance (GRC). It told people when to gather documentation, when to test controls, when to complete questionnaires, when to update policies, when to review access, when to certify obligations, and when to prepare for the auditor.
The problem is that the calendar was never designed for the velocity of modern business.
Point-in-time compliance assumes the organization can periodically pause, collect evidence, review activity, and determine whether controls were operating effectively during a defined window. That model may have been workable when business change was slower, technology environments were simpler, third-party ecosystems were smaller, and regulatory expectations were more stable. It is structurally broken in today’s organization.
Compliance risk does not wait for the annual audit. Regulatory change does not wait for the next compliance review. Cyber threats do not wait for quarterly testing. Third-party failure does not wait for the next vendor assessment. Access privileges, configurations, exceptions, policies, controls, incidents, and obligations change constantly. Yet many compliance programs still operate as though assurance is meaningfully achieved through periodic evidence collection and retrospective documentation.
This is the death of the compliance calendar. Not because . . .
[The rest of this blog can be read on the Strike Graph blog, where GRC 20/20’s Michael Rasmussen is a Guest Blogger]
