As words go, “compliance” is not one to light up the imagination or put fire in the belly of the team. It suggests a dreary adherence to the rule book, with the added implications of auditing followed by penalties applied if you are found out to be non-compliant. Once the air begins to thicken with terms such as Sarbanes-Oxley Clause 303, HIPAA, BS7799, BS15000 and Basle II, management eyes tend to glaze over and weary arms reach in the direction of the little black book containing the phone numbers of consultants.
To paraphrase the title of one of the more widely quoted papers on the subject, Enron was the bankruptcy heard around the world, and Sarbanes-Oxley was the ricochet. Enough was enough, said the lawmakers: no more denial of responsibility by senior management of what’s going down on their watch, and certainly no more feeding of vital paper trail information to the shredders. In a nutshell, management must know what’s going on, and data must be stored responsibly.
SOX
Sarbanes-Oxley was brought into force in the US during 2002. The legislation was imposed to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. Since its inception, the legislation has left a great deal of confusion in its wake for the companies that fall under it.
Properly termed the US Public Company Accounting Reform and Investor Protection Act and more informally known as SOX, Sarbanes-Oxley defines what company records should be stored and for how long. It has an impact across company departments but has put increasing pressure on IT and networking departments, as they are now faced with the challenge of creating and maintaining electronic corporate archives that satisfy US legislation.
As part of the act, section 404 requires a management assessment of internal controls within a company’s annual reporting, providing a statement of responsibility for these controls and demonstrating that the controls are adequate for accurate and complete financial reporting. A large part of internal control is documenting details about the use of and investment in assets. Assets may be misrepresented in accounting audits yet have a significant impact on revenue and operational expenditure, which, when all things are considered, can seriously affect both the balance sheet and the income statement.
The challenge for CTO/CIOs is no longer just to keep the IT systems running but to ensure that every piece of business information is maintained with integrity and transparency. IT compliance is no longer “just a financial auditor’s problem”, but impacts the whole of the organisation. And ultimately, it is signed off by the CEO and board.
Responsibility
Raymond Magourty of Version 1 Software notes that “the responsibility for IT systems integrity filters down through the IT section, and managers and IT team members have important roles to play in assuming responsibility for ensuring and maintaining compliance.”
Although SOX is US legislation, like all corporate standards, it tends to push out into the wide world of companies doing business in America, or with American companies – which tends to include many large companies in other economies, who in turn insist on compliance from their vendors.
Commenting on this trend, Padraic Minto of one of Ireland’s flagship US-owned operations, Xilinx, notes, “for suppliers to American companies like Xilinx, there are implications. Because Xilinx is SOX-compliant, we have formal processes and authorisation procedures before we can deal with suppliers or sub-contractors. Companies have to ensure that they can comply with our own financial controls – all the way down to a simple function like purchase order numbers!”
In short, SOX is a compliance standard that displays viral behaviour.
By contrast, the other major compliance standard, Basle II, is defined by a central authority, the Basle Committee on Banking Supervision (BCBS) in Basle, Switzerland, and applies to financial institutions. The driving force here was that banks in different countries took different approaches to answering the fundamental question that underpins all banking: how exposed are we? It could be argued that various methods of calculating risk were unduly optimistic – or pessimistic – but the key point is that they were different, and this did not create an environment conducive to international banking.
Three pillars
To bring stability to the international financial system, Basle II refers to the “three pillars” – risk appraisal and control, supervision of assets and monitoring of financial markets. Implementing Basle II involves identifying credit risk, market risk, operational risk and various other risk factors, and then allocating sufficient capital to cover the estimated potential loss. The jargon includes terms such as PD (probability of default), EL (expected loss) and EAD (exposure at default), and calculating them fairly inevitably involves IT investment in hardware, software and high-priced consulting.
Cheshire case study
A case study of Basle II adoption is provided by the Cheshire Building Society, which provides mortgages, savings and investments to the UK public and has 52 branches across North West England. Like other financial institutions in the UK, it must comply with regulations formulated by the Financial Services Authority (FSA). In 2004, it became particularly aware of the implications of the FSA’s interpretations of the Basle II guidelines, in addition to the opportunities for enhanced risk management arising from developing risk measurement techniques within financial services firms globally.
