Compliance, Convergence and How IT Fits

With compliance emerging as one of today’s most prevalent business issues, multiple corporate functions are beginning to converge in a federated approach to addressing quality, risk and overall compliance management. This convergence, though arguably a more efficient approach, may not be an intuitive state for policies and processes traditionally created in silos. Nor is convergence always a logical process for the people who operate, manage, and implement those policies and processes.

MORE Predictions

10 Virtualization Vendors to Watch in 2008

Five Key Technology Trends for 2008

Six Enterprise Application Trends to Watch in 2008

As the visibility of compliance continues to rise, there is a concurrent increase in the importance placed on information technology and the role of the CIO. Like other parts of the enterprise responsible for risk and compliance, IT’s mandate has expanded in the post-Sarbanes-Oxley (SOX) environment. Beyond the traditional charge that comprises the fundamentals of keeping the lights on and the company out of trouble, IT and the CIO now share responsibility for making the business better. Ironically enough, one of the most “siloed” of functions has become one of the most well-positioned to do just that.

A Look at the Compliance Landscape

Understanding how IT’s role is evolving comes best with an understanding of the compliance landscape. Every company operates with rules and regulations, which may vary by industry, geography, size or other factors or may even have been self-imposed in a proactive effort to improve operational efficiency. Historically, the majority of compliance criteria have centered on financial or environmental issues. Many were created and implemented in response to a particular issue; likewise, they may have been executed and monitored at the business-unit or departmental level via spreadsheets or other manual means.

As the regulatory environment continues to change with marked frequency and measurable complexity, so do the requirements for automated, repeatable controls and processes around the classic information compliance drivers—internal controls over financial reporting, controls to protect and govern the use of personal information, protection of intellectual property, records management and e-discovery rules. What’s more, the “shrinking earth” is giving rise to a set of standards that are global in scope, with SOX in the U.S. spawning similar legislation in Japan, Canada, Australia, France, Italy and the Netherlands. The U.K.’s Financial Services Authority’s foray into outcomes-based regulation has also sparked interest in a similar approach in other countries.

Legal risk and the implications of noncompliance are also expanding, with the potential for what could be called catastrophic consequences ranging from significant fines and irrevocable damage of company brand and reputation to jail time for executives. Information itself has become a regulated asset, with specific criteria for its protection, privacy, use and retention. Changes to the Rules of Civil Procedure regarding document retention are making it harder for companies to mount effective litigation defense. Where noncompliance with a given regulation is a cause of harm, the settlements may be even larger.

Inefficient processes, the increasingly complex regulatory and business environment, and shortage of talent are placing unprecedented demand on current systems and procedures. The “typical” organization has core compliance accountabilities for multiple functions and business units, with HR, security, finance, legal, risk, internal audit and others, each addressing compliance differently. Against the backdrop of this ever-expanding compliance environment and the increasing number of business functions and operational areas it encompasses come the growing expectations of stakeholders. They want not only effective compliance risk management and transparency in their strategies but also a reasonable return on the significant investments made in information technology, plus measurable means for improving the business overall.

The Convergence Conundrum

The proactive CIO can leverage IT capabilities to help achieve sustainable compliance by designing and implementing an effective, integrated program with built-in components to align and coordinate compliance functions, processes, and activities as well as provide adequate oversight and appropriate risk coverage. That, however, may be easier said than done.

In an effort to see how far the reality of convergence has gone and how companies operate in that environment, Ernst & Young chats with clients as well as conducting formal studies and surveys, such as the 10th annual “Global Information Systems Security Survey.” One such survey focused on the financial services industry, a group accustomed to and well entrenched in the process of operating in a highly regulated environment. While there was universal familiarity with the concept of streamlining governance, risk and control processes, most companies were in the early stages of the convergence process and their activities driven by short-term objectives. While improving efficiency and reducing costs were common goals, there were the opposing forces of a corporation’s natural tendency toward siloed infrastructures and people’s natural resistance to change, particularly around the highly sensitive areas of risk management and compliance.

IT As Enabler of the Convergence Conversion—A New Seat at the Table

So who can help? With so many interests, functions and entities trying to reach the goal of compliance and converging in the process, whether intentionally or not, it takes no great leap to envision overlaps, redundancies and conflicts. Also, with information as the common denominator, it’s easy to see the role of information management, IT and the CIO taking on new importance and new responsibility.

Leading companies are focusing resources on how they can better integrate compliance enterprisewide as a part of everyday business operations and decision making. Companies that once were more likely to invest in compliance programs because they had to are beginning to invest because they want to, seeing the value proposition in technology-enabled compliance measures that also improve business processes and performance. One of the drivers of this new mind-set—in fact, its primary enabler—is information technology.

IT is often the expert in a company at facilitating broad business process improvement because of its instrumental role in SOX compliance, ERP implementation or other transformational projects. That gives IT and the CIO a justifiable seat at the executive table when compliance strategy is planned and strategic business goals are set. One way IT can help is by cataloging what rules, regulations and laws specifically apply to the company. While obtaining this information may not be its sole and precise responsibility, IT can create a robust infrastructure and repeatable mechanism for identifying and tracking any overlaps, inconsistencies, and conflicts. Though no one department is responsible for companywide compliance, IT is unique in its ability to move well beyond the four walls of the data center in response to its expanded mandate to create value, rationalize costs and manage risk for the entire enterprise.

Conducting a risk assessment will help determine what regulations require full compliance, what’s most important in terms of the company’s definition of its own risk profile and where to focus corporate efforts in the expanding compliance universe. This will also determine the extent to which outcomes of the assessment are integrated into other business processes, such as strategic planning, internal audit or compliance training, and whether there are regulatory or compliance risks associated with doing business in other countries or other industries.

IT can also identify the current state of the company’s compliance controls, processes and capabilities. Many existing IT investments—ERP systems, reporting systems and controls monitoring systems implemented specifically to support SOX compliance—can be leveraged to improve the company’s overall compliance position.

Why It’s Worth the Effort

The objective of risk convergence is to establish an integrated approach and consistent set of processes that reduce redundant control activities, eliminate duplication in the business units, drive down costs and support strategic decision making. Convergence can reduce compliance gaps overall and risk management fatigue in the business units. It can facilitate a risk and control model that is more efficient and effective in supporting business needs, responding to regulatory change, and addressing demands for more granular risk-related disclosure. Both internal and external stakeholders will have greater confidence in the quality of the risk management, compliance and assurance model, with reduced remediation activities and positive external ratings reinforcing its value.

After all, the disparate kinds and sources of data notwithstanding, compliance mandates come down to the fundamental issues of integrity, availability, security, confidentiality and access. Expanding the overall charter and leveraging its potential for value delivery can establish IT as the center of excellence within the business, facilitating overall compliance and its resultant business process improvement. With IT at its best, risk convergence, although challenging, is possible. Choosing this path will reward the organization with a flexible, efficient, sustainable risk management framework that supports today’s business requirements and those of the future.

Matt Podowitz is an executive director in the Risk Advisory Services practice of Ernst & Young and is the firm’s global IT effectiveness leader. He has more than 16 years’ experience advising companies globally on strategic IT issues, including how to realize greater returns on their IT investments. Podowitz is also a Certified Information Systems Auditor and professional member of the Institute of Management Consultants.

Brian Tretick is an executive director in the Risk Advisory Services practice of Ernst & Young. He has more than 20 years’ professional experience in information security and has spent the past decade focused on privacy and data protection. Tretick also serves the IAPP as a regular member of the CIPP faculty.

The views expressed herein are those of the authors and do not necessarily reflect the views of Ernst & Young.