Rules, regulations and laws designed to help organisations do business with each other have been with us for centuries. But over the last few years there has been a growing emphasis on regulatory compliance, brought about in part by the changes in the ways companies do business, by the growing importance of technology and by companies being caught with poor or fraudulent accounting systems.
The roles and responsibilities for those who head organisations, and in particular CEOs and CFOs, now include ensuring the organisation is compliant with the regulations that govern its business – and ignorance is no longer an excuse for non-compliance. Although some executives in heavily regulated industries are aware of their responsibilities, many have still not upped their game and organised their management teams to adequately address the problem.
Susan Clarke, senior research analyst at Butler Group, says that for many UK companies regulatory compliance is still not a huge priority. “The financial services companies, pharmaceuticals and the public sector with its freedom of information remit are all well aware of their obligations, while international banks and companies listed in the US will have had regulatory compliance on their radar, but for the rest compliance isn’t a huge issue.”
This may be because the term compliance has been bandied about to cover everything from sorting out corporate data to wearing a hard hat on a building site, but since the Enron and WorldCom scandals it has more usually meant obeying laws that ensure good corporate governance.
Analyst company Gartner defines compliance as ‘the process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements or external laws, regulations, standards and agreements.’
It is the external law that has been making the management headlines. Gartner again: ‘Regulatory compliance is concerned with laws that a business must obey, or it risks legal sanctions… What free markets were unable to accomplish – ethical behaviour, good corporate governance and financial transparency – are now being driven by legislative mandate.’
Good corporate governance, where risk management is controlled to acceptable levels, seems a sensible idea and one that all companies should have been trying to achieve. Clarke says that many organisations are not really tuned in to compliance, even though legislation like the US-based Sarbanes-Oxley law has been heavily publicised on both sides of the Atlantic. “Regulatory compliance isn’t something that is being mentioned particularly, even though with both the New York Stock Exchange and NASDAQ showing interest in the London Stock Exchange Sarbanes-Oxley may eventually affect even UK listed companies,” she says. However, what is beginning to focus their attention is the threat of litigation. “The risk is there and is increasing,” says Clarke. “It is mainly because the threat of litigation is higher that compliance has become more of a priority for some organisations. Retaining information in case of litigation covers many of the same areas. Effective record keeping makes sure that the organisation has got, say, International Accounting Standards right, and is adhering to them. If the records are right then the incidents of potential litigation become less.”
Although the threat of litigation and, ultimately, prison hangs over the heads of the CEO and CFO, for larger organisations it is not something that they can possibly handle on a day-to-day basis.
Regulatory compliance permeates every part of an organisation’s business. Compliance should encompass the whole organisation and as information and data lie at the core of any organisation’s operations, responsibility has often been passed to the IT department.
Although CIOs are adept at formulating strategic systems and procedures, compliance touches every aspect of a business, from HR to finance to supply chains. This means that there is a good argument for appointing a dedicated chief compliance officer or an information team that reports into the CEO. Avon, the world’s leading direct seller of beauty and related products with an annual turnover of $7.7 billion, hired a compliance officer when Sarbanes-Oxley was introduced.
“Governance and compliance have gone from being in the background, to being part of everything we do,” says Kevan Moorcroft, vice-president regional IT Services, EMEA for Avon.
The company has handled regulatory compliance in a methodical way, which is not easy given its market coverage. “We hired a full time person to deal with Sarbanes-Oxley, because it is extremely complex for us as we operate in more than 30 different markets.”
Moorcroft says the goalposts for Sarbanes-Oxley have changed each year. “2004 was the first year, 2005 it was better and by 2006 the workshops had different templates. It is somehow turning into a repeatable process,” he says.
“Despite that we are really having to be careful. We do find things that don’t work but the whole bureaucracy of Sarbanes-Oxley is distracting. There must be a better way of balancing it all. It is doing some good but sometimes we feel like we are being hit with a blunt edged instrument.”
Butler Group’s Clarke believes that firms need a dedicated compliance officer. “For larger organisations compliance is not something CEOs or CFOs should handle. It is all about retaining information and working to regulations. I think all organisations from the medium size up that have to comply should have a dedicated compliance officer.” Records management has become an increasingly important area if a company is to adhere to regulatory compliance, says Clarke. “Responsibility for policies like email archiving, the retention of information and the responsibility for records management are obviously key. These should work alongside security, which is monitoring the information that comes in and out of the organisation.”
Compliance officers should be making sure that their organisations follow the rules and if there are breaches they need to be identified, dealt with and the proof of this recorded, says Clarke. “In the public sector records management has become key to them adhering to the Freedom of Information Act. There are now many effective records management officers working in the public sector. In the past, records managers were not that well paid, but this is changing fast and there are also a few university courses on offer to gain records management qualifications.”
Going on record
A compliance officer who reports to senior executives has to be supported by a team that covers all the fundamental procedures and policies, says Paul Dodgeson, director and executive secretary of the Records Management Society (RMS). He believes compliance is a by-product of good records management.
