Is it time to stop worrying about compliance?

Possibly you think the suggestion is stupid – in which case you’re probably a City IT executive; an outrage – which marks you down as a supplier (how did you get on the mailing list?); or as yesterday’s news – which means you are a mainstream CIO who’s already moved on to the next issue.

Though it’s way too early to start talking of a backlash, compliance is beginning to be a bit of a stale agenda item. The reason is that some of us are beginning to wonder if there’s been just a bit of overkill in the labelling of every software and storage solution as a must-buy because it helps in the compliance battle.

Where the truth lies

What does the evidence suggest? There is material to back up all three attitudes. It’s always been financial folks most affected by compliance, as they are the most heavily regulated industry sector, quite rightly.

A March 2006 Freeform Dynamics study of City IT types found that almost nine out of 10 IT directors working in the financial services sector confirm that complying with regulatory requirements is crucial to their business.

But then they were doing all that anyway. As a CIO at a major high street bank told me recently: “Sarbanes-Oxley will be live this year, that’s a no-choice issue – Markets in Financial Instruments Directive is hot but still moving around a bit, Basel II is there too of course.

Fine – but in some parts of the City there is resentment that we are being asked to fix things that don’t need fixing as we already work in a very compliant culture.”


How about the rest of the market? MIS UK of course has its own poll of IT directors’ concerns, which informs a large amount of editorial content and direction. It placed compliance a rather low eighth in the top ten, and other surveys of the IT user community confirm that compliance is far from being the number one area of concern.

A global March 2006 poll by the IT Governance Institute of 700 senior managers in 22 countries put staffing problems and operational incidents as CIOs’ top two IT headaches, well ahead of compliance and security headaches.

That leaves one group in our picture, the suppliers. MIS UK never quotes vendors, but we talk to them enough to know that for some, the last three years have been a Sarbanes-Oxley, Freedom of Information and Basel II bandwagon.

No responsible IT professional would cavalierly dismiss the legitimate business concerns of his colleagues and boards, but some perspective is needed. There is, for a start, no such thing as Sarbanes-Oxley in a box. Implementing another technology layer is not what the architects of investor-protecting legislation had in mind.

Real compliance

Compliance is instead a constellation of people, processes and technology, not just a storage, ILM, document or email management issue, and it’s a bit disingenuous for our friends in the supplier community to suggest that it is. They do so because it’s basically the only game in town. One US website claims complying with government regulations costs the US economy $1.4 trillion, or 15 per cent of the entire nation’s gross domestic product.

In 2004 analysts AMR predicted a $5.5 billion price tag just for that year for firms to meet Sarbanes-Oxley, mainly due to specifications about how public companies must disclose their financial information. Of that $5.5bn, $1bn was IT cost.

Compliance is really good news for the taxman, the lawyers and the suppliers. Doesn’t that suggest it might not be good for you?

So be compliant but don’t spend your entire IT budget on this one thing – and if you are, shouldn’t you already be in jail?