Building a Compliance Framework

As the flow of mandates continues, CIOs who can integrate corporate compliance efforts will be ahead of the pack.

Do you break out in a cold sweat whenever you hear the phrase Section 404? When a co-worker mentions HIPAA, do you race back to your office to figure out the earliest possible date you can retire?

If so, we've got some bad news: The Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, the USA Patriot Act and other regulations of their ilk are just the beginning. For the foreseeable future, you can expect a steady flow of industry, state, federal and international mandates that codify the way businesses gather, store, manage and report information.

Naturally, IT will play a key role in compliance. But will that role be one of leadership or mere execution? Can IT create systems and processes that allow the corporation to easily comply with any new regulation it encounters, regardless of that regulation's specifics and origin? These are key questions, and millions of dollars ride on the answers.

Some doubt such preparedness is feasible. "Predicting the next big regulation is like trying to predict the weather," says Thomas Watson, information security project lead at West Haven, Conn.-based Bayer Pharmaceutical. "Who knows what's going to come down next?" Others, however, believe it's both possible and necessary to create a compliance management infrastructure and environment that can make future regulations less onerous to follow. Here's a look at the benefits of compliance management, the hurdles and the steps companies can take to get started.

Making Lemonade

The most persuasive reason to institute a compliance management culture is to reduce the cost of meeting individual regulations. A look at the price tag for Sarbanes-Oxley drives home the point. In a January 2004 survey of 321 companies, industry group Financial Executives International found that for large companies, the average cost of compliance with Section 404—Management Assessment of Internal Controls—was $4.6 million, including 35,000 hours of internal staff time, $1.3 million for consulting and software and $1.5 million in new audit fees.

Business Roundtable, an association of CEOs of U.S. companies, conducted another survey in July 2003 in which it polled 150 CEOs at large companies. Half said their compliance costs would range from $1 million to $5 million; some estimates topped $10 million.

The good news is that the cost of Sarbanes-Oxley compliance, along with that of HIPAA, can be used as a basis for meeting future regulations. According to Stamford, Conn.-based Gartner Inc., public companies that adopt a comprehensive compliance management architecture will spend 50% less per year than those that don't.

"In many organizations, the first reaction to a new regulation is to create a 'tiger team' " to address the issues, says Gartner analyst Lane Leskela. "But if you've got these teams for three or more regulations, the redundancy makes no sense."

A compliance strategy can also provide a competitive edge. If your business can respond quickly to new regulations while others in your industry remain stuck in tiger-team mode, the advantage goes to you.

Spearheading

While it's tough to anticipate future regulations, it's a sure bet that data-gathering will be a critical component of compliance. That's why it makes sense for CIOs to lead the charge.

"When business leaders look at compliance, they look at the letter of the law, not repeatability," says John Hagerty, an analyst at Boston-based AMR Research Inc. "IT can say, 'Here's how we can automate so it's not such a pain next time.' " Technologists can lead the compliance effort because they can ignore departmental and line-of-business barriers and comprehend the big picture regarding data and data flow.

It's also important to lead externally by leaning on software vendors to more fully develop their offerings so that there are fewer security vulnerabilities and less reliance on patches. Experts say today's premature commercial software rollouts and subsequent frequent patching make it difficult for companies to vouch for the integrity of their systems. Where data integrity and security are concerned, "IT must say to suppliers that it cannot live with unsafe technology," says Alan Paller, director of research at the SANS Institute in Bethesda, Md. "Today, there's not sufficient pressure; IT groups are allowing vendors to sell them systems full of holes."

Elements

So how do you create systems with an eye toward compliance? Gradually, for starters; nobody expects IT groups to toss their infrastructures overboard and start from scratch. John Mancini, president of industry group AIIM International in Silver Spring, Md., says one digestible approach is to keep in mind a regulation that you know is pending. Then, when you upgrade a technology component that will be affected by that regulation, shop accordingly. For example, a business that's heavily affected by HIPAA should consider that regulation when exploring access-control offerings.

AMR's Hagerty agrees. "You can't buy a compliance architecture; they don't exist," he says. "So you look at hot buttons for your company to see what you must handle first, and use that to decide what architecture pieces you must put in place first."

Myriad technologies play a role in compliance support:

  • Business process management applications, for both reporting and risk forecasting.
  • Enterprise resource planning, to ensure that controls are in place.
  • Search and retrieval, for information discovery and communications monitoring.
  • Storage (software and hardware), to protect and retain data.
  • Security, to control access, protect data and ensure that systems are auditable.
  • Content management, to control access and handle document compliance efforts.
  • Records management and e-mail archiving, to meet retention regulations.
  • Data and application integration, to make unstructured data usable and ensure the data's reliability.
  • Business process automation, to monitor key processes and define relationships among data.

In addition, vendors have begun to roll out general-purpose compliance management applications (as opposed to applications focused on a single regulation). Axentis Inc., IBM, Documentum and FileNet Corp. have fielded products, and many others are expected to follow suit.

Challenges

IT managers who attempt to raise company consciousness about compliance shouldn't necessarily expect a hero's welcome. According to Gartner's Leskela, too many corporations still approach regulations the way they did when Sarbanes-Oxley became an issue: "Businesses decided this was an issue for finance, and finance said to IT, 'You'll get involved when we say you'll get involved,' " he says.

Leskela adds that in interviews with many of the largest, best-managed companies in the U.S., Gartner found a dispiriting number of process management silos preventing legal, financial audit and IT audit groups from working together. "Organizations just don't connect senior management of business divisions to [corporate] legal, IT and finance groups," he says.

Making these connections is the first challenge, and a prickly one at that. Volunteering to lead the company's compliance management program is sure to be viewed by some as a power grab. Nevertheless, it's worth the effort.

Ulfelder is a Computerworld contributing writer in Southboro, Mass. Contact him at sulfelder@charter.net.

Technologies Involved in Compliance

Columns: SOX = Sarbanes-Oxley; HIPAA; GLB = Gramm-Leach-Bliley; 17a-4 = SEC 17a-4; Part 11 = 21 CFR Part 11; Basel II; Patriot = USA Patriot Act; SB 1386 = Calif. SB 1386. A bullet (•) marks a technology that supports compliance with that regulation; a dash (-) means it does not apply.

Technology                                    SOX  HIPAA  GLB  17a-4  Part 11  Basel II  Patriot  SB 1386
Financial compliance and BPM/analytical apps  •    -      -    -      -        •         -        -
ERP                                           •    -      -    -      -        •         -        -
Business intelligence and data warehousing    •    -      -    -      -        •         -        -
Content/document management and search        •    •      •    •      •        •         •        •
Data/app integration                          •    -      -    -      •        •         -        -
Business process automation                   •    •      -    -      •        •         -        -
Records management and e-mail archiving       •    •      -    •      -        •         •        -
Storage SW/HW                                 •    •      -    •      •        •         •        -
Security                                      •    •      •    •      •        •         •        •

Source: IDC, 2004