Ignoring the need to keep pace with legislation can result in a company being fined and damaging its brand image
rganisations fall into three main categories when it comes to regulatory compliance. The first group become paralysed under the huge weight of legislation and end up like rabbits caught in headlights, unsure of where to go next.
The second group go to the other extreme and become bogged down as they desperately struggle to comply with every tiny detail of the law. The third group – generally to be found in highly-regulated industries such as financial services and pharmaceuticals – see compliance as being part of a broader risk management approach and merely one element of a bigger picture.
As a result, a study undertaken last year of 1,000 IT managers and directors (sponsored by Dell Computer), indicated that 75 per cent were not confident that they were meeting all of their legislative obligations.
Some 61 per cent felt that compliance was a problematic issue for their organisation, while a further 65 per cent said that it had made their jobs more demanding.
What is important to bear in mind, however, is that no matter how burdensome the compliance issue might appear and no matter how companies try and deal with it, there is a heavy price to pay for failure.
At the highest level, lack of compliance, if prosecuted by the relevant authorities, can bring down varying degrees of financial penalties on the heads of culpable organisations.
"Most people haven’t got the foggiest idea of what something like Basel II is but they still want to know that you comply with it and it looks like you can't manage the business if you don't"
Neil Hershaw, information management officer, M&S Money
On 3 December 2002, for example, the US Securities and Exchange Commission, New York Stock Exchange and the National Association of Securities Dealers jointly sanctioned five securities firms – Deutsche Bank Securities, Goldman Sachs, Morgan Stanley, Salomon Smith Barney and US Bancorp Piper Jaffray.
Each of the five firms had to pay $1.65 million for violating regulations requiring them to maintain email communications for specified periods of time and be in a position to make them available on demand.
A few months later, in April 2003, 10 top Wall Street banks jointly paid $1.4 billion to settle charges that they had misled investors by issuing stock reports that were more designed to help them win business than to benefit ordinary investors.
Legislation such as the UK Companies (Audit, Investigations and Community Enterprise) Act 2004, meanwhile, attributes directors with criminal liability for not disclosing all relevant data relating to trade, transactions and accounting practices in an auditable format. The Act is seen as the UK’s answer to the US' Sarbanes-Oxley and applies to public and large private companies.
If abuse of the Data Protection Act 1998 is found to have taken place, however, the Information Commissioner can force an organisation to stop processing data, effectively closing it down.
But monetary and personal penalties are often just the tip of the cost iceberg of non-compliance. Because any legislative breaches become subject to inevitable feasting by the media, corporate credibility, brand and reputation can literally be destroyed overnight.
Neil Hershaw, information management officer at M&S Money, explains: “It’s a brand issue and it’s not going to look good for any financial organisation, if they fail to get it right. The question that they’ll be asked is ‘why not?’ Most people haven’t got the foggiest idea of what something like Basel II is, but they still want to know that you comply with it, and it looks like you can’t manage the business if you don’t.”
Moreover, building a respected, trusted brand takes many years and in many instances huge amounts of money, and as such is a valuable corporate asset.
As brand consultancy Citigate Lloyd Northover points out when analysing the results of a three-phase brand-related research project called BrandGap: “It shouldn’t need to take an Enron, and the Andersen fallout, to reinforce the importance of reputation, and the intimate connection between boardroom policy, public image, and basic survival.”
The idea behind this is that brands are rooted in the trust that customers place in them, which means that if that brand becomes tarnished, public trust in it is likely to be damaged. This, in turn, tends to bring about customer defections and may eventually impede an enterprise’s ability to acquire new ones.
Which all means, as they say in Hollywood action movies, that failure is not an option.
Case Study - Runnymede Borough Council
“You’d have to be very brave to say to central government that you weren’t going to comply with regulations. Technically, you could say that ‘we’ve got a different vision that’s nothing to do with electronic government’, for example, and show that you had a well thought out way of going forward, but you’d suffer in a lot of ways,” says Nigel Watson, head of ICT at Runnymede Borough Council.
On the one hand, the public authority in question would be likely to lose out financially as a result of no longer being eligible for different grant regimes, but on the other, it could risk damaging its reputation.
“There’d be a presumption that you weren’t achieving your goals so you’d have to prove that what you were doing was better than whatever had been recommended, and the councillors would have to be totally committed to the alternative,” Watson explains.
"Bringing all our content over to the content management system under the portal meant that we could train staff in the departments to look after their own information and keep it up-to-date themselves rather than having to go through the web team"
Nigel Watson, head of ICT, Runnymede Borough Council
Runnymede began working on its e-government compliance initiative a couple of years before the deadline of 31 December 2005. The local authority employs a staff of about 350 to provide services to 78,000 citizens in Surrey and is in the top third of highest performing councils in the country.
“When we did an analysis, it was clear that some of our existing technology would not permit us to comply. The biggest barrier was that we had an essentially static, presentational site, with most pages hand-coded in Dreamweaver so to change information, you had to physically go in and change the text,” Watson explains.
This meant that it would be impractical to provide large amounts of information online without hiring a big team to undertake coding. But at the same time, it was also necessary to find a way to comply with the W3C’s Web Accessibility standards for enabling disabled surfers to access the web site.
As a result, the council started evaluating different content management offerings and at the end of 2004 opted for Vignette’s J2EE-based portal system. This was integrated with its existing document and records management applications from Tower Technology (now part of Vignette), which meant that both types of information were automatically cross-referenced and could be accessed from a single point.
“Bringing all our content over to the content management system under the portal meant that we could train staff in the departments to look after their own information and keep it up-to-date themselves rather than having to go through the web team,” says Watson. “It’s also allowed us to move from a pure presentation site to being interactive with the public so that now they can apply for services, download forms or, heaven forbid, make a complaint online.”
"You’d have to be very brave to say to central government that you weren’t going to comply with regulations"
Nigel Watson, head of ICT, Runnymede Borough Council
The move also meant, however, that achieving compliance with the Freedom of Information Act (FoI), which came into force on 1 January 2005, was relatively straightforward.
“Because we’d started the process of identifying and cataloguing our information in a way that it could be readily retrieved, it meant that achieving Freedom of Information was manageable and didn’t give us big headaches,” Watson said.
The fact that the system also has full indexing and search facilities likewise helped the situation, and “we now have a major project ongoing to move all of our historical documents, especially those that we’re going to keep indefinitely, into it,” Watson adds.
“It’s really about providing quality of service to the public and if you can improve the quality of information and the means of accessing it, then you can go a good way down the path to getting there,” Watson concludes.