CIO — Companies that have deployed new systems to comply with government regulations such as the Sarbanes-Oxley Act are finding these investments can do double duty by helping them to improve business processes, according to a survey of 332 companies by AMR Research. Nearly 75 percent of respondents plan to use their compliance investments to support other activities, such as streamlining business processes.
John Hagerty, vice president of research with AMR, says regulatory mandates have put a new spotlight on IT as a means to mitigate business risk. Prior to these mandates, risk management didn’t get executive attention. CEOs and boards were reluctant to invest in technology to combat risk, he says. But Sarbanes-Oxley especially has made them more attuned to the technology underpinnings that compliance requires. “So you see the board open its wallet to fund some of these programs,” says Hagerty.
One area where compliance mandates have prompted support is for security and identity management. Sarbanes-Oxley, for example, requires appropriate access controls to corporate systems so that an employee cannot change data unless he is authorized to do so. And so, CIOs have permission to deploy access management systems and procedures that they may have been unable to justify previously.
Meanwhile, Hagerty adds, the emphasis of Sarbanes-Oxley on process controls fosters greater awareness of quality assurance. The required reviews prompt companies to examine processes that are not working well or controls that are failing.
Sarbanes-Oxley has also provided support for business process management (BPM).
Sarbanes-Oxley compliance depends on standardizing processes so that points of failure are minimized. BPM technology supports this standardization across a company.
Best Practices:
Compliance comes first. Focus on what is absolutely required to satisfy the regulatory mandate. Determine what types of training, new business processes and software you will need to meet the requirements.
Indentify double-duty investments. CIOs have a global view of the company that other business leaders do not, says Hagerty. Use that knowledge to target compliance investments toward processes that need improvement. Because other business leaders will likely view compliance spending as an expense, explaining the business benefits can help make the case for investment in new technology.
Watch for overlap. Many regulations have common business requirements, such as managing documents and records, standardizing business processes, creating reports, managing risks, and implementing security and audit controls. You may be able to use the same applications to comply with multiple regulations.
