There is no way for IT directors to avoid the impact of regulation. Suppliers are of limited help but careful planning can reduce workloads without sacrificing quality
All organisations, whether private or public sector, are subject to corporate governance regulations and legislation, with significant implications for IT systems. The main challenges for IT directors are the forthcoming Freedom of Information Act, the Basel 2 Accord and the US Sarbanes-Oxley Act.
In June, Barclays group chief technology officer Kevin Lloyd said regulatory compliance programmes took up to 40% of the bank's IT investment spend. Last month a CBI report warned of a "tidal wave" of regulations affecting UK financial services firms that could undermine the industry's contribution to the economy.
With so much at stake, IT directors need to prioritise their compliance projects, stick to budgets and meet the deadlines.
This is no easy matter, said Denise Plumpton, who chairs the Corporate IT Forum user group. "Knowing how to plan compliance projects can be a nightmare," she said.
This is partly because compliance requirements vary across companies and industries. "Instead of prioritising by business need, legal requirements must be prioritised because of the penalties for non-compliance," she said. "So the challenge is not about whether to comply, it is about to what extent one has to comply, and that can vary from the absolute minimum through to the gold-plated standard."
According to Plumpton, public sector organisations veer towards full implementation, and private sector firms focus on doing the minimum that is necessary.
Malcolm Marshall, partner in charge of technical advisory services at consultancy KPMG, said IT directors should focus on the essentials of compliance projects. "With Sarbanes-Oxley, for instance, the impact will be limited to systems with a clear effect on financial reporting," he said. "It does not affect all systems."
One of the problems for IT directors is that compliance projects are generally run by managers in the finance and audit departments, making it difficult for IT directors to evaluate the full extent of the impact on systems at an early stage.
Appointing a someone with responsibility for IT risk is a necessity. "Large organisations should have a full-time person responsible for risk, which should include compliance, reporting directly to the CIO," Marshall said.
The real challenge for many firms is that they are not starting from the right place. "In the past, people have tended to add another layer when dealing with compliance, rather than designing things in from the beginning," said Marshall.
Paul Williams, head of architecture at airline Virgin Atlantic, said corporate governance should be taken into account at all times. "Things like the Data Protection Act have to be taken into account all the way through," he said.
Fran Howarth, practice leader at market analyst Bloor Research, agreed. "The Data Protection Act may have been around for some time, but companies have to ensure their whole organisation is included. There is no point in doing things piecemeal," she said.
The Freedom of Information Act is also likely to have considerable impact. Many public sector bodies are having to re-evaluate their information infrastructure to cope with the Act, and this can involve high levels of spending in areas such as document management systems. Public sector research firm Kable estimated the typical cost of a document management system in the public sector in 2002 was between £80,000 and £500,000.
With that in mind, more IT suppliers are claiming that their products can help with compliance projects.
"Information about the Freedom of Information Act and Sarbanes-Oxley are generating more queries on our website than our actual products," said Mike Rae, sales manager at software firm Avanquest.
He said IT directors in general were still not fully aware of their obligations. "The organisation needs to prove it has a document, can retrieve it and can verify when it was sent," he said. "It is all about audit trail and tracking, and sender authentication."
But some senior IT users remain sceptical about the claims made by suppliers that they can sooth compliance headaches. "I cannot think of a single supplier who has mentioned compliance. I am still getting the traditional sell," said Plumpton.
How to make compliance easy
- Get involved early. Make sure the IT department is fully briefed by the finance and audit teams about all compliance projects
- Take the initiative. Getting existing IT platforms into shape will help ease the pain of compliance, particularly in relation to storing, auditing and accessing data
- Take an integrated approach. Implementing a single system for each compliance project will drain resources and end up costing more
- Evaluate outsourcing options. Outsourcing can, in some instances, enable the compliance burden to be shifted over to the supplier
- Take a positive approach. Cleaning up systems for compliance can provide significant competitive advantage.
The hit-list for compliance regulations
There is a long list of regulations with which UK organisations must comply, but these are the big ones:
Data Protection Act
Regulator: Information commissioner
Came into force: 1998 Impact: It has been around a long time, but still requires a great deal of work to ensure all information held is within the law.
Regulator: the US Securities and Exchange Commission
Came into force: 15 November 2004 for US public companies; 15 July 2005 for smaller and foreign companies I
mpact: Huge. Oil multinational BP alone has estimated that compliance will cost it about £71m. Companies have to verify information held in disparate systems is correct; there must be controls to prevent unauthorised access; and there must be an audit trail of any changes.
Regulator: Basel Committee on Banking Supervision, comprising banks and authorities in the G10 countries
Comes into force: End of 2006 Impact: IT spending on compliance by European banks could reach £1bn by 2005, said Datamonitor. Firms must ensure they store and track financial information and prevent unauthorised access to provide the information on their financial position under the Basel 2 rules on capital and risk management.
Freedom of Information Act
Regulator: Information commissioner
Comes into force: 1 January 2005 Impact: The Department for Constitutional Affairs forecasts that implementing systems to comply with the Act could cost £125m a year.