Compliance: Turning IT cost into benefit

Complying with legislation from financial regulations such as Sarbanes-Oxley to environmental laws such as the Waste Electrical and Electronic Equipment (WEEE) directive are placing an increasing burden on IT management and their budgets.

A recent survey by the Economist Intelligence Unit, Sustainable Compliance, revealed that complying with legislation was cited as one of the biggest issues facing the IT departments of more than 74 percent of all US companies and 45 percent of European companies. This probably has a lot to do with the penalties for those companies who neglect, or fail to understand how, to comply with legislation to the required standard. These can be extremely harsh, not only in terms of fines but also damage to brand image and customer and shareholder confidence. Failure to comply with some legislation can even result in prison sentences for senior executives — a big motivator to get the process the right.

For the full Webcast of this event click here.

However, increasingly companies are hoping that processes that have often been forced on them can actually have wider benefits for the organisation beyond merely avoiding penalties. Experts cite factors such as visibility of risk, increased accuracy of financial reporting, and better IT governance as side-effects of successful legislative compliance. And increasingly it appears that senior management are expecting to see tangible improvements from compliance and IT governance initiatives in addition to meeting responsibilities under the law.

However, realising these associated improvements requires careful planning and implementation. Factors such as the IT department's perceived lack of awareness of wider business issues and insufficient budgets to manage the process adequately are just some of the barriers preventing the loftier aims of some compliance projects from being achieved..

As part of an exclusive Webcast, ZDNet UK sat down with three leading experts in compliance and its impact on the IT department, to discuss the best strategies for IT management to employ when approaching compliance projects.

Representing the IT vendor was Margaret Brooks, vice-president of strategic solutions at CA. She has over 20 years of industry experience and has led the compliance software team at CA for several years.

Michael Colao is director of information management & head of information security, for investment bank Dresdner Kleinwort Wasserstein and is uniquely placed to hold forth on the impact complying with complex — and sometimes competing — international legislation has on the IT department of a multinational corporation.

Finally, Erol Mustafa, Ernst & Young partner with responsibility for the UK firm's IT Internal Audit services and Information Analysis solutions was on hand to provide the consultant's view. He has more than 15 years' experience in financial and IT audit, project management and information systems development.

Compliance is a word banded around at the moment but what does it actually mean and what role does IT have to play?
MB: Compliance is basically adherence to the regulations that different countries have. There are different kinds of regulations, most of them are around financial controls, things like Sarbanes-Oxley, Basel II. The other category is around privacy such as the EU Data Protection Act and the third area is around fraud such as anti-money-laundering legislation. The IT department really has two different roles in compliance, the first being that there is technology out there to enable people to adhere to compliance and make it easier and more productive. Also because IT is so pervasive in today's companies, it is inherent to have to deal with compliance because compliance effects all business.

Is the amount of legislation that European businesses have to deal with actually on the increase or is compliance something that companies always had to deal with?
EM: There has always been compliance requirements impacting on listed institutions. But certainly what we have seen is an increase in the complexity of IT requirements and the diversity of them. The impact of those two drivers on the IT department drives the need for a holistic and enterprise wide approach to dealing with that change.
MC: I would add to that there have been a lot of new laws, a lot of new complexity but the basic requirements remain the same. There is huge amounts of new legislation in the area of information security but if all that legislation vanished tomorrow, I wouldn't change the security posture of my bank. We run a secure operation not because some regulator requires it but because our customers expect us to run a secure bank. Most of these regulations stem from a very basic duty of care to all the stakeholders and customers and have been in the common law for a very long time.

What impact does the fact that senior managers are not personally liable if some regulatory responsibilities are not met adequately?
MC: There is an increased level of personal liability and personal requirements because the legislators found that it works. If you threaten to throw someone in jail they will do stuff. But I am convinced that increasingly that leads to a reduction in the quality of the decisions that are being taken. It used to be that if you had a decision to take that you would understand your industry, you'd understand your marketplace, you'd take a decision based on your personal experience. And that used to be good, and better often than what you are seeing today when you can go to prison if you can't justify the decision — which makes your knowledge and understanding of the market less important. In some cases we are seeing legislation that was brought in to raise the quality of decision making in regards to risk, actually resulting in worse decisions.

Are companies putting pressure on their IT departments not only to comply but to actually realise improvements/long term savings from compliance?
MC: They should. If you have an appropriate control structure in place, if you have an understanding of what your firm is doing and how your firm is doing it, then that information can be leveraged absolutely to business advantage.
EM: Overall it can be show that well controlled organisations are more profitable, which is one key measure of success.
MB: It comes down to operational efficiency — that's what it amounts to.