There is no out-of-the-box IT solution to compliance. Technology has a role to play, but only in supporting business-specific objectives, not in enforcing a generic compliance strategy. Using standard business tools to automate the collection of key business information, organisations can achieve rapid visibility of their risk exposure and avoid the dangers associated with business change that can rapidly undermine compliance procedures, argues Tim Considine, Managing Director of First Option.
Has UK business learnt nothing from its past mistakes? Ten years ago, quality was heading the agenda and organisations were falling over themselves to achieve ISO9000 certification. To what end? Most organisations now admit that these investments delivered little business value when viewed against their implementation costs.
Now, it is compliance. Again the focus is on demonstrating compliance, generally by taking an archive-everything approach, rather than achieving quantifiable business benefits. And, each time, IT vendors are circling like vultures, looking for an opportunity to repackage existing technology, at a premium, to deliver a solution to this pressing concern.
Whatever the bandwagon-jumping IT industry may attest, there is no single compliance solution. Compliance objectives, just like business continuity requirements, are business-specific. That does not mean technology cannot ease the compliance process, but it can only support an organisation's compliance processes through automation, not define and prescribe an entire compliance strategy.
Organisations are under huge pressure, from legislators and shareholders alike, to achieve compliance with a range of new regulations. Yet in the blind panic that has ensued, many have forgotten their past mistakes. Remember quality and the rush to achieve the ISO9000 stamp? And the money spent on documentation and storage?
It transpired, of course, that documenting the production of garbage makes no difference to the quality of the end product. And, several years on, today's quality initiatives focus less on documentation and more on improving processes, and hence quality.
Unfortunately, few organisations appear to have learnt the lessons of such expensive mistakes. When it comes to compliance, there is a growing trend towards adopting a template model, based on all-encompassing archive and audit policies, that is contributing significantly to business cost and delivering no business value.
Obviously the world is still acclimatising and adjusting to the implications of today's regulation-led business practice. Indeed some 80% of organisations are still attempting to ascertain the implications of compliance, from FSA regulations to health and safety and employment laws.
But, to be frank, it is becoming apparent that managing compliance requirements and conducting profitable business are mutually exclusive. How can so many companies opt to shut down business for two weeks to carry out a Sarbanes-Oxley audit? This is simply madness and will undoubtedly be recognised as such in a couple of years. But at what cost to the business in the interim?
And, at the same time, the IT industry purports to offer a compliance panacea, from an archive-all strategy that is boosting the coffers of the storage vendors to complete compliance solutions that make no allowances for the risks, processes and challenges of each organisation. Where is the compliance and, more crucially, where is the business value?
Yes, it is possible to buy a quality manual, but if staff do not understand the philosophy, if it does not flow through the organisation, it will deliver no value. And the same applies to compliance: not only is the cost of an off-the-shelf compliance programme huge, but the compliance policies delivered are more than likely to be flawed because an IT vendor cannot possibly understand the intricacies and risk points of each highly unique operation.
Just as organisations have recognised that, while each industry has its own set of quality standards, tangible improvements can only be achieved by applying those standards specifically to each business, a similar approach must be adopted for compliance.
Indeed, there are clear benefits to be attained from transparent business processes that deliver visibility to an organisation and highlight areas of risk. And technology has a key role to play in simplifying and supporting those processes. But there is no off-the-shelf solution to compliance.
Organisations have to take internal control over the key factors influencing their compliance requirements. Once those processes have been defined, it is then simple to use existing technology, including even the Microsoft Office suite, to automate the collection of cross-organisational information to support the management of compliance.
Replacing the manual collection of information from the business with streamlined processes that automatically email existing information to key personnel for updating at regular intervals simplifies the provision of up-to-date information for business managers. This information is then automatically repopulated into the database and analysed for changes that may impact key compliance or business continuity thresholds.
For ease of use, this information is then presented via a management console, using traffic lights to demonstrate the level of compliance across different business areas, thus enabling the organisation to establish risk and prioritise potential reparatory plans.
These compliance thresholds must, of course, be defined by each organisation in line with policies, procedures and appetite for risk. By automating the process of information collation and analysis, organisations now have a simple and effective way of monitoring the effectiveness of existing processes, such as updating and communicating information on new disciplinary procedures, and assessing the impact of business change on these compliance processes.
Indeed, by automating, organisations are also significantly reducing the business risk associated with out-of-date information. Typically, collecting and collating the key data that can support both compliance and business continuity strategies takes several months. By the time it has been analysed to understand the implications for business risk, there is a potential six-, nine- or 12-month lag.
Given the constant level of business change and evolving compliance requirements, this time delay creates significant business risk. Furthermore, it undermines an organisation's ability to confidently proclaim its level of compliance to financial markets and shareholders. With an automated approach, this process is significantly streamlined, providing monthly, if required, status visibility across the entire organisation.
Key to this approach is the simplicity of the technology deployed. Compliance is a major business concern today, hence the circling of the IT vultures. Technology obviously has an important role to play in supporting organisations in their compliance activities. But it is a supporting, not a starring, role: a fact that organisations worldwide will do well to remember.
Tim Considine joined First Option in 1991 as a consultant and became the Managing Director in 2000. His background is in banking and management consultancy, rather than IT. However, it was whilst working in banking that he developed an interest in IT and started to develop his own IT systems for arbitrage and credit analysis.