IT Governance and compliance management
Businesses today have multiple, often multi-jurisdictional, often over-lapping compliance management challenges, which primarily fall into 4 areas: governance, regulation, law and standards. Governance compliance is driven by the Combined Code, the Companies Acts and Sarbanes Oxley (as well as governance codes elsewhere); regulatory compliance drivers include data protection, privacy, occupational health and safety, the environment and the consumer, as well as government and industry bodies such as BIS, the FSA, the FDA, etc; there are multiple legal drivers, including copyright and employment law, and multiple standards, from industry-led Codes of Practice to international standards like ISO17799.
Sheer complexity increases the risk of compliance failure and, while compliance failures are more likely to be accidental than deliberate, the consequences for businesses (reputation, fines, diversion of effort) and individual directors (reputation, fines, diversion of effort) can still be devastating – particularly as shareholders and authorities expect boards to be pro-active in identifying risks and meeting compliance requirements. This makes strategic compliance management an important board responsibility, as well as a key executive business function
Executive roles
Information and information technology are fundamental to effective compliance, but this doesn’t mean that the CIO or CFO should be saddled with the compliance task. There is a clear argument, especially in larger organizations, for appointing a Corporate Compliance Officer (CCO). There is little point in such an appointment, though, unless the CCO can interact well with the CFO and the CIO and has the authority, staff, budget and board support to have an impact across the entire organization.
Successful compliance management is a major strategic objective of an IT governance framework. The CCO should have a board mandate to automate compliance management and this project – driven by a prioritised, cross-jurisdictional matrix and risk assessment of the whole enterprise compliance environment - should be integrated with every other future and ongoing IT project.
The major benefits of automated compliance management lie in cost and risk reduction. Manual compliance processes are disproportionately expensive and are insufficiently systematic to provide the board with assurance that all the requirements of a complex compliance matrix have been met. Automated compliance management, however, is inadequate on its own. Organizational culture must be aligned with the compliance objectives and performance benchmarking should be deployed to help turn the compliance program into a competitive advantage.
The first advantage is in ROI. Every business faces similar compliance demands to every other similar business. Those who most cost-effectively meet those demands, with the least diversion of management time and effort, are going to have a better return on their compliance management investment. This makes benchmarking a value-adding service: vendors like Benchmark Express, for instance, can identify the extent to which an organization’s total cost of ownership (TCO) of a particular software solution (such as SAP) deviates from best practice, as well as the extent to which it is actually delivering the compliance benefits expected of it.
The second advantage is in market share. Customers – both corporate and consumer - are increasingly building compliance profile into their choice of supplier. This gives those businesses that have built compliance into their fabric a competitive edge in winning new business.
The third advantage is in shareholder support. Governance and compliance are now part of almost every institutional investor’s assessment process. Those organizations that have a transparent governance and compliance regime have – all other things being equal – a significant advantage over those who don’t.
Your IT governance framework should provide a structured, coherent approach to this complex exposure. The same information that is the lifeblood of business management is also the subject of the compliance regime. The technology has to underpin delivery of ALL the strategic business objectives, from market share to cost reduction, and simultaneously ensure that the strategic compliance requirements are met. The board needs certainty in all these areas and that means it needs a transparent approach to IT governance.
A compliance strategy, executed within an IT governance framework, should also give board members enough comfort for them to again invest most of their time in driving the business forward.