Compliance offers the opportunity for IT directors to overhaul business processes, make major savings and increase efficiency. Lindsay Nicolle reports on the upside to being more tightly regulated.
Regulatory compliance is fast becoming another Y2K for IT users, with millions of pounds being spent on systems to tighten up and secure financial controls, and formalise document and information management.
Spending levels for global compliance programmes are expected to dwarf those for Y2K and the introduction of the euro. Industry analyst Meta Group states that a typical large bank will need to assign between £15m and £25m to IT-related compliance programmes, and that this will probably need to be supplemented with additional programmes worth £30m-£100m between 2004 and 2007.
Up to 90 compliance requirements affect UK businesses, spread across all industry sectors. Some 25 of the most burdensome materialised after the Enron and Worldcom scandals and the terrorist attacks on the World Trade Center. Nearly all are focused on corporate accountability, risk management and financial reporting. The two currently making most users squeal are Sarbanes-Oxley and Basel 2. The bill for these extravaganzas is causing an outcry among large companies, especially those with shares listed on US stock exchanges.
General Electric has suggested that complying with just one paragraph in Sarbanes-Oxley - the section that deals with the audit and testing of internal financial controls - will cost the company about £17m. Nearer home, financial giant HSBC has given a precise indication of the mounting costs of compliance with different regulatory directions across the globe. Its regulation "tax" amounts to 3.125% of Ebitda (earnings before interest, taxes, depreciation and amortisation).
BP, too, has complained that compliance with new corporate governance rules, mainly Sarbanes-Oxley, will cost it about £71m.
One company has even blamed compliance work for missing its quarterly earnings.
But however high the sums go, non-compliance is simply not an option. Senior staff face prison if their companies are found wanting. Non-compliance also risks exposing weaknesses in the business that could damage the brand and send share prices into freefall. In the US, companies have been fined between $10m and $100m for not having adequate information retrieval procedures in place. UK fines for similar issues are smaller but rising, currently ranging from £1.2m to £2m.
So, what technologies do you need to deploy to comply with all this red tape, and how can you turn an unwelcome additional IT cost into a business opportunity?
Compliance solutions can be grouped into three categories: information management, information analysis and information security. For UK companies, the essential technologies required to achieve key legislative compliance include systems that address business process management, business intelligence and analysis, activity management, network security, storage, e-mail management and archiving, policy and records management and retrieval and search facilities.
All of these technologies should be aimed at improving information lifecycle management. Dealing with information from creation, through storage, retrieval and analysis to eventual destruction, is the dish of the day.
Every IT supplier is jumping on the compliance bandwagon, so expect to see old and new systems being marketed as ideal solutions. However, there is no single IT solution or supplier that holds all the answers.
Indeed, analysts at Gartner warn that most Sarbanes-Oxley-targeted solutions bought this year will have to be retired or replaced by the end of 2005.
"Enterprises that choose one-off solutions for each regulatory challenge they face will spend 10 times more on compliance projects than their counterparts that take a proactive approach," says Gartner's research vice-president, French Caldwell.
Lots of companies are developing separate compliance programmes for every regulatory regime, but Caldwell warns that this only eats into profits.
With global banks squaring up to approximately 370 regulators, it makes more sense to devise a comprehensive compliance programme composed of common technology frameworks that cover the overlapping areas.
For example, the fundamentals of an information lifecycle management systems strategy will underpin compliance with Sarbanes-Oxley, the Securities and Exchange Commission rules and the UK's Data Protection and Freedom of Information Acts. By addressing the bedrock of compliance in this way, users could save money and be more efficient as well as improve performance.
Nevertheless, the capital outlay required to achieve any compliance is causing some users to strive to achieve only the absolute minimum required by the legislation and regulations. This is short-sighted, say analysts.
"We've been told that compliance is just like the Y2K issue, when millions was invested but there was minimal noticeable benefit," says Mike Davis, senior research analyst at Butler Group. "Well, compliance could be like that, but only if one has a complete lack of vision and ignores the underlying drivers of the legislation and regulation - to make businesses serve their customers, shareholders, and even society better. In reality, compliance undertaken positively with a vision for the business strategy is a chance to run a better organisation. Those that do it well will have significant competitive advantage."
Indeed, 40% of UK compliance and IT heads cite operational efficiency improvements as the principal business benefits gained from compliance, according to research by Datamonitor on behalf of enterprise content management provider FileNet UK. "Compliance should be seen as an opportunity rather than as a threat," says Ian Black, managing director of communications management software and compliance specialist Aungate.
"Compliance is, after all, a measurement of performance and is an opportunity to measure the effectiveness of the business process. Effective compliance technologies inherently enable the collection and analysis of the metrics that can play a positive role in benchmarking business processes."
There are also important business gains for any organisation that has systems that can quickly collate and aggregate all of the information relating to a single person. In a financial environment it enables a more accurate assessment of credit risk. In retail it holds out the prospect of additional sales opportunities, while in healthcare organisations can avoid potentially life-threatening situations such as giving a patient inappropriate medication.
