
Building a Compliance Framework

As the flow of mandates continues, CIOs who can integrate corporate compliance efforts will be ahead of the pack.

July 5, 2004 12:00 PM ET

Computerworld - Do you break out in a cold sweat whenever you hear the phrase Section 404? When a co-worker mentions HIPAA, do you race back to your office to figure out the earliest possible date you can retire?


If so, we've got some bad news: The Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, the USA Patriot Act and other regulations of their ilk are just the beginning. For the foreseeable future, you can expect a steady flow of industry, state, federal and international mandates that codify the way businesses gather, store, manage and report information.


Naturally, IT will play a key role in compliance. But will that role be one of leadership or mere execution? Can IT create systems and processes that allow the corporation to easily comply with any new regulation it encounters, regardless of that regulation's specifics and origin? These are key questions, and millions of dollars ride on the answers.


Some doubt such preparedness is feasible. "Predicting the next big regulation is like trying to predict the weather," says Thomas Watson, information security project lead at West Haven, Conn.-based Bayer Pharmaceutical. "Who knows what's going to come down next?" Others, however, believe it's both possible and necessary to create a compliance management infrastructure and environment that can make future regulations less onerous to follow. Here's a look at the benefits of compliance management, the hurdles and the steps companies can take to get started.


Making Lemonade


The most persuasive reason to institute a compliance management culture is to reduce the cost of meeting individual regulations. A look at the price tag for Sarbanes-Oxley drives home the point. In a January 2004 survey of 321 companies, industry group Financial Executives International found that for large companies, the average cost of compliance with Section 404—Management Assessment of Internal Controls—was $4.6 million, including 35,000 hours of internal staff time, $1.3 million for consulting and software and $1.5 million in new audit fees.


Business Roundtable, an association of CEOs of U.S. companies, conducted another survey in July 2003 in which it polled 150 CEOs at large companies. Half said their compliance costs would range from $1 million to $5 million; some estimates topped $10 million.


The good news is that the cost of Sarbanes-Oxley compliance, along with that of HIPAA, can be used as a basis for meeting future regulations. According to Stamford, Conn.-based Gartner Inc., public companies that adopt a comprehensive compliance management architecture will spend 50% less per year than those that don't.


"In many organizations, the first reaction to a new regulation is to create a 'tiger team' " to address the issues, says Gartner analyst Lane Leskela. "But if you've got these teams for three or more regulations, the redundancy makes no sense."