“Records management predates compliance,” he says. “The Data Protection Act of 1998 and the Freedom of Information Act of 2000, as well as Basel II and Sarbanes-Oxley, all focused on the need for effective records management.
“For example, the Financial Services Authority (FSA) needs evidence that an organisation is complying with regulations and is managing its risk effectively. The evidence needed to provide this relies on good records management and the use of effective metadata and classification systems.”
Dodgeson believes that an information management team is the best option for organisations trying to get to grips with compliance. “Good records management is the key to compliance and a significant business discipline in its own right. If there is no records management, there is no discipline and organisations that do not have effective records management systems are realising that the business is suffering because of it.”
He believes that organisations should adopt an information management team approach because of the way that information touches every part of the business. “Don’t underestimate the extent of the problem of records management and don’t consider it an unnecessary cost,” he says. “The return on investment is better control over records and the reduction in administration costs, as well as being able to comply with regulations.”
Ready for regulations
Gartner says those industries that have been highly regulated for some time, like financial services and pharmaceuticals, have formalised the role of chief compliance officer. Even those companies that have not been heavily regulated in the past are assigning individuals to be responsible for compliance issues. A survey carried out by Gartner last year found that 75 per cent of organisations had at least one IT person dedicated to compliance management and 76 per cent had a corporate executive-level compliance office or governance council.
Although IT departments have, for obvious reasons, borne the responsibility for much of the technical work of compliance, the implications of compliance are far more wide reaching than just the IT department alone.
“The climate has changed and more parts of a business need to comply with regulations,” says Dodgeson. “But organisations are gearing up to what needs doing. They have realised that businesses will suffer if they cannot keep track of their data and this adds to the urgency.” Some vendors and services suppliers have tried to take advantage of the situation, selling products and services on the back of worries about compliance.
Clive Longbottom, a service director at research and analysis company Quocirca, says that it is not simply enough just to stick in a bit of extra IT kit and hope for the best. “There’s a lot of rubbish being talked about specific solutions for Sarbanes-Oxley, Basel II, the Data Protection Act and so on, but if companies take a siloed approach, each ‘solution’ may well break the ‘solutions’ that went before. This means that there needs to be a cohesive, coherent approach to compliance at the infrastructure level, not at the solutions level.”
Compliance initiatives have to be enterprise-wide in remit and require sponsorship from senior management if they are to stand a chance of working. They also need to be looked after by a broad-based compliance, corporate governance or risk management team, which is independent and has teeth enough to manage its own budget. This team, in turn, should be headed by a dedicated compliance officer to ensure accountability and staffed by high-ranking representatives from key functional areas such as IT, legal, human resources and facilities management. This is to ensure that the initiative covers all aspects of the business and that it is sustainable into the long term.
Whether a team or a single executive takes on the bulk of the responsibility for compliance work, a change in the reporting structure is going on. Prior to Sarbanes-Oxley, compliance officers often reported to legal departments in organisations. Today many report straight to the CEO.
It seems the threat of prison or at least a massive fine has focused attention at the top. The CEO may have the ultimate responsibility for compliance but they are investing in support from specialists to help them achieve compliance.
Generally speaking, regulatory compliance has been seen as a burden that businesses can do without – more red tape and an onerous interference for an already put-upon management team to deal with. There is no doubt that ensuring regulatory compliance is a taxing and difficult process but organisations are beginning to appreciate the benefits and many large businesses have admitted that they have a far better understanding of their processes and systems because of it. Some, including BT and Corus, say they have turned the compliance requirements into positive strategic actions. The new regulations ask for a methodical and measured approach and can offer a different, business process driven approach to the organisation.
For many companies regulatory compliance is now part of everything they do. It has allowed executives to understand exactly what resources and processes an organisation has and to begin to increase efficiency and throughput as a result. It is too soon to tell whether the compliance laws will achieve what they were designed for but they are already offering organisations unexpected benefits.
Public sector best practice
Private companies can also learn from teams working in the public sector. Dodgeson believes that the Freedom of Information Act was a sea change for the public sector. “We had to be able to find data easily, using more intelligent searching. Also classification has become even more important in allowing the public access to information.”
Before the Act, trawling through paper files was very difficult, and if anything technological shortcomings made things even worse initially. In the public sector this meant providing poor services to a disgruntled public. With the additional legislation in the private sector there are more and more regulations to comply with, so this is a critical time for organisations, and they are realising business suffers without good data and records management.
The public sector is achieving good results now because of its effective management of data and records, and Dodgeson believes it is well ahead of the private sector. “It is achieving good results through excellent records management and this is often achieved through a constructive partnership with different functions within an organisation.”
Butler’s Clarke agrees that records management in the public sector especially has become an increasingly important task and is leading the way in compliance.
