Why businesses need to consider regulatory pressures sooner rather than later
IT Managers need to step up to the plate and actively seek guidance on the compliance regulations that affect their organisations argues Justin Opie, Event Director, Technology for Compliance 2005. Those failing to understand the implications will see already strained relationships with the board further eroded by the introduction of external providers.
The raft of compliance requirements now facing UK business is a minefield for the IT expert. For IT Managers, many already suffering strained relations with the board, compliance represents a significant challenge. With IT providers still assimilating the issues, traditional reliance on vendors for advice and best practice is simply not viable. But with company directors facing severe fines and even prison sentences for non-compliance, avoiding the issue is plainly not an option. IT Managers have got to learn the language of compliance and discover fast just which of the many requirements, from anti money laundering to Freedom of Information, are most relevant to each organisation.
Only once the implications of compliance are understood can a company prioritise requirements and seek out point technology solutions, from security to storage, to meet objectives. Those IT managers failing to step up to the plate will find external compliance experts putting a further wedge between IT and the board as budgetary control is wrested.
But the good news for switched on organisations is that compliance is not all about soured relationships and high costs. As Gartner recently asserted: successful compliance is slowly and painfully emerging as a key competitive differentiator for business entities. Those organisations that take responsibility for understanding compliance can implement IT solutions that not only meet regulatory requirements but also leverage improved information lifecycle management to attain significant commercial value.
The challenges of new compliance legislation are grabbing the headlines – and, in the main, the story is far from positive. With publicly quoted US organisations believed to be investing an average $1.5 million on Sarbanes Oxley compliance alone, the cost of compliance is perceived to be, potentially, a major business disadvantage, reallocating budget from other investments that could deliver quantifiable business value.
Furthermore, analysts such as Gartner have real fears that much of this investment will be wasted. "Enterprises that choose one-off solutions for each regulatory challenge that they face will spend ten times more on compliance projects than their counterparts that take a proactive approach," said French Caldwell, research vice president at Gartner. "Although there may be times when adopting a "quick and dirty" solution may be necessary to meet deadlines, enterprises should avoid committing too much time, effort or data to such systems."
This is hardly surprising, given that many IT vendors have been caught on the hop and are still struggling to deliver solutions that support customers' specific compliance requirements. Without good internal compliance understanding and expertise, simply interpreting the guidelines has been a challenge – and turning that interpretation into viable technology solutions has taken time.
This delay combined with a widespread acknowledgement amongst organisations that vendors cannot deliver the level of expertise required is set to turn the relationship between IT vendors and customer on its head. For the first time IT vendors are no longer in the driving seat and cannot dictate terms as they have in the past; terms that have enabled them to walk away scott free from even the most disastrous implementations.
This shift changes the onus for IT Managers, however. For years, organisations have relied on the advice of specific vendors to address key issues – from accounting changes to the introduction of new technologies such as eprocurement or CRM. But compliance legislation cannot be addressed on a departmental basis, it affects every aspect of the business.
For example, if the accounting vendor introduces an upgrade to support International Accounting Standards – what is the implication for the organisation's approach to Data Protection or Freedom of Information? How will that solution be incorporated into the processes required for anti-money laundering legislation?
One of the major problems is that different organisations face different compliance issues – and different regulations require different solutions. Organisations need to get a handle on their own compliance requirements, preferably within a forum that supports shared experiences between companies. This is key, since similar organisations will face similar compliance requirements – there is no need to reinvent the wheel. Once the implications are understood it will be far easier for IT Managers to identify the relevant point solutions – such as security, storage or information retrieval tools – that are required to achieve compliance objectives.
Taking ownership of compliance in-house, rather than relying on the less than convincing arguments of an IT vendor, not only reduces the risks associated with interpreting compliance legislation within each vertical sector but also enables organisations to leverage the growing awareness that compliance can deliver significant commercial benefits – as demonstrated by the increasing number of non publicly quoted organisations in the US opting to implement Sarbanes Oxley to attain the benefits inherent within improved information lifecycle management.
This attitude is certainly at odds with that endemic across the UK where a lacklustre acceptance combines with a cynicism about the rigours of the monitoring process to push compliance back down the corporate agenda.
And there are realistic concerns that relevant authorities will have neither resources nor commitment to police compliance. But compliance is not a goal in its own right it is designed to prevent inappropriate activity: should an organisation that has eschewed its compliance requirements find itself in court for any reason – from fighting an employee claim for unfair dismissal onwards, a lack of compliance will result in significant penalties.
Furthermore, stakeholders – from suppliers to customers and shareholders – will increasingly demand a demonstration of compliance. No merger or acquisition activity will be viable without it; and many suppliers are increasingly insisting on compliance to the PAS56 business continuity standard at the very least before entering into a partnership.
And, as US companies demonstrate, compliance can represent a significant advantage. While UK and European banks are complaining about the price of compliance to the BASEL II banking standard due in 2006, US banks view compliance as an opportunity for significant competitive differentiation. At the same time many UK organisations are actively ignoring the International Accounting Standards due in January, despite widespread adoption throughout Europe.
Compliance is not an option – it is an obligation. And it has many hidden benefits from improved information flows and automation to a shift in the customer/vendor relationship. Those organisations that take responsibility for understanding their own compliance requirements will be well placed to exploit the new relationship to drive improved Service Level Agreements and attain a level of responsibility from vendors that is unprecedented in this industry.
Justin Opie is Event Director for Technology for Compliance 2005