IT and Compliance: Applying Lessons Learned
More regulations affecting continuity and security have been passed in the last three years than in the 20 years prior, and there's no evidence to suggest that the pace will diminish in the near future. While this onslaught of regulations is complex, a disciplined approach is required to deal with it and will ultimately benefit individual businesses, as well as the economy at large. The inclusion of technology in operational risk discussions by business strategists helps bring the subject to the attention of the C-suite. But we also know that many organizations struggle with integrating IT into the governance, risk management, and compliance (GRC) equation. This article rounds up some of the trends we are seeing today.
Expect More, not Fewer, Regulations
Regulations are nothing new, but since September 11 they seem to be multiplying. Soon after those attacks, regulators were responding to terrorism-and focused on protecting our economic infrastructure and restoring investor confidence.
More recently, the focus has shifted to the risks inherent in new business models-such as Web-based self-service and offshore outsourcing. These new practices introduce heightened dependence on technology, as well as increasingly complex business and partner relationships. If you're like most, you're embracing these models to improve efficiency-and that makes it imperative for you to stay informed about associated risks and regulations. Consider, for example, California SB 1386 (effective 2002) and California AB 1950 (in effect in 2005). Both laws pertain to identity theft and require companies to proactively inform customers when an information security breach occurs. There is still debate about the clarity of these laws-and exactly what consumers are supposed to do upon being notified of a breach. Other states are keeping a close eye on California initiatives, and Sen. Dianne Feinstein (CA) has proposed national privacy protection legislation. If you're skeptical about the need for such laws, you must've missed recent news reports about ChoicePoint and the Seisnt unit of Reed Elsevier. ChoicePoint-the Atlanta-based firm that maintains databases of information on virtually every U.S. consumer-recently disclosed that personal information about some 145,000 individuals had been compromised. Data included names, addresses, Social Security numbers, credit reports, and more. Seisnt-a ChoicePoint competitor-has also been the victim of a similar security breach. The unit, based in Boca Raton, FL, reported in March that hackers compromised databases and stole information about 32,000 individuals. Thanks to breaches like those, the public is sure to demand better protection of personal information-fueling additional legislation.
Address IT's Role in Business Processes
Despite the continual creation of new regulations, many organizations have been focusing efforts on immediate compliance requirements-in 2004, Year One requirements for Sarbanes-Oxley (SOX). There's been extensive dialog between the CEO, CCO, CFO, and the board, with the most intense focus being on requirements for financial filings. But there has also been a lack of explicit communication with CIOs. As the specifics regarding IT's role in SOX compliance continue to evolve over the next year, more executive attention will be paid to the issue of internal controls for technology. Without a thorough understanding of the role IT plays in a business, compliance efforts can cause confusion. For instance, one company's legal department mandated that IT establish 30- or 60-day time limits for keeping e-mail. That might look good on paper. But, when put under a requirements microscope, it could have spelled disaster. Why? Because when e-mail is used to support key business processes, it needs to be accessible much longer than 30 or 60 days. And, in this case, e-mail was indeed being used for contractual exchanges by the procurement and human resources departments, among others.
Clearly, IT must be involved in compliance discussions, so that the flow of business processes is truly understood. Then it is possible to create e-mail retention policies that effectively balance compliance risks against business needs. This company's experiences drive home the point that you cannot address regulations in a vacuum.
If Necessary, Force the Discussion
For the first time in history, CEOs are being held personally accountable for the financial statements of their companies, with penalties including personal fines and jail time. Likewise, CIOs can be indicted for not suitably reporting control breakdowns. Many IT professionals report that their companies are requiring formal internal controls attestations signed by the CIO. Failure to sign can result in termination. For the CIO, these requirements compound the pressure to maintain a position as strategic contributor to the business. If you haven't already, force the IT discussion and earn your spot at the C-level table. It's the only way to avoid the trap of a siloed approach to GRC. It's also the only way to ensure that your organization is adequately covering IT's role in creating-and mitigating-compliance risk.
Noncompliance Is More Costly than Compliance
Understandably, most businesses are focused on growth strategies and resent investments for the sake of regulatory compliance. There's no question that achieving and maintaining compliance doesn't come cheap, but the costs pale in comparison to the potential costs of noncompliance. And the fact is, by implementing effective GRC, an organization positions itself for improved performance and increased efficiency, among other benefits. Indeed, the PricewaterhouseCoopers annual CEO survey revealed that CEOs who view GRC as an investment see far better results from their efforts. (The survey also revealed that a majority of CEOs don't have a clear handle on just how much they're spending on compliance.) It is smart to focus on the business benefits of compliance-and the potential costs of noncompliance. A quick perusal of the SEC's press release Web page reveals the potential of increased scrutiny, large fines, and reputational impacts. Your resources would end up diverted away from core business functions and, ultimately, productivity would be diminished. Compliance may be one area where Meskimen's Law-"There's never time to do it right; there's always time to do it over"-simply does not apply. When it comes to GRC, you really can't afford not to do it right the first time.
Once you've absorbed the requirements of the growing body of security and continuity regulations, it becomes clear that you need to approach compliance as a process-not as a series of one-time projects. In summary, the following is recommended:
- Set the right tone from the top down. Executive support is essential. And, it must reflect the full range of business processes, including IT and related interconnections and interdependencies to other parts of the organization. Make sure that your compliance team includes executives from all major areas of your business.
- Use a programmatic approach. When it comes to security and continuity, don't fall back on "tribal knowledge." Instead, rely on established standards, such as Control Objectives for Information and related Technology (COBIT) for internal controls and ISO 17799-best practices that will help you address the majority of regulatory requirements, even if you are subject to multiple agencies. And, be sure to document your approaches. Documentation not only keeps everyone in your organization on track; it's also critical for demonstrating your efforts to achieve compliance.
- Build awareness throughout your organization. Compliance isn't just the purview of the board or the legal department. Compliance must be an integral part of your organizational culture-with all employees aware of their roles in delivering optimal security and continuity.
- Take quality to the next level. For years, the Federal Financial Institutions Examination Council (FFIEC) has been auditing continuity testing. Organizations accustomed to FFIEC oversight now face even greater scrutiny. It's no longer sufficient to provide evidence of a test. Now organizations must also explain the test objectives, exposures that were identified as a result of the test-and plans for addressing those areas going forward. Testing is only one example of areas where quality improvement will prove beneficial.
- Measure your performance and track it over time. Metrics are of great value in compliance efforts. Without them, an IT department is likely to see continued dissatisfaction from the CEO and, more often, the CFO, who will be looking for quantitative evidence of internal control efficiency.
Regulations-including requirements for continuity and security-aren't going away. Savvy businesses recognize that an enterprisewide, holistic approach is the best (and most cost-effective) means of achieving compliance. And, in today's environment of technology dependence, the biggest lesson is that IT must be part of the compliance discussion.
Patricia McAnally is senior director with SunGard Availability Services (Wayne, PA). She can be reached at (484) 582-5785.