Compliance is defined by at least one online dictionary as ‘the act of complying with a wish, request, or demand; acquiescence’. It also has a medical context meaning a ‘willingness to follow a prescribed course of treatment’. A final reading of the word is ‘a disposition or tendency to yield to the will of others’. We’re issuing a challenge to IT directors: have you unwittingly followed all three courses of action since the dot-com collapse led to the growth of compliance, IT salesman style?

In IT parlance, especially over the past few years, compliance has come to mean ‘buy this software because if you don’t your CEO will go to jail’. Compliance certainly seems to have become the de facto reason to buy or do IT, as regulations and laws as diverse as Sarbanes-Oxley, Basel II, the Freedom of Information Act (FOI) and others have been deemed to impinge on all sorts of organisations.

There can be no denying there is a mini compliance industry, generating articles, market research and conferences. But compliance is often at best a very generic term. Specific US financial reporting regulations like Sarbanes-Oxley are routinely bandied around in the face of UK or European organisations to whom it does not apply; Basel II is an initiative that only applies to banks, not any other sort of enterprise; while FOI is only really of weight to organisations working in the public sector. And anyone active in IT must have heard the ‘CEO will go to jail’ line by now – a reference to strict jail terms handed out in the immediate aftermath of the Enron and Arthur Andersen collapses, which were of course US, not UK, scenarios.

Is it too sceptical to reject the entire compliance bandwagon? Is all this just a way to make us buy stuff we do not need. You need to store all your emails for ever being a typical sentiment?

At least some users and IT observers seem to be coming round to this conclusion. “It is theoretically true that executives could face actual jail time because of compliance issues,” says Kit Burden, a partner at law firm DLA Piper. “That is less likely now than when the temperature was so high post Enron and it’s much more likely I think to be a financial sanction now.”

Seizing an opportunity

But let’s face it, the threat was too sexy to ignore. “Naturally this angle has been picked up as a risk by the vendors, who see opportunity here,” says Gavin McGinty, a lawyer specialising in IT with Pinsent Masons. “I do agree it has become a bandwagon. Suppliers are taking products that fit many categories of business use and trying to make it sound compliant, as in phrases that make me laugh like ‘Sarbanes-Oxley in a box’, which is just impossible,” he says.

“Compliance isn’t about products at all but risk, and managing those risks. You need to sit down and do that work long before you even look at a product, as there are a lot of snake oil merchants out there touting this topic.”

That may already be the common reaction. The Corporate IT Forum (tif) representing the CIOs of 140 major UK organisations, agrees there has been a hype cycle around compliance, but argues that it has now settled down.

“Compliance is not a reason to do IT, it’s a reason to look at your business processes,” points out its chief executive David Roberts.

“There was definitely something of a panic in 2000 and 2001 among some IT people as messages about responsibility for information got out there. There was lots and lots of publicity.

But it’s gone from panic to a challenge to a consultation process, in our view. There’s a legal minefield certainly and very little actual case law to rely on, but I think the user community’s response is much more measured now.”

What do financial services customers make of the compliance propaganda? Do they see it as valid or as hype? MIS UK encountered a range of responses to this suggestion, but there seems to be a definite sense that compliance should be seen very much as ‘business as usual’ for these guys.

Take Stephen Ashton, global IT business manager at Dresdner Kleinwort Wasserstein, a major European 6,000 strong investment bank headquartered in London and Frankfurt. Plainly, compliance is a central issue for this type of organisation. How does he feel about the IT industry’s take on compliance?

“Governance and the control of our environment is absolutely critical to us, and as a regulated financial services institution, it’s the bedrock of our reasoning. What does not concern us, however, is the ‘CEO will go to jail’ argument. “It has always been the case that if you are
negligent, you face legal strictures; we’re very aware of the serious fines environment.

“You can’t blame IT vendors for looking for some leverage with points like this, such as the Sarbanes-Oxley ‘baseball bat’, but it’s not a reason for an organisation like us to ‘do compliance’ – or even buy more storage, say.”

Best practice for best practise

For Ashton, a better approach is to always strive to have a world-class governance and control structure based on standards, as this will not only support compliant behaviour but promote best practise. “The common sense way to look at compliance in 2006 is in the context of how a professional IT organisation should operate anyway,” he says.

A systems analyst at another major City firm, requesting anonymity, echoed these sentiments. “As we are so heavily regulated anyway, we’ve always been compliant. Yes, there’s been a growth in the last seven to eight years, but in some ways the umbrella’s got too wide.

“There are certainly bits of information you want to keep, but some of this stuff really is using a sledgehammer to crack a nut.”

So even in the heartland of compliance customer country, as it were, not all eyes are fixated on the compliance tickbox.

“How seriously do financial services firms take all this?” wonders DLA Piper’s Burden. “I think it’s very Millennium Bug in some quarters – a feeling that we’ll do it all only when we really have to. There’s also a question mark really over what being fully ‘compliant’ could mean.

“I’ve heard a CIO at a major institution saying he could spend an extra £5 million on being [UK security management standard] BS7799 compliant, but would it really give the bank any more practical advantages? I think these people are looking at compliance IT expenditure very much with a pragmatic perspective,” Burden concludes. Other sorts of user organisations are even more pragmatic about compliance initiatives. “Compliance as a reason to buy storage is something dreamt up by storage suppliers, but storage is storage is storage,” sniffs Colin Clark, business control executive at retailer Somerfield Stores. “Salesmen will try to do this, of course. Compliance is really just good business practice, there’s no need to add another layer here. And remember that enforced compliance is submission.”

And they are not the only ones. Even the folks selling this stuff think some of it hass gone too far. One supplier told MIS UK: “I can tell you rightly or wrongly that I do not go home at night worrying about whether I’m going to go to jail. Nobody in this country particularly gives a hoot about Sarbanes-Oxley, other than if they deal with an American company and they’ve got an obligation to do it for commercial reasons.

“I have been saying for a year now compliance isn’t the fundamental driver to why businesses do something about this – the fundamental drivers are if a business sees some operational benefit; if it sees that it can reduce some business risk; and only one of those risks in my opinion is the risk of going to jail.”

Another supplier suggests the pressure to push compliance is down to business, not them. “I do not think the IT industry is guilty of hamming up the effect of compliance. It’s accountability and personal accountability of directors of organisations. That is driving the move into large IT projects. The fear factor of non-compliance and making mistakes really sits in the boardrooms.”

So is compliance a con? No – but buying IT just because of the label being attached to it may not be a CIO’s brightest move.