IBM panelists cite regulatory compliance successes, challenges

Near-term compliance requirements prevent companies from transforming business processes

NEW YORK -- U.S. companies will invest billions of dollars this year in technologies and consulting services to help them comply with the Sarbanes-Oxley Act, HIPAA and other regulations, according to industry analysts.

But although there's an opportunity for companies to leverage those investments to automate and otherwise improve their business processes, few organizations have been able to do so because they're so focused on meeting rapidly approaching regulatory deadlines, said executives at an IBM compliance conference here yesterday.

For instance, most publicly held companies have until mid-November to document the internal controls they use to manage their finances under Section 404 of the Sarbanes-Oxley Act. Because companies are racing to meet this deadline, many are so "tactically focused" on this requirement that they haven't been able to make more far-reaching changes to their businesses, said Susanne Ruschka-Taylor, a partner and Americas leader for business risk management at IBM Consulting Services.

"If you're going to spend [billions of dollars] on these initiatives, you might as well get something out of it," said Adrian Bowles, director of education and research at the IT Compliance Institute in Westport, Conn.

But that's been tough for corporate officers wrestling with compliance deadlines for a slew of federal and industry regulations, including the USA Patriot Act and, for companies in the financial services industry, the New Basel Capital Accord. Known as Basel II, the New Basel Capital Accord is an international regulation that would require banks to tighten their integration of back-office systems and use more sophisticated risk management tools.

Regulatory experts said it makes more sense for companies to develop a compliance framework rather than installing stand-alone systems to support each regulation. Such a framework would provide them with an underlying set of technologies and monitoring tools that they can apply to all regulatory requirements.

"We're not that sophisticated yet, but it's something we're trying to work toward," said John Benninger, senior vice president of risk management and corporate governance at Huntington Bancshares Inc.

Columbus, Ohio-based Huntington Bancshares has set aside roughly $500,000 for Section 404 compliance, said Benninger. The bank is spending some of that money on the IBM Lotus Workplace for Business Controls and Reporting, a system from IBM for managing internal controls and data requirements under Section 404.

Huntington Bancshares began populating the IBM system in October and plans to put Version 2 of the software, which was announced here at the event, into production by the end of this month, said Benninger.

Other IBM customers who spoke at the event also acknowledged that they're making little progress in creating a compliance framework.

"I have to admit we have a lot of work ahead of us," said David Lindstrom, chief privacy officer at Penn State University. Students at the university's School of Information Sciences and Technology are developing a wireless system based on IBM's mobile database platform, DB2 Everyplace, to create, update and delete patient records securely from any location at the school's Milton S. Hershey Medical Center. The system is being used to meet the patient privacy requirements of HIPAA, or the Health Insurance Portability and Accountability Act.

Stan Aungst, assistant professor of information sciences and technology at Penn State, said the university hasn't decided when the wireless system will be put into place.

Copyright © 2004 IDG Communications, Inc.