Of course, some organisations believe they have always been ahead of the pack when it comes to effective data management. HSBC believes technology is the least important part of corporate governance and that it is function and data that are really important, especially the data. Its data management discipline is very deep and sustained and it has only one customer number across the group of businesses.
IBM has stated that HSBC has the best customer data in the UK, because enforced good data management has been going on there for at least 10 years. The basics have far more impact than anything technical, but they take much longer to achieve.
Opportunity not burden
If organisations stopped seeing compliance as a burden but rather an opportunity to restructure their company and unlock operational value, they would reap benefits and could even see a significant return on investment, according to the RMS’ Dodgeson. Imagine the vast amount of customer data BT handles. It has been trying to deal with the huge hurdles put in place over the last few years by regulator Ofcom, leading to a situation that Maria Pardee, CIO of BT Retail, describes as “like Sarbanes-Oxley on steroids”. But she says the company is using it to its advantage: “We are turning the compliance requirements into something positive. We adhere to the law but we also get to rethink the way we are delivering service. We’re taking a methodical and measured approach to compliance.”
In many cases compliance demands create a single view of the customer from all points in the organisation, which can lead to a better understanding of their requirements. This, in turn, can result in increased loyalty and retention rates and has the potential to boost cross and up-selling sales opportunities. As a result, the UK telco has embarked on various transformational projects, one of which includes implementing an extensive CRM system. “We’re adding value through the infrastructure and want the experience for customers to be pleasant and easy, whichever service they’re using,” says Pardee.
Another common supplementary advantage of compliance consists of improved data-sharing between different departments. This can boost internal efficiency by helping to break down internal information silos and by linking the people and teams with the information they require to do their jobs more effectively.
For some time now, rightly or wrongly, compliance has been seen as a technology issue and it is certainly one of the top concerns for IT directors and CIOs.
Overall there seems to have been a positive response to compliance from IT directors. They are being seen as the experts in many organisations, and are getting involved in strategic planning to make sure their companies comply with the laws, and in many cases are reporting directly to the CEO. But the nature of compliance means that it cannot be a purely technical process. Gartner’s definition of compliance includes the interpretation of government regulations, contractual terms and internal policies together with understanding where the organisation stands in terms of those requirements.
The process also includes documenting a plan for meeting those conditions and executing it, as well as devising measures and controls to prove that the plan has been implemented and then documenting those as well. This covers the whole remit of the organisation, not just the data processing controls and, as such, needs a broader sweep than a purely technical approach. Although initially onerous, once a compliance process is in place, organisations should see increasing returns on their investment and in the long run, should be able to improve their bottom line.
All in it together
Compliance is a process, not a project and it involves everyone in an organisation, from board members to employees. Most companies have realised that compliance is an ongoing process and that by formalising compliance functions, they are better positioned to reduce risk and anticipate future compliance requirements. Companies that apply an integrated strategy towards compliance will get the most business value from their compliance investments.
Process, people and technology form the basis for all compliance efforts. By formalising the compliance function and clarifying the reporting relationships, companies will be better positioned for current compliance requirements, to reduce risk and to anticipate impending compliance requirements, according to Gartner Group.
It is no surprise that the introduction of Sarbanes-Oxley, along with other corporate governance regulations, has in many cases coincided with the consolidation of systems, processes and infrastructure refreshes in many organisations. The two lend themselves to each other. In order to comply with new regulations organisations have to know what their operations, assets and procedures are – and in many cases they did not.
The overall climate at board level illustrates how the risk landscape is changing with a large number of regulations and standards being introduced, according to Fiona Sheridan, business risk partner at Ernst & Young. In terms of managing risk, if companies address compliance first so they have a stable platform, they can turn their attention more effectively to performance related risk. “Changing accounting standards and governance requirements for operations in multiple geographies means that compliance is getting more and more complex and organisations have to spend a lot of time on that,” she says.
Her advice is not to wait to be asked: “Get on with compliance now. It is becoming increasingly important to investors that they can see regulatory compliance is being met and risks managed, as well as to auditors. There has to be demonstrable commitment right through the organisation.”
Enterprise risk management is becoming more relevant again, according to Sheridan. “As there are more changes to regulations, companies have to continue to ask ‘is what we have still appropriate?’ What can we learn from Sarbanes-Oxley in that sense? There are lots of definitions and ways of evaluating risk. But look at best practice risk management for achieving compliance and improving performance.”
Effective risk management has to be tailored to each individual company or organisation, but Sheridan believes there are some common themes, like clarifying processes and communicating them effectively both internally and externally to the investor community.
“You have to have active board involvement and clear communications for external stakeholders. The investor view is that they aren’t risk averse – they know there has to be some risk involved to improve production, but they want to be able to see how the process is being managed.” In the past enterprise risk management tended to look at business as usual, but organisations should also consider business as unusual, because business is constantly changing and organisations should be evolving and reinventing things. Whatever framework is being used has to be flexible enough to handle the change.
“Companies need to consider compliance first and then address any risks to the performance of the firm,” Sheridan comments.