Compliance and Office Politics

Written by Natalie Gagliordi, Contributor

While much of the heavy lifting for compliance work falls to the CIO and the IT department, it's corporate leadership and the internal financial auditors whose butts are really on the line. That naturally leads to some tension within organizations. Managing that tension so that organizations can take advantage of the benefits of compliance is an important part of the process.

I was reminded of this listening to the first half of Dan Farber's interview with Trent Henry of the Burton Group. Trent really nails a number of key insights about compliance. Here are a few of my notes from that audiocast:

In many organizations there's a chief risk officer, who in the past had more to do with financial risk. Now we see them very much involved in regulatory risk. Other organizations are employing chief privacy officers, to not only focus on privacy of employee records but also customer records, which we're very much now required to protect adequately.

One thing that's very important is for IT organizations to form relationships with their audit teams. Many times in the past we've seen a bit of an adverse relationship between our internal auditors and the IT teams. Now we really need to come together as a team, both to understand the fundamental requirements in order to design the controls in the organization before the auditors step in -- and to design the testing and assessment of controls over time.

We're understanding how to speak each other's language. We understand we can't just lob bombs back and forth. When I talk to large organizations, they concur that they're working more closely with the audit and security teams; they're able to cooperate and succeed when the regulations come down the pipeline.

In many ways, that cooperation is key to realizing the very substantial benefits of applying compliance goals and controls throughout the organization.