"Compliance regimes are forcing companies to adopt formal business processes and reporting so they now have an opportunity to spot inefficiencies, overlaps and duplications of effort," says Adrian Wright, managing director of policy authoring and awareness specialist, Secoda Risk Management, and former head of IT security at Reuters Group.
"This is a great moment for rationalisation and economies of scale, but I doubt the IT department headcount will be on the front line as so much responsibility for managing compliance rests in their hands."
The information and IT function is now at the centre of users' efforts to improve business performance. It is also central to keeping senior managers out of prison since it is responsible for deploying systems that ensure legislative and regulatory compliance. Maybe compliance could finally ensure that IT managers and CIOs gain the respect they deserve, and that coveted seat on the board - something Y2K singularly failed to achieve.
Case study: Barclays
Barclays spends 40% of its IT investment budget on regulatory compliance programmes, but the move is generating millions of pounds worth of savings for the banking group.
"Regulatory controls take up a sizeable proportion of spend," says Barclays' group chief technology officer, Kevin Lloyd. "Basel 2 and Sarbanes-Oxley compliance is chewing up 40% of investment spend. The regulations mean that the federated businesses struggle to become compliant at a competitive cost, which encourages them to come to the centre."
Nevertheless, regulatory pressures encouraging IT consolidation have helped to cut Barclays' operating costs by £500m over the past five years. During this time, Barclays has raised the proportion of company-wide IT processing done centrally from 45% to 80%. The bank is currently running at 99.7% system availability.
Barclays has also saved money by developing defined standards and processes, which have helped with management decision making.
Benefits of compliance for financial services organisations
Compliance may be a bitter pill to swallow, but many companies hope to emerge from the process as stronger, healthier businesses, according to a global survey of 116 senior executives in financial services organisations by the Economist Intelligence Unit, on behalf of project portfolio management specialist Changepoint. When asked if they expected to achieve side benefits from their compliance programmes, respondents replied:
Greater trust in your brand as a result of compliance: Yes 66% No 31%
Improved process efficiency: Yes 55% No 42%
Reduced risk to business continuity: Yes 75% No 22%
Better quality services/products: Yes 45% No 52%
Improved shareholder value: Yes 59% No 38%
There is less clarity over whether the new regulatory regimes represent good or bad news for profits. The optimists outweigh the pessimists on this point, but 47% of executives believe profitability will be unaffected.
Case Study: Luton Borough Council
Luton Borough Council has used regulatory standards to help make its information and IT services equal to the best in the private sector.
Becoming compliant with ISO 9000, the quality standard relating to information processes and procedures, and BS 7799, the standard for information security, has enabled the council to reduce the cost and time it takes for external auditors to review the IT function. It now takes two days instead of one week, says Chris Kadwill, the council's acting head of IT.
Luton is also now more efficient and effective in its dealings with the public since it is confident in its ability to meet the Subject Access demands of the Data Protection Act 1998.
To meet BS 7799 requirements, the council built two data centres for resilience, deployed a storage area network to hold and secure its data, and implemented various policies, procedures and security technologies.
The council also identified that effective e-mail management was essential to tackling many of its regulatory priorities. In order to enable citizens to request services via e-mail, Luton had to meet the processes required by BVPI 157 for tracking such requests through to resolution.
The council undertook a change management process in parallel to the implementation of an e-mail management system to ensure both staff and systems had the capacity to deal with such requests.
Today, the council's e-mail management has reduced e-mail traffic from 30,000 messages a day to fewer than 20,000, freeing up physical bandwidth, storage and employee time in dealing with queries. It also takes fewer staff to meet Subject Access requests under the Data Protection Act.
Luton has also implemented a 65-seat call centre, supported by a one-stop service shop and 200 public booths for internet use, to help it achieve compliance with both BVPI 157 and the Disability Discrimination Act.
The council also has an on-going agenda to meet the Freedom of Information Act 2000 requirements. An analysis of the three million files held on the SAN identified that 1.5 million had not been modified in four years.
Reviewing and cleaning up the data may be time-consuming and costly, but Luton has proved that when it comes to compliance, it is not afraid of a challenge.
Lest we forget...
Key legislation, regulations and standards affecting UK businesses
Access to Health Records Act 1990
Basel 2 (international)
BVPI 157 (electronic message tracking standard)
Companies (Audit, Investigations and Community Enterprise) Bill
Data Protection Act 1998
Disability Discrimination Act
E-Government Interoperability Framework (e-GIF)
E-Government Meta Data Framework (e-GMF)
Electronic Commerce (EC Directive) Regulations 2003
Electronic Communications Act 2000
Electronic Signature Regulations 2002
Freedom of Information Act 2000
Human Rights Act 1998
International Accounting Standards (IAS)
ISO 9000 (quality standard)
ISO 15489 (international records management standard)
ISO 17799 (information security standard)
Money Laundering Regulations 2003
Privacy and Electronic Communications (EC Directive) Regulations 2003
Proceeds of Crime Act 2002
Public Records Office 11
Regulation of Investigatory Powers Act 2000
Regulation of Investigatory Powers Act (Communications Data) Order 2003
Sarbanes-Oxley Act 2002
The Patriot Act