The prospect of prosecution or even jail time is focusing many CIOs’ attention on compliance software to meet new regulations

There are many myths bandied around about regulatory compliance, not least those by IT vendors trying to play on the fear factor to make unsuspecting CIOs part with their money.

As a result, the ‘if you don’t buy this software, your CEO will go to prison’ line is repeated with tedious regularity, even though such a scenario is unlikely ever to take place.

Although based on a grain of truth, this particular stick to beat IT directors with is associated with the US’ stringent Sarbanes-Oxley Act and only affects specific kinds of companies. Such organisations include those that report their financials in the US, are listed on one of the US stock exchanges or have more than 300 US holders of their equity.

But Kit Burden, a partner at law firm DLA Piper, believes that ending up with a prison sentence is much less likely than it used to be. “It is theoretically true that executives could face actual jail time because of compliance issues. But that is less likely now than when the temperature was so high, post-Enron, and it’s currently much more likely, I think, to be a financial sanction,” he says.

But that is not to say that CIOs should not take the compliance issue seriously. Financial penalties can be heavy, as was the case in December 2002, for example, when the US Securities and Exchange Commission, New York Stock Exchange and National Association of Securities Dealers jointly sanctioned five securities firms.

A high price to pay

Deutsche Bank Securities, Goldman Sachs, Morgan Stanley, Salomon Smith Barney and US Bancorp Piper Jaffray each had to pay $1.65 million for violating regulations requiring them to maintain email communications for specified periods of time and be in a position to make them available on demand.

But problems do not stop with financial sanctions. Corporate credibility, brand and reputation can also be destroyed overnight, particularly because of the high profile given to such cases by the media.

Neil Hershaw, information management officer at M&S Money, explains: “It’s a brand issue and it’s not going to look good for any financial organisation if they fail to get it right. The question that they’ll be asked is ‘why not?’. Most people haven’t got the foggiest idea of what something like Basel II is, but they still want to know that you comply with it, and it looks like you can’t manage the business if you don’t.”

Moreover, building a respected, trusted brand takes many years of effort and in many cases huge amounts of money, and as such is a valuable corporate asset. Brands reflect the trust that customers place in them, which means that if they become tarnished, public trust is likely to be diminished. This tends to lead to customer defections and may eventually damage an enterprise’s ability to acquire new ones.

But dealing with the compliance challenge is made tricky by the fact that the word itself covers a multitude of sins. At best, it is a catch-all term, with individual vertical markets, geographical areas and classes of company each subject to their own rafts of specific regulations and legislation.

As a result, as Andy Kellet, a senior research analyst at Butler Group, points out: “It really comes down to understanding the business you’re in, to pick out the appropriate legislation and then see how the laws affect the organisation.”

Identify potential risks

Nevertheless, there are certain rules of thumb when trying to understand what compliance means and how it can be achieved. Jay Heiser, a research vice president at Gartner, explains: “Most legislative requirements boil down to the same basic issues. It’s necessary to demonstrate that the organisation is being adequately transparent in its activities and that the information coming out of this enables stakeholders to evaluate how well risk is being managed.”

And it is this management of risk that is the key to hitting compliance goals. While technology can help organisations conform to certain facets of legislation or enable them to generate reports that are useful for auditing purposes, there is no such thing as out-of-the-box compliance and there are definitely no technology-based silver bullets – despite what the vendors may imply.

“The useful products are the ones that help reduce the most significant risks, but risk differs from organisation to organisation and there’s no one-size-fits-all. My recommendation is not to focus on individual regulations or technologies at all, but to concentrate on process and manage that with an eye to the future, not the past,” Heiser says.

This is because focusing on processes will enable CIOs to understand the risks to the business on an ongoing basis and will make it easier to manage them appropriately. Heiser explains: “You can’t possibly anticipate all eventualities. I’ve spoken to people who are trying to meet regulatory requirements as a standalone entity, but therein madness lies.”

To ensure that risk management initiatives work, however, responsibility has to be assumed by the people at the top of the business, so that such projects are handled in a coherent enterprise-wide fashion rather than introduced in a fragmentary and piecemeal way.

A useful tool here is to create a broad-based, independent risk management team, which is given enough power to manage its own budget. The team should be headed by a dedicated compliance officer to ensure accountability and staffed by high-ranking representatives from key functional areas such as IT, legal, human resources and facilities management to ensure that the initiative covers all aspects of the business and is sustainable into the long-term.

Another goal is to embed a risk management culture into the organisation so that compliance becomes part of a ‘business as usual’ approach, rather than being viewed as an inconvenient add-on or an overhead.

In practical terms, this means creating a risk register by identifying any potential risks the organisation faces, particularly in relation to achieving its business goals, before prioritising them in terms of potential threat.

The next step involves creating a risk management framework that covers all key processes across the enterprise. The aim here is to define what would happen if a problem occurred in order to plan how to mitigate and manage it. Control and monitoring functions as well as incident management procedures play a key role here.

The third step involves deploying relevant mechanisms to help minimise risk, and this is where security and other technologies can come into play.

The final stage, meanwhile, entails creating a feedback loop so that processes can be tweaked or revamped as necessary and continually improved upon.

While this may all sound like a lot of work and effort to already over-stretched CIOs, especially as they tend to be the first port of call for business executives worrying about the issue, there is a silver lining.

Apart from the obvious risk mitigation that compliance projects offer, if organisations look on them as an opportunity to put their corporate house in order, they can generate a raft of spin-off benefits, many of which come from adopting good corporate and IT governance practices. Moreover, shrewd CIOs can even exploit the compliance bugbear by positioning it as an additional driver for justifying valuable initiatives that have gone onto the back-burner for various reasons.

As M&S Money’s Hershaw explains: “We’d tried to put a business case together to improve data quality prior to Basel II, but we didn’t quite have enough to convince our executives to invest in it. So with Basel II, it was a bit of a bonus as it gave us the final driver we needed.”

What this all means is that, while tackling the seemingly endless amounts of regulation and legislation may be neither easy nor cheap, adopting a proactive strategy to cope makes sense, because in the long term it should improve how the organisation operates, which can only be a good thing.