Compliance, Convergence and How IT Fits

There are more government rules for companies to follow, more departments required to follow them, and more legal risks for not doing so. Proactive executives can use IT to design and implement an effective compliance program to coordinate an organization's various compliance processes.


Why It's Worth the Effort

The objective of risk convergence is to establish an integrated approach and consistent set of processes that reduce redundant control activities, eliminate duplication in the business units, drive down costs and support strategic decision making. Convergence can reduce compliance gaps overall and risk management fatigue in the business units. It can facilitate a risk and control model that is more efficient and effective in supporting business needs, responding to regulatory change, and addressing demands for more granular risk-related disclosure. Both internal and external stakeholders will have greater confidence in the quality of the risk management, compliance and assurance model, with reduced remediation activities and positive external ratings reinforcing its value.

After all, the disparate kinds and sources of data notwithstanding, compliance mandates come down to the fundamental issues of integrity, availability, security, confidentiality and access. Expanding the overall charter and leveraging its potential for value delivery can establish IT as the center of excellence within the business, facilitating overall compliance and its resultant business process improvement. With IT at its best, risk convergence, although challenging, is possible. Choosing this path will reward the organization with a flexible, efficient, sustainable risk management framework that supports today's business requirements and those of the future.

Matt Podowitz is an executive director in the Risk Advisory Services practice of Ernst & Young and is the firm's global IT effectiveness leader. He has more than 16 years' experience advising companies globally on strategic IT issues, including how to realize greater returns on their IT investments. Podowitz is also a Certified Information Systems Auditor and professional member of the Institute of Management Consultants.

Brian Tretick is an executive director in the Risk Advisory Services practice of Ernst & Young. He has more than 20 years' professional experience in information security and has spent the past decade focused on privacy and data protection. Tretick also serves the IAPP as a regular member of the CIPP faculty.

The views expressed herein are those of the authors and do not necessarily reflect the views of Ernst & Young.

Copyright © 2008 IDG Communications, Inc.
