Our panel of experts offer advice on IT management dilemmas
The issue: Can compliance be more than just a bureaucratic burden?
The question: I am an IT director in the financial services industry. I would like to make compliance with burgeoning regulation more than a box-ticking exercise, but my gut feeling is that all the talk of using compliance to improve business efficiency is just spin. Am I missing a trick or is red tape just that and nothing more?
Solution: Regulation is more than a matter of red tape
Surely compliance is about ensuring greater transparency in the
way businesses operate and ensuring that proper and easily
traceable audit trails are in place. Given this, businesses ought
to become more efficient by adopting such practices.
What is certain is that compliance is not about to disappear, so
your role as an IT director in the financial services industry must
be to ensure that all your IT applications and operations are
designed to facilitate your company's compliance obligations. It
has to be more than ticking boxes and one only has to look at the
history that led to the development of compliance to appreciate
that it is much more than just "red tape".
Solution by Robin Laidlaw, president, CW500 Club
Solution: Compliance breeds more confidence in your clients
The IT director is faced with an ever increasing burden of
compliance, particularly in the "regulated" financial services
sector but increasingly across the board.
One approach is to do the minimum necessary to satisfy
regulators, remembering that a variety of audit regimes will be in
place. But there are opportunities.
Firstly, clients are increasingly concerned to know whether
suppliers are properly compliant, and being able to demonstrate
this will help woo corporate clients and instill confidence in both
corporate and consumer sectors. Conversely a failure in compliance
can, as well as exposing you to the risk of regulatory sanctions,
severely damage credibility.
Secondly, compliance can be used as a means of encouraging
business to adopt best practice - in security, for instance - where
the tendency may be to cut costs and corners.
It is also an opportunity for the IT director to demonstrate
awareness of the broader environment and also be business savvy -
"look we have these regulations, but we are able to comply at
minimum cost, and gain these advantages".
Personally, I remain unconvinced that compliance leads to
efficiency, but it does lead to rigour and good practice, and can
be turned to commercial advantage.
Solution by Ben Booth, chairman of BCS IT directors group Elite
Solution: Embed compliance in your daily processes
You are not alone - many of your peers are also suffering from
regulatory fatigue.
The good news is that many companies are demonstrating that real
cost and operational efficiencies can be achieved. From what you
have said, you are in an ideal place to now leverage your current
and future efforts and use regulatory compliance as a basis for
reviewing and enhancing your IT organisation.
Set an example by your positive attitude. Approaching regulatory
programmes from the outset by looking at the opportunities they
afford rather than just the need for compliance will help set the
right tone, as well as ultimately deliver greater efficiencies.
For example, one of the key ways regulatory programmes can
achieve greater efficiencies is by standardising your IT processes.
This has many benefits, including making regulatory compliance
easier and more cost effective.
Furthermore, standardisation will make it relatively easy for
you to optimise IT processes and deliver value to the business
through enhanced IT delivery quality, faster response times and
more integrated services.
To move away from a one-off "box-ticking" approach to
regulations, consider the value of embedding compliance in your IT
processes and daily activities. That way, rather than treating
regulatory compliance as a separate activity, you will be able to
start embedding it in your routine operations. This will also
provide a more sustainable solution for the long term.
Finally, a "box-ticking" approach often tackles each regulation in isolation, which in itself is inefficient - you should view them holistically.
Designing your IT processes to address similarities/overlaps in regulations should help achieve more efficient coverage of regulatory requirements and help avoid repeated effort to address each regulation in isolation.
Solution by Ali Kazmi, Ernst & Young Technology Security and Risk Services team
Solution: Your investment priority should be value creation
I think you are indeed missing a trick, but not the one you are
thinking of. It is vital to make investments from time to time in
order to stay compliant and the key strategic question is how much
of your total investment this should be.
Within your company's investment portfolio - and not
specifically for IT - you should be looking to strike the best
balance between value-protecting and value-creating
investments.
Investments that are driven by compliance are among those that
are about value protection, and it is better to admit this than
pretend otherwise. In principle, you should be looking to minimise
investment in value protection based on an acceptable level of
residual risk, so as to reserve as much investment as possible for
new value creation.
In practice, however, a fair slice of your total investment will
be for value protection, but you and your executive colleagues all
need to be satisfied that this is no more than is really
necessary.
