Compliance: Turning IT cost into benefit

Complying with legislation is often seen as a cost and even a distraction from growth but can meeting regulatory requirements actually have benefits for IT departments and the businesses they serve?

Complying with legislation from financial regulations such as Sarbanes-Oxley to environmental laws such as the Waste Electrical and Electronic Equipment (WEEE) directive are placing an increasing burden on IT management and their budgets.

A recent survey by the Economist Intelligence Unit, Sustainable Compliance, revealed that complying with legislation was cited as one of the biggest issues facing the IT departments of more than 74 percent of all US companies and 45 percent of European companies. This probably has a lot to do with the penalties for those companies who neglect, or fail to understand how, to comply with legislation to the required standard. These can be extremely harsh, not only in terms of fines but also damage to brand image and customer and shareholder confidence. Failure to comply with some legislation can even result in prison sentences for senior executives — a big motivator to get the process the right.

For the full Webcast of this event click here.

However, increasingly companies are hoping that processes that have often been forced on them can actually have wider benefits for the organisation beyond merely avoiding penalties. Experts cite factors such as visibility of risk, increased accuracy of financial reporting, and better IT governance as side-effects of successful legislative compliance. And increasingly it appears that senior management are expecting to see tangible improvements from compliance and IT governance initiatives in addition to meeting responsibilities under the law.

However, realising these associated improvements requires careful planning and implementation. Factors such as the IT department's perceived lack of awareness of wider business issues and insufficient budgets to manage the process adequately are just some of the barriers preventing the loftier aims of some compliance projects from being achieved..

As part of an exclusive Webcast, ZDNet UK sat down with three leading experts in compliance and its impact on the IT department, to discuss the best strategies for IT management to employ when approaching compliance projects.

Representing the IT vendor was Margaret Brooks, vice-president of strategic solutions at CA. She has over 20 years of industry experience and has led the compliance software team at CA for several years.

Michael Colao is director of information management & head of information security, for investment bank Dresdner Kleinwort Wasserstein and is uniquely placed to hold forth on the impact complying with complex — and sometimes competing — international legislation has on the IT department of a multinational corporation.

Finally, Erol Mustafa, Ernst & Young partner with responsibility for the UK firm's IT Internal Audit services and Information Analysis solutions was on hand to provide the consultant's view. He has more than 15 years' experience in financial and IT audit, project management and information systems development.

Compliance is a word banded around at the moment but what does it actually mean and what role does IT have to play?
MB: Compliance is basically adherence to the regulations that different countries have. There are different kinds of regulations, most of them are around financial controls, things like Sarbanes-Oxley, Basel II. The other category is around privacy such as the EU Data Protection Act and the third area is around fraud such as anti-money-laundering legislation. The IT department really has two different roles in compliance, the first being that there is technology out there to enable people to adhere to compliance and make it easier and more productive. Also because IT is so pervasive in today's companies, it is inherent to have to deal with compliance because compliance effects all business.

Is the amount of legislation that European businesses have to deal with actually on the increase or is compliance something that companies always had to deal with?
EM: There has always been compliance requirements impacting on listed institutions. But certainly what we have seen is an increase in the complexity of IT requirements and the diversity of them. The impact of those two drivers on the IT department drives the need for a holistic and enterprise wide approach to dealing with that change.
MC: I would add to that there have been a lot of new laws, a lot of new complexity but the basic requirements remain the same. There is huge amounts of new legislation in the area of information security but if all that legislation vanished tomorrow, I wouldn't change the security posture of my bank. We run a secure operation not because some regulator requires it but because our customers expect us to run a secure bank. Most of these regulations stem from a very basic duty of care to all the stakeholders and customers and have been in the common law for a very long time.

What impact does the fact that senior managers are not personally liable if some regulatory responsibilities are not met adequately?

