Corporate data is the lifeblood of any organisation, therefore it goes without saying that such information is equally central to enterprise regulatory compliance efforts.
But one of the problems many companies face in this regard is that the amount of data they have to deal with is growing at an exponential rate. A study by the School of Information Management and Systems at the University of California, Berkeley, came up with the startling claim that more data was created between 2000 and 2003 than in the previous 40,000 years of recorded history.
This information not only takes the form of structured data, which is found in traditional corporate applications such as enterprise resource planning and customer relationship management, but also increasingly of unstructured data such as emails and word processing documents.
While the reasons for this information explosion relate primarily to increased automation and the growing use of the internet as a tool for doing business, regulatory compliance is, in its turn, exacerbating the situation.
Legislation such as the US’ Sarbanes-Oxley Act and the UK’s Companies (Audit, Investigations and Community Enterprise) Act 2004 has expanded the amount and nature of business data that has to be both retained and retrievable on demand.
Taking a broad view
Clive Longbottom, a service director at Quocirca, points out that it is not enough just to add some extra storage capacity and hope for the best. In a broader sense, if compliance projects are to succeed, it is no longer adequate to take such a siloed approach to IT infrastructure at all.
This is because functional areas such as storage, applications, security and so on are all interlinked and all have a role to play in the lifecycle of corporate information. Therefore, they cannot be treated in splendid isolation.
Longbottom explains: “There’s a lot of rubbish being talked about specific solutions for Sarbanes-Oxley, Basel II, the Data Protection Act and so on, but if companies take a siloed approach, each ‘solution’ may well break the ‘solutions’ that went before. This means that there needs to be a cohesive, coherent approach to compliance at the infrastructure level, not at the solutions level.”
As a result, compliance initiatives have to be enterprise-wide in remit and require sponsorship from senior management if they are to stand a chance of working. They also need to be looked after by a broad-based compliance, corporate governance or risk management team, which is independent and has teeth enough to manage its own budget.
Dedicated to the task
This team, in turn, should be headed by a dedicated compliance officer to ensure accountability, and staffed by high-ranking representatives from key functional areas such as IT, legal, human resources and facilities management. This is to ensure that the initiative covers all aspects of the business and that it is sustainable in the long term.
Longbottom explains: “A lot of companies tend to take the easy option – just put a compliance officer in place and say ‘that’ll do’. But that doesn’t provide the full picture and no one person has all the brain-power required. You need a compliance group that can look at all the issues and that doesn’t just mean IT or line of business.”
Jay Heiser, research vice president at Gartner, meanwhile, believes that a high-level, possibly non-IT executive has to be brought in to head up the team to ensure that it has the power to act as a clearing house for ideas and to set up a suitable organisational framework to push those ideas through.
But he also acknowledges that many CIOs come under huge amounts of pressure to handle the compliance challenge alone, a situation that he describes as something of “a cop out” and one which results from “a certain amount of passing the buck, the idea being if you keep throwing the compliance hot potato, it won’t burn you”.
On the other hand, Heiser warns, CIOs should also be wary of embracing compliance as a means of gaining more power and influence, not least because they can end up becoming scapegoats if things go wrong.
In reality, to make such initiatives work, the responsibility has to be assumed by the people at the top of the business, and a risk management culture has to be embedded in the organisation so that compliance becomes part of ‘business as usual’ rather than an add-on or an overhead.
Identifying potential risks
In practical terms, this means first creating a risk register by identifying the potential risks the organisation faces, particularly in relation to achieving its business goals, and then prioritising them in terms of the threat each poses.
The next step involves creating a risk management framework that covers all key processes across the enterprise. The aim here is to define what would happen if one of the identified risks materialised and to plan how to mitigate and manage it. Control and monitoring functions, as well as incident management procedures, play a key role here.
The third phase involves deploying relevant mechanisms to help minimise risk, and this is where security and other technologies come into play. The final stage entails creating a feedback loop so that processes can be tweaked or revamped as necessary and continually improved.
Another focus for the compliance, risk management or corporate governance team is ensuring data quality and integrity, with activities such as managing, manipulating, cleansing and transforming data likely to consume between 60 and 70 per cent of any project in this area.
Linked to this is ensuring that control and auditing processes around corporate data are effective, not only so that managers and stakeholders have access to accurate information, but also to make it possible to demonstrate compliance to third parties such as auditors.
HSBC, for example, has always prided itself on the integrity of its master data and its data management techniques and, as a result, claims it has had fewer problems meeting compliance demands than other companies. It uses one customer number across all its businesses and says it has been focusing on data management issues for some 10 years.
Part of this data management process includes laying down clear enterprise-wide rules about how to manage the entire lifecycle of information from creation to destruction, and defining how long different types of records and documents need to be kept. Once these policies have been set, the compliance team needs to undertake an audit of what information the business generates and whether the mechanisms used to deliver this data to where it is required are adequate. Best practice frameworks for IT service management such as ITIL are useful here.
Weighing up the needs
The second step is to establish how much of a gap there is between the data delivery mechanisms that are currently in place and what is required to conform to risk management and compliance strictures. The third stage is to rework any business processes to make them fit for purpose, while the fourth is to work out how to fill any remaining holes, again perhaps by deploying certain technologies.
Banks preparing to conform to the Basel II risk management accords, for example, have found that data warehouses can act as a key compliance tool.
This is because, under the accords, a bank’s minimum capital requirement relates to the size and risk quality of its assets, so the better a bank can measure and manage the risk in its assets, the lower its minimum capital requirement will be.
Data warehouses are useful in this context because they can store huge amounts of information about borrowers, and can also be used in conjunction with analytics and reporting tools to undertake credit scoring and work out customer risk.
For those organisations that are not confident they have done enough, it is always possible to invite in a third-party auditing organisation to undertake a dry run.
Fitting the strategy
Another option for CIOs is to base any compliance work on standards such as BS 7799 for information security management and the IT Governance Institute’s Control Objectives for Information and related Technology (Cobit), even if the company decides not to go for full certification. Cobit provides a framework for ensuring that IT decisions fit in with an organisation’s business strategy and desired risk profile, giving it a means of balancing the need to be compliant against cost.
As Danny Dresner, group standards manager at the National Computing Centre concludes: “If you implement best practice, you shouldn’t end up a cropper. If you do, it might not be a get-out-of-jail-free card, but you can always argue that you were doing what the experts thought best.”