Engaging with your senior colleagues about the relative levels
of investment in value protection versus value creation helps to
expose them to a high level of IT transparency, strategic maturity
and ownership.
To return to the original thrust of your question, any
additional discussions about how to exploit compliance-driven
investments to create new business value would be the icing on the
cake.
Solution by Chris Potts, director at consultancy Dominic Barrow
Solution: Identify the costs and the benefits of compliance
We are seeing an increase in regulation and compliance in a variety of forms, ranging from directives like Sarbanes-Oxley, to focused IT service initiatives like ISO 20000. Some are mandatory and some optional, but all demand that you comply to some extent with a set of standards that could be described as a "box-ticking" exercise.
The choice usually exists of undertaking the minimum to satisfy
the criteria, or doing rather more and securing additional
benefits. To make this decision you need to know the additional
costs and additional benefits of undertaking the more exhaustive
change programme.
To begin with, you need to define a broad domain in which this
change is to be focused and secure input from all involved -
including both the business and IT - to ascertain what additional
benefits are available.
From there, a statement of additional tasks to deliver the
benefits can be developed. A variety of approaches exist to support
this thought process.
Bear in mind that creating enthusiasm to pursue an initiative
that appears to do little other than secure compliance -
particularly if such compliance is seen as unnecessary - will prove
troublesome.
Maybe adding some focused and clear organisational benefits will
encourage the execution of the programme to a successful
conclusion.
Solution by Chris Edwards, professor of information systems at Cranfield School of Management
Solution: Unstructured data key to lowering compliance cost
The first question you may want to ask your colleagues is
whether they see the level of compliance decreasing in the future.
Their answer may influence how much effort should be put into
responding to compliance demands.
Assuming the response to this question is likely to be in the
negative, you need to consider how you can help them cope with or
even take advantage of this trend.
There is a key opportunity in your domain and that is
information management. Historically, IT has focused on the
management of structured data. However, increasingly the focus is
on all the unstructured data held in documents, e-mails and web
pages.
So, to what extent can you help to reduce the cost of compliance
by improving the behaviours, processes and tools associated with
unstructured information?
There is also the link to consider between compliance and
governance. Using information-based tools such as business
intelligence and company scorecards, what additional services can
you provide to your colleagues?
It is unlikely that these challenges and opportunities will
disappear in the near future.
You may wish to start an early stakeholder dialogue with the
director responsible for risk management in your organisation to
map out an appropriate plan. This is a particularly important
consideration if you have strong competing demands for your
resources.
Solution by Sharm Manwani, head of information management at Henley Management College
Solution: Beware missing out on related benefits
Metrics and measurement are increasingly a requirement in both
the public and private sector. External scrutiny has increased as a
result of cases of malpractice that have resulted in overspend,
fraud and poor service. The natural reaction of the authorities is
to add process, with the objective of avoiding these problems.
Often regulation is viewed as an unnecessary burden that stifles
flexibility and progress. The counter-argument is that too much
flexibility results in high-profile disasters and scandal.
In many cases, compliance is not a choice; it is something you simply have to do. In that case, you need to see how these requirements can be aligned to a business need.
Rather than treating the exercise as a standalone function, you
need to, where useful, build regulatory compliance into your
business process. You may need to add to the requirements, but if
they provide value this will be a sound investment.
A good example has been the requirements arising from the
Freedom of Information Act. If it adopts them correctly, an
organisation can transform its information management, improving
the efficiency of its business process. If they are regarded as an
intrusive burden, considerable effort may be spent with no
gain.
In the financial services industry there is an increasing
requirement to demonstrate strong security to both external audit
and prospective customers.
Compliance with standards such as ISO 27001 (Information
Security) is becoming considerably more important in a competitive
environment. Compliance - with certification - is a strong way to
demonstrate that this is proactively managed and that the
investment a customer will make is in safe hands.
With regulation that you feel is of no value, determine how to
deliver the metrics with the minimum effort necessary to satisfy
the requirements. Do, however, double check that you are not
missing out on a benefit.
Solution by Roger Rawlinson, director of IT consultancy at NCC Group
Ask the experts
Computer Weekly has put together a panel of experts whose specialist knowledge you can draw on to solve a problem. E-mail your questions (or your solution to this question) to computer.weekly@rbi.co.uk