MC: There is an increased level of personal liability and personal requirements because the legislators found that it works. If you threaten to throw someone in jail they will do stuff. But I am convinced that increasingly that leads to a reduction in the quality of the decisions that are being taken. It used to be that if you had a decision to take that you would understand your industry, you'd understand your marketplace, you'd take a decision based on your personal experience. And that used to be good, and better often than what you are seeing today when you can go to prison if you can't justify the decision — which makes your knowledge and understanding of the market less important. In some cases we are seeing legislation that was brought in to raise the quality of decision making in regards to risk, actually resulting in worse decisions.

Are companies putting pressure on their IT departments not only to comply but to actually realise improvements/long term savings from compliance?
MC: They should. If you have an appropriate control structure in place, if you have an understanding of what your firm is doing and how your firm is doing it, then that information can be leveraged absolutely to business advantage.
EM: Overall it can be show that well controlled organisations are more profitable, which is one key measure of success.
MB: It comes down to operational efficiency — that's what it amounts to.

How much hype is there surrounding compliance? Are vendors and consultants guilty of overplaying the issues?
MC: There are two issues at stake here. One is are they over-hyping compliance? I honestly don't think they are. Compliance is a real issue and a significant challenge facing all of our organisations — that is real. However there a number of vendors who have seen that companies have to spend money for compliance — it is not discretionary spend — and have seen this as this great marketing tool and package whatever it is they sell as a compliance tool. I have seen the equivalent of, “This puts a clock in the upper left hand-side of your screen — this will help you with your Sarbanes-Oxley requirements”. Virtually every vague product on the market is seeing a compliance angle as a way of increasing the opening of wallets.

What about those companies that think they can just buy in some kind of quick fix as far as compliance goes?
MC: There is no quick fix. Not every company has the same attitude to risk, have the same risks, have the same processes, and if that is true, how are you going to have a single silver bullet compliance product? It doesn't exist. Talking to Margaret, I found out from her that it can be a real challenge with new sales people to get them to realise that there isn't a compliance product that you go outside and sell. There are a variety of products that support compliance and work around compliance but I think we see this in every industry but particularly in the IT industry when so much is tied to flogging this bit of kit to do this particular task.

EM: We have conducted a survey of the IT security agenda globally for more than eight years. In the last year we talked to about 1300 organisations in about 50 countries and for the first time in those eight years we found our customers telling us that regulatory compliance was the top driver to them ahead of achieving business objectives. So that was really telling me that this is an important issue regardless of whether there is hype or lack of clarity.

Should technology companies be taking a more proactive approach to compliance and try to encourage regulators to think in terms of IT impact when formulating new legislation?
MC: That is an interesting question. Yes and no. I don't think anyone goes into business to run a lobbying outfit — though most of us are members of various trade organisations or industry groups which do get involved in lobbying. However there is some value in this process. Ensuring that the regulations are going to be accurate and enforceable is important. For example it has been a long term worry that in the UK, a distributed denial of service attack is not actually illegal under the Computer Misuse Act. It is an unfortunate thing and probably vandalism but its not actually illegal. That is a classic example where some more technology lobbying or people actually commenting when legislators open up for comment on draft laws. However I don't think we are lobbyists and there is a very different approach to sitting down with regulators around the world.

MB: I would say that the consumer has had impact on this issue recently. For example in banks, tapes get transferred all the time, but now if they were to be lost that would end up in the media because the consumer is so much more aware of their privacy and their data. That is influencing the legislators of some of the laws dealing with consumer information.

Are companies considering how to manage unstructured data such as instant messages and emails when it comes to compliance?
MB: Email is definitely part of compliance and IM is also. Storing email lots have people have been doing for years. Storing the email is not the issue — it's storing it and protecting it, and being able to retrieve it when you need it is the issue. When you get to an investigation for instance you need to be able to retrieve that mail. IM is now a business record — even though people may not see it that way, it is. IM is becoming very similar. There are two theories on IM: either you turn it on and store it or you turn it off.

EM: One of the issues is the difference between data and information and the gulf between the two. I am not sure than many organisations are able to reconcile the two with ease. There is too much data out there and sometimes only a limited amount of information. Put against that backdrop, the need to retain data because of legislative requirements, and offer up that data as meaningful information for the business and that causes some challenges in a global environment.