It engaged with HP partner Quadrant, a specialist risk management consultancy. Quadrant helped it to install an Enterprise-wide Risk Data Repository (ERDR) based on a pre-designed physical data model and a Basle II analytical engine, both developed by Quadrant. The ERDR acts as the foundation for a truly integrated risk management approach that will give the Society “one version of the truth” in respect of its risk exposures. This will assist greatly with the ongoing development of best-practice risk-modelling and measurement.
In the project’s first phase, the ERDR was populated with all the data on the building society’s prime retail mortgage portfolio. Quadrant then used the analytical engine to build models for probability of default, loss given default and exposure at default, the risk factors an organisation needs in order to model risk in a robust, statistical way and obtain the regulator’s consent to use an internal ratings-based (IRB) approach.
Balanced combination
Over and above the compliance requirement, these disciplines help financial institutions to manage and price their products and risk portfolios not simply on the basis of risk or of return, but a balanced combination of both. Cheshire will benefit from the creation of ratings systems for both its prime portfolio and for its corporate and specialised lending portfolio.
Quadrant is also helping the Society to build a risk adjusted pricing methodology to help it comply with the Use and Experience Tests outlined in Basle II. The regulation says organisations need to demonstrate that the models are but one of the methods used to price in accordance with risk exposures and to forecast and plan for future capital requirements.
The gurus of both SOX and Basle II share a common theme: you can either be dragged kicking and screaming into compliance, or you can embrace it as an opportunity to fine-tune your management and operational efficiency. Much as with a good accountant, the bill for a competent compliance consultant should be covered many times over by the improved financial picture.
At the same time, it cannot be denied that the spectre of the judge has a bracing effect on the move to compliance. According to Steve Tongish, director of marketing EMEA at Plasmon, “Recent court cases have squarely placed the responsibility of transparent record management on the shoulders of corporations and organisations. Judges have instructed juries to assume fraud and mismanagement if there is no structured record management system in place. By contrast, if a structure with documented processes can be demonstrated, the lack of key records cannot be held against a company if their destruction was in line with defined procedures.”
However, it’s always a much better story if the motivation is positive and financial-benefits driven, rather than fear of the dock. As Jeremy Seligman, director of business development at Moresoft tells it, “Many of our clients started out with the goal of avoiding the dreaded knock on the door that is a compliance audit only to find that the continuing benefits of having proper IT governance in place greatly enhances their business.”
Driving value
Robert Lanigan of SAS Ireland agrees, “Organisations addressing these challenges break into two broad categories – those who seek ‘minimum cost of compliance’, and those who seek to turn compliance initiatives into value driving exercises. In our experience organisations driving value from compliance take a more holistic approach by incorporating changes to business processes with best practice and flexible solutions. These are the organisations that we see reaping tangible rewards, not only by achieving compliance, but more importantly through efficient internal processes and a better understanding of their customers.”
In a great example of a vendor practising what it preaches, Oracle chose Ireland as the location for the EMEA Shared Services Centre (SSC) based on its attractive and business friendly attitude to multinational companies. The SSC opened in Dublin in 1999 to provide finance and administration infrastructure for Oracle business units across its Europe, Middle East, and Africa region (EMEA). Oracle’s aim was to achieve greater efficiencies and economies of scale, and reduced finance and administration costs, to allow local country finance managers to concentrate on more value-add sales and business activities instead of transaction processing. Oracle’s goal was to move from 52 disparate instances of the database to a global single instance and in so doing to significantly simplify and reduce IT maintenance and upgrade costs. As anticipated, the move greatly improved management reporting and operational efficiency, and contributed to substantial savings across the company.
Reduced costs
From the perspective of meeting SOX compliance, the definition and implementation of standardised financial processes meant that audit costs were reduced and operating reviews were conducted more effectively, making both reviews and audits easier.
