Compliance and IT

When neither the auditors nor top management understand that IT can greatly reduce certain classes of compliance risk, it's up to us to take that ball and run with it - to bigger budgets, greater executive credibility, and better run businesses.

Some common wisdom:

  • Legal defense costs aren't IT costs. For example, a discovery requirement initiated as part of a lawsuit over a non-IT-related matter can create huge staff and legal costs but can't be attributed to IT.

  • A regulatory, court, or government mandated product recall that has nothing to do with IT isn't chargeable to IT. For example, a fourteen-million-pound hamburger recall initiated because it can't be shown that no material from a diseased animal was ever allowed into or near the production process is not attributable to IT.

  • Personal costs incurred by employees because a third party lost a laptop full of personnel data aren't attributable to IT. For example, the internal IT people can't be held responsible if the treasury department hired a name-brand accounting firm to review its pensions management options and one of that firm's professionals lost a laptop loaded with employee payroll data.

In all three cases the common wisdom is dead wrong - these are all IT failures. More subtly, these all resulted from failures by top management to tell their IT people to do the right things to avoid these problems - and arguably, therefore, these are the fault of the IT people who didn't successfully sell top management on the need to authorize and fund appropriate pre-emptive measures.

The first one's easy: every document, every record from the phone switch to board minutes, should go on a write-once device, be duplicated once, with both copies stored separately on removable media tracked using standard chain-of-evidence methods. For Intel the costs wouldn't have amounted to a million a year - and for the average company with three or four sites and a few thousand employees it's typically in the hundred-thousand-a-year range.

The second one depends on what's installed at the packing plants. Fundamentally it's not hard to track most cuts from the animal to the retailer, but things get rather more difficult on standardized, higher-volume, composite products like hamburger and sausages, where the right answer involves breaking production into batches separated by environmental and machine testing. That's practical with modern automated gear but impractical with older stuff - so if you've got older gear and manual processes, remediation starts with plant-floor change, but all of it gets driven by IT's ability to limit the costs of compliance.

The third one is the most directly IT related - and correspondingly easy to deal with: a matter of getting top level management to accept and enforce sensible policies on data access.

Notice that all three examples (and as many more as you may want to come up with) require top management to either take, or agree to and enforce, IT action. To get them to do it, focus on the cost of litigation and related insurance, and go from there to whatever intangible costs - like loss of market credibility for them as well as the company - apply in your business.

Now as far as I know - which isn't very far given that I'm distant from these kinds of discussions - no major insurer currently focuses on positive IT action in terms of risk reduction and loss prevention, but all of the majors have people who provide risk reviews and offer to help customers understand and mitigate risk. So talk to your own senior managers first, then get your insurer involved - because the bottom line is simple: it can't hurt to do your homework, and you could end up with some additional budget and a lot more credibility in the executive suite.