Understanding the compliance risks for your company can be difficult, but it is really just a case of good business practice

In an atmosphere of cautious IT expenditure and risk-averse procurement, the word compliance has become synonymous to many vendors with beanfeast. As a result, they merrily repackage their widgets as the latest must-have, all the while warning that ‘if you don’t buy this software, your CEO will go to prison’.

To reinforce the point, a mini-compliance industry has grown up around this positioning strategy with doom-mongering articles, market research and conferences aplenty, all offering information and advice, and all playing on the fear factor.

So the big questions in this heated and somewhat confusing situation are: is there a grain of truth to the propaganda, and how are CIOs reacting to it all? The first point to make is that compliance is at best a generic, catch-all term, with individual vertical markets, geographical areas and classes of company each subject to their own raft of specific regulations and legislation.

This means, for example, that the much talked about Sarbanes-Oxley Act, which really does threaten executive jail sentences for non-compliance, only affects a very specific type of firm. Such organisations include those that report their financials in the US, are listed on one of the US stock exchanges or have more than 300 US holders of their equity.

"It really comes down to understanding the business you’re in to pick out the appropriate legislation and see how it affects the organisation"

– Andy Kellet, a senior research analyst, Butler Group

Downgrade to a financial sanction

As discussed earlier, Kit Burden, a partner at law firm DLA Piper, believes that the threat of prison terms is now much less probable than it was previously. “It is theoretically true that executives could face actual jail time because of compliance issues. But that is less likely now than when the temperature was so high, post-Enron, and it’s currently much more likely, I think, to be a financial sanction,” he says.

Other high-profile regulations, meanwhile, relate quite specifically to certain industries. The Basel II risk management accords, for instance, apply purely to banks, while the Freedom of Information Act (FoI) is of interest only to public authorities.

The Data Protection Act, on the other hand, affects any organisation holding personal information about its customers, while the UK’s Regulation of Investigatory Powers Act makes it a criminal offence for any company to intercept “intentionally and without lawful authority” the mail, telephone calls and digital communications such as email of any staff without their prior consent.

As Andy Kellet, a senior research analyst at Butler Group, points out: “It really comes down to understanding the business you’re in to pick out the appropriate legislation and see how it affects the organisation.”

Nonetheless, there are generic guiding principles as to what compliance means and how it can be achieved. Jay Heiser, a research vice president at Gartner, explains: “Most legislative requirements boil down to the same basic issues. It’s necessary to demonstrate that the organisation is being adequately transparent in its activities and that the information coming out of this enables stakeholders to evaluate how well risk is being managed.”

And it is this management of risk that is key to getting compliance right. While technology can help organisations conform to certain legislative elements or enable them to generate reports that are useful for auditing purposes, there is no such thing as out-of-a-box compliance and there are definitely no technology-based silver bullets – despite what the vendors may imply.

An eye on the future

“The useful products are the ones that help reduce the most significant risks, but risk differs from organisation to organisation and there’s no one-size-fits-all. My recommendation is not to focus on individual regulations or technologies at all, but to concentrate on process and manage that with an eye to the future, not the past,” Heiser says.

This is because focusing on processes enables CIOs to understand any risks to the business on an ongoing basis and to manage them appropriately as necessary. “You can’t possibly anticipate all eventualities. I’ve spoken to people who are trying to meet regulatory requirements as a standalone entity, but therein madness lies,” Heiser adds.

As a result, he recommends devising a risk management framework that covers all key processes from across the enterprise. As a first step this involves defining what risks the organisation faces, particularly in relation to achieving its business goals.

Next it is necessary to plan how to mitigate such risks, before working out how to manage them. Control and monitoring functions as well as incident management procedures play a key role here.

The second stage involves deploying suitable compliance-enabling mechanisms and this is where technology can come into play. For example, introducing report-writing tools to work against financial applications can be useful in ensuring that relevant information is readily available to decision-makers and stakeholders.

The final phase entails creating a feedback loop so that processes can be continually improved upon.

So is the risk management message one that CIOs are listening to? In financial services at least, the most heavily regulated sector, this is undoubtedly the case, with compliance being treated in the main as ‘business as usual’.

Stephen Ashton, global IT business manager at Dresdner Kleinwort Wasserstein, a European investment bank based in London and Frankfurt that employs 6,000 staff, indicates that corporate governance is “the bedrock of our reasoning”, although he dismisses the ‘CEO will go to prison’ argument as sheer hyperbole.

“It’s always been the case that if you’re negligent, you face legal strictures – we’re very aware of the serious fines environment,” he says. “You can’t blame IT vendors for looking for some leverage with points such as the Sarbanes-Oxley ‘baseball bat’, but it’s not a reason for an organisation like us to ‘do compliance’ – or even buy more storage.”

Instead he advises striving for excellence in governance and control structures, which should be based on industry standards, as this will not only support compliant behaviour, but also promote best practice.

A systems analyst at another large financial organisation, who requested anonymity, believes that while companies in the financial services sector have always focused on compliance because their industry is so heavily regulated, things may now have gone a bit too far.

“There are certainly bits of information you want to keep, but some of this stuff is using a sledgehammer to crack a nut,” he says.

But that is not to say that CIOs in this sector are not taking the issue seriously. In fact, a study released in March by British research firm Freeform Dynamics indicated that almost nine out of 10 believe that complying with regulations is crucial to their business.

And this is not likely to change any time soon, not least because of the forthcoming Markets in Financial Instruments Directive (MiFID), which will be one of around 42 new regulations to hit the industry between 2005 and 2008.

International borders

MiFID is considered important because it is a big step on the road to a single European market for financial instruments such as equities and derivatives. The aim is to provide a homogenous framework for investment services to make it as simple to trade securely across national borders as it is to do so in individual countries.

But compliance is expected to cost a typical medium-sized European broker about $22 million and the industry about $1 billion worldwide in terms of IT upgrades alone.

So how are other sectors viewing the compliance issue? In a MIS UK poll of IT directors’ concerns published this year, compliance had moved two places up the agenda to number six and so appears to be growing in importance.

But as Colin Clark, business control executive at retailer Somerfield Stores, concludes: “Compliance as a reason to buy storage, for example, is something dreamed up by storage suppliers. But storage is storage is storage. Compliance is really just good business practice and there’s no need to add another layer. Just remember that enforced compliance is submission.”