With compliance emerging as one of today's most prevalent business issues, multiple corporate functions are beginning to converge in a federated approach to addressing quality, risk and overall compliance management. This convergence, though arguably a more efficient approach, may not be an intuitive state for policies and processes traditionally created in silos. Nor is convergence always a logical process for the people who operate, manage, and implement those policies and processes.

As the visibility of compliance continues to rise, there is a concurrent increase in the importance placed on information technology and the role of the CIO. Like other parts of the enterprise responsible for risk and compliance, IT's mandate has expanded in the post-Sarbanes-Oxley (SOX) environment. Beyond the traditional charge that comprises the fundamentals of keeping the lights on and the company out of trouble, IT and the CIO now share responsibility for making the business better. Ironically enough, one of the most "siloed" of functions has become one of the most well-positioned to do just that.

A Look at the Compliance Landscape

Understanding how IT's role is evolving comes best with an understanding of the compliance landscape. Every company operates with rules and regulations, which may vary by industry, geography, size or other factors or may even have been self-imposed in a proactive effort to improve operational efficiency. Historically, the majority of compliance criteria have centered on financial or environmental issues. Many were created and implemented in response to a particular issue; likewise, they may have been executed and monitored at the business-unit or departmental level via spreadsheets or other manual means.

As the regulatory environment continues to change with marked frequency and measurable complexity, so do the requirements for automated, repeatable controls and processes around the classic information compliance drivers—internal controls over financial reporting, controls to protect and govern the use of personal information, protection of intellectual property, records management and e-discovery rules. What's more, the "shrinking earth" is giving rise to a set of standards that are global in scope, with SOX in the U.S. spawning similar legislation in Japan, Canada, Australia, France, Italy and the Netherlands. The U.K.'s Financial Services Authority's foray into outcomes-based regulation has also sparked interest in a similar approach in other countries.

Legal risk and the implications of noncompliance are also expanding, with the potential for what could be called catastrophic consequences ranging from significant fines and irrevocable damage of company brand and reputation to jail time for executives. Information itself has become a regulated asset, with specific criteria for its protection, privacy, use and retention. Changes to the Rules of Civil Procedure regarding document retention are making it harder for companies to mount effective litigation defense. Where noncompliance with a given regulation is a cause of harm, the settlements may be even larger.

Inefficient processes, the increasingly complex regulatory and business environment, and shortage of talent are placing unprecedented demand on current systems and procedures. The "typical" organization has core compliance accountabilities for multiple functions and business units, with HR, security, finance, legal, risk, internal audit and others, each addressing compliance differently. Against the backdrop of this ever-expanding compliance environment and the increasing number of business functions and operational areas it encompasses come the growing expectations of stakeholders. They want not only effective compliance risk management and transparency in their strategies but also a reasonable return on the significant investments made in information technology, plus measurable means for improving the business overall.