Creating a Compliance Management Culture

Now is the time for CIOs and IT administrators to get ready for the oncoming flood of regulations washing their way. Creating the right processes and architectures will make that flood easier to deal with.
Posted September 27, 2004

Steve Ulfelder

Technology managers need to understand that they can't rest after ensuring their companies comply with Section 404 of the Sarbanes-Oxley Act. Like it or not, the flood of regulations has only just begun.

Industry, state, federal and international regulations related to IT will multiply over the next few years, industry analysts say. That means it's vital that CIOs and other technology leaders create processes and architectures that make it easier to comply with new regulations.

The good news is that most enterprises already possess the technology needed to meet this new challenge.

''A lot of the pieces are already in place for companies that have invested in ERP [enterprise resource planning] and content or document management software,'' says Stan Lepeak, an analyst at Stamford, Conn.-based research firm Meta Group. ''When you get down to it, most of these new regulations are about increasing visibility into operating processes and maintaining control over your data. There are a lot of tools that can help do that, but as of now, they're not fully deployed.''

Additionally, a compliance-friendly enterprise tends to be one that is well run, experts say. And because improving compliance-readiness is such a technology-intensive job, it is ''in many respects an opportunity for IT,'' according to Joe Rizzo, a principal with Deloitte Consulting's CIO Advisory Services group.

''Companies shouldn't merely comply with new regulations -- they should use them for business improvement,'' Rizzo says. As examples, he cites some Sarbanes-Oxley requirements, such as those addressing access control. Sarbanes-Oxley mandates that enterprise software developers cannot have access to production systems, so that applications under development cannot be slipped into production before they're fully tested. ''That's just good business practice,'' Rizzo says.

The problem is that far too many businesses lacked such a policy until they were forced to adopt it.

These benefits are persuasive, but there is a significant drawback inherent in creating a compliance culture: expense.

The processes and technologies that surround compliance tend to spawn ''meta-data'' -- that is, information about information -- that, by its very nature, adds complexity. ''Compliance creates inefficiencies. There's no way around it,'' says Ann Senn, who is the global leader in Deloitte's CIO Advisory Services group. According to Senn, it's vitally important that CIOs and IT managers prepare their company's business officers to face the additional expenses that all enterprises will face in the era of compliance.

''All these compliance issues are becoming a cost of doing business,'' Senn says. And it's up to IT to broadcast that message so the company is willing to make the needed investment.

Expensive Teams

To date, many businesses have met the requirements of Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA) and other regulations by creating task forces composed of valuable professionals -- from both IT and business -- who drop everything for several months and pull all-nighters. These teams are often augmented by consultants, further driving up the cost of compliance.

But with regulatory pressure expected to increase, it makes sense to institute a compliance management culture.

The price enterprises have paid for Sarbanes-Oxley underscores this. According to industry group Financial Executives International, the average compliance cost for large companies is $4.6 million. Additionally, when the Business Roundtable surveyed 150 CEOs, half said their compliance costs will range from $1 million to $5 million.

It is untenable to face this type of expense each time a new regulation is rolled out. And make no mistake, they will continue to roll. In addition to HIPAA and Sarbanes-Oxley, here's a sampling of regulations facing many companies, depending on where they do business and their industry:

  • The USA PATRIOT Act is a broad set of anti-terrorism regulations that require financial services and insurance companies to gather information on customers and flag suspicious transactions;
  • Basel II creates international guidelines (set to take effect in 2006) that will make sure banks have a sound risk-management strategy;
  • The Gramm-Leach-Bliley Act compels U.S. financial institutions to improve the security and confidentiality of customers' personal information;
  • California Senate Bill 1386 requires that when confidential information about a California resident is potentially compromised by computer errors or crime, the resident must be notified;
  • SEC Rules 17a-3 and 17a-4 are Securities and Exchange Commission rules setting information-retention policies for brokers and dealers. All transaction-related data must be retained for three years.

That's why AMR Research Inc., Gartner Inc. and other industry analysts are urging businesses to leverage the lessons of Sarbanes-Oxley and HIPAA to meet future regulations.

According to Stamford, Conn.-based Gartner, publicly held companies that adopt a comprehensive compliance management architecture can save 50 percent a year on regulatory expenses. Moreover, a documented, repeatable compliance strategy offers a competitive edge -- enterprises that are set up to act quickly when new regulations crop up will have a leg up on those that are not.

Unfortunately, IT organizations may face an uphill battle when they attempt to serve as compliance leaders for the business. ''A lot of corporations assume regulatory compliance is an issue for the finance and external audit [groups],'' says Lane Leskala, a Gartner analyst. If a proactive CIO makes an effort to play a leadership role, finance says to IT, 'you'll get involved when we say you'll get involved.' That's a critical mistake, Leskala adds. ''This is an IT issue automatically.''

The bottom line is that the flood of technology-related regulation -- from state, federal, industry and international bodies -- will grow for the foreseeable future. Businesses can either react with panic to each piece of regulation, or create a culture and set of processes that allow them to easily absorb fresh regulations. The latter approach, while challenging for the IT group, is far preferable in the long run.