Internal auditors travel less because they conduct most of their initial investigations online, and they now spend more time monitoring internal controls. The Sarbanes-Oxley Act became a reality during Oracle’s consolidation project. Oracle attributes the ease with which it gained section 404 compliance to the implementation of standardised and fully documented processes.
Shaun Fothergill, security and IT strategist, UK and Ireland, Computer Associates, compares a sound attitude towards adopting a compliance strategy to improving a company’s genetic code: “Business requires a framework, a baseline of IT controls and an enterprise-wide management structure to keep it that way. How many businesses have not taken the advantages of common control requirements across a range of IT compliance issues? Process, access control, identity management, configuration and storage management are core components of any compliance DNA – a DNA that can be used to support a range of compliance and governance issues.”
Standards
A standard that is showing up increasingly on Irish management radar screens is BS 15000. As a British standard it is likely to crop up in negotiations with British-based enterprises. This has the same viral qualities as SOX, and the same agenda of becoming a global standard. The goal of the standard is to provide a framework with worldwide relevance to IT service management. It has a focus on IT supporting the business through clearly defined service level agreements (SLAs) and operational level agreements (OLAs).
It is basically an integrated set of management processes for the effective delivery of services to the business and its customers. There is a formal specification that defines the requirements, together with a code of practice based on best practices. The standard is issued by the British Standards Institution (BSI) and the formal certification process is managed by the IT Service Management Forum (itSMF).
Martin Farrelly, practice manager at OSL, summarises the intent of the standard: “There is a requirement to meet with your customers regularly to review the service offering. A process improvement plan must also be implemented whereby improvements are identified and a plan of execution put in place. This plan needs to be reviewed regularly to ensure that appropriate action and progress is delivered.”
Compliance return
Supporters of BS 15000 make the same point as the SOX people: doing an implementation well is not just a matter of ticking boxes but of saving real money. They point to Gartner measurements showing that moving from “no adoption” of IT service management to “full adoption” can reduce an organisation’s total cost of ownership by as much as 48%.
As well as staying on the right side of regulators, IT management can use any compliance driver as a means of improving operations. For example, it is far better to reduce operational risk than simply to report it. This protects brand reputation, reduces insurance costs and improves the cost structure across the board. If operational failures and loss events are minimised, the organisation doesn’t need to spend resources fixing mistakes after they’ve had an impact. It can focus on customer service because processes are working as they should.
Another BS standard gaining momentum because it covers a wide range of compliance requirements is BS7799 (now recognised as an Irish standard, IS7799). A mature standard that has been around since 1996, it specifies a range of controls that are not only comprehensive but by and large common sense. For instance, an organisation should have an Information Security Policy, specify appropriate content and Internet/e-mail use, explain the policy to its users, put in place technical enforcement tools such as Internet site blocking and anti-virus scanning of Internet traffic, and regularly audit and monitor the results. This formalised approach to IT risk management puts a company in good shape to address the strictures of Sarbanes-Oxley and Basle II.
Angela Madden of security specialist Rits comments, “A lot of organisations see legal and regulatory compliance as a large task to undertake and one that potentially could require a significant monetary spend. What I would suggest is that, in our experience, organisations are usually not as bad as they think and that if they undertook an initial gap analysis to identify where they sit in relation to a standard such as 17799, they would be in a better position to determine their legal and regulatory compliance stance. From here it is then possible to identify the necessary tasks and processes to achieve compliance. Tasks and processes can be prioritised, put in a project plan with resources assigned, and you are now on the way to compliance but, more importantly, a good, secure business environment protecting both the organisation and your employees.”
Conclusions
The best conclusion to draw from a review of compliance standards is that what appears to be a mess of alphabet soup in fact shares a lot of overlap and by and large can be swiftly grasped in terms of common sense. As pointed out by Madden, a lot of the brickwork may already be in place, and a focused gap analysis can soon lead to a workable plan that leaves your organisation in good shape to greet the compliance auditors with a smile.