Building a Compliance Framework
As the flow of mandates continues, CIOs who can integrate corporate compliance efforts will be ahead of the pack.
July 5, 2004 12:00 PM ETComputerworld -
Do you break out in a cold sweat whenever you hear the phrase Section 404? When a co-worker mentions HIPAA, do you race back to your office to figure out the earliest possible date you can retire?
If so, we've got some bad news: The Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, the USA Patriot Act and other regulations of their ilk are just the beginning. For the foreseeable future, you can expect a steady flow of industry, state, federal and international mandates that codify the way businesses gather, store, manage and report information.
Naturally, IT will play a key role in compliance. But will that role be one of leadership or mere execution? Can IT create systems and processes that allow the corporation to easily comply with any new regulation it encounters, regardless of that regulation's specifics and origin? These are key questions, and millions of dollars ride on the answers.
Some doubt such preparedness is feasible. "Predicting the next big regulation is like trying to predict the weather," says Thomas Watson, information security project lead at West Haven, Conn.-based Bayer Pharmaceutical. "Who knows what's going to come down next?" Others, however, believe it's both possible and necessary to create a compliance management infrastructure and environment that can make future regulations less onerous to follow. Here's a look at the benefits of compliance management, the hurdles and the steps companies can take to get started.
Making Lemonade
The most persuasive reason to institute a compliance management culture is to reduce the cost of meeting individual regulations. A look at the price tag for Sarbanes-Oxley drives home the point. In a January 2004 survey of 321 companies, industry group Financial Executives International found that for large companies, the average cost of compliance with Section 404Management Assessment of Internal Controlswas $4.6 million, including 35,000 hours of internal staff time, $1.3 million for consulting and software and $1.5 million in new audit fees.
Business Roundtable, an association of CEOs of U.S. companies, conducted another survey in July 2003 in which it polled 150 CEOs at large companies. Half said their compliance costs would range from $1 million to $5 million; some estimates topped $10 million.
The good news is that the cost of Sarbanes-Oxley compliance, along with that of HIPAA, can be used as a basis for meeting future regulations. According to Stamford, Conn.-based Gartner Inc., public companies that adopt a comprehensive compliance management architecture will spend 50% less per year than those that don't.
"In many organizations, the first reaction to a new regulation is to create a 'tiger team' " to address the issues, says Gartner analyst Lane Leskela. "But if you've got these teams for three or more regulations, the redundancy makes no sense."
IT Management
Additional Resources



White Papers & Webcasts
Forrester Consulting - Optimizing Users and Applications in a Mobile World
Learn how to successfully deploy a WAN optimization solution that is specifically tuned for a mobile environment!
Faster, Cheaper and Easier to Maintain
Can you afford not to upgrade your servers to today's advanced, energy-efficient technologies?
Effectively Implementing Datacenter Automation
Effectively select and deploy the best datacenter automation solution today!
The State of PCI DSS Compliance at Organizations Today
Download this resource today!
Aligning IT to Business: The Rising Importance of Application Delivery Networks
Application Delivery Networking (ADN) will play a vital role in helping enterprises incorporate strategic technologies to achieve business initiatives.
IDC Research Report: The Business Value of Consolidating on Energy-Efficient Servers
Download this Resource Now!
HP Technology Guide for Scalable Business Solutions
Download This Resource Now!
Mitigate Risk, Lower Costs and Improve Network Efficiency
Create a stable IP network that not only meets today's challenges, but is flexible enough to also meet future demands.
