Compliance, Convergence and How IT Fits

There are more government rules for companies to follow, more departments required to follow them, and more legal risks for not doing so. Proactive executives can use IT to design and implement an effective compliance program to coordinate an organization's various compliance processes.

1 2 3 Page 2
Page 2 of 3

The Convergence Conundrum

The proactive CIO can leverage IT capabilities to help achieve sustainable compliance by designing and implementing an effective, integrated program with built-in components to align and coordinate compliance functions, processes, and activities as well as provide adequate oversight and appropriate risk coverage. That, however, may be easier said than done.

In an effort to see how far the reality of convergence has gone and how companies operate in that environment, Ernst & Young chats with clients as well as conducting formal studies and surveys, such as the 10th annual "Global Information Systems Security Survey." One such survey focused on the financial services industry, a group accustomed to and well entrenched in the process of operating in a highly regulated environment. While there was universal familiarity with the concept of streamlining governance, risk and control processes, most companies were in the early stages of the convergence process and their activities driven by short-term objectives. While improving efficiency and reducing costs were common goals, there were the opposing forces of a corporation's natural tendency toward siloed infrastructures and people's natural resistance to change, particularly around the highly sensitive areas of risk management and compliance.

IT As Enabler of the Convergence Conversion—A New Seat at the Table

So who can help? With so many interests, functions and entities trying to reach the goal of compliance and converging in the process, whether intentionally or not, it takes no great leap to envision overlaps, redundancies and conflicts. Also, with information as the common denominator, it's easy to see the role of information management, IT and the CIO taking on new importance and new responsibility.

Leading companies are focusing resources on how they can better integrate compliance enterprisewide as a part of everyday business operations and decision making. Companies that once were more likely to invest in compliance programs because they had to are beginning to invest because they want to, seeing the value proposition in technology-enabled compliance measures that also improve business processes and performance. One of the drivers of this new mind-set—in fact, its primary enabler—is information technology.

IT is often the expert in a company at facilitating broad business process improvement because of its instrumental role in SOX compliance, ERP implementation or other transformational projects. That gives IT and the CIO a justifiable seat at the executive table when compliance strategy is planned and strategic business goals are set. One way IT can help is by cataloging what rules, regulations and laws specifically apply to the company. While obtaining this information may not be its sole and precise responsibility, IT can create a robust infrastructure and repeatable mechanism for identifying and tracking any overlaps, inconsistencies, and conflicts. Though no one department is responsible for companywide compliance, IT is unique in its ability to move well beyond the four walls of the data center in response to its expanded mandate to create value, rationalize costs and manage risk for the entire enterprise.

Conducting a risk assessment will help determine what regulations require full compliance, what's most important in terms of the company's definition of its own risk profile and where to focus corporate efforts in the expanding compliance universe. This will also determine the extent to which outcomes of the assessment are integrated into other business processes, such as strategic planning, internal audit or compliance training, and whether there are regulatory or compliance risks associated with doing business in other countries or other industries.

IT can also identify the current state of the company's compliance controls, processes and capabilities. Many existing IT investments—ERP systems, reporting systems and controls monitoring systems implemented specifically to support SOX compliance—can be leveraged to improve the company's overall compliance position.

1 2 3 Page 2
Page 2 of 3
7 secrets of successful remote IT teams