European securities legislation to increase CIOs' personal compliance accountability

Far-reaching financial regulations to further complicate business management.

If you are the CIO of a large corporation, you will probably have had to budget this year for the complexities of the global regulatory agenda in relation to the requirements of the Sarbanes-Oxley Act or, if you are in the financial services industry, Basel 2.

Alongside these, you may also have heard of the evolving European regulation called the Markets in Financial Instruments Directive (MiFID), which will be delivered in less than two years if, as expected, the European Parliament puts out an approved version of the directive's wording before Christmas.

What you may not yet realise is how far this regulation reaches.

MiFID will introduce a single European securities market for all financial instruments. It means big changes for businesses and for CIOs.

Across 73 articles, this extensive regulatory framework will change the way business is done in a bid to make Europe "the most dynamic and competitive knowledge-based economy in the world" by 2010.

You can read all about the new rules, but what does MiFID mean in practice for those running a financial services firm's IT?

The legislation is very explicit about controls, organisation structures, reporting lines and business continuity plans, all of which must now be visible to a much wider group than in the past. It is also clear that senior management will be responsible for compliance and compliance policies. Failure to conform will leave the firm open to being fined or sued, plus the threat of jail for anyone found culpable of grievous mismanagement.

MiFID increases the company's dependency on IT not only to support the business, but just to stay in business. If a price goes stale, an application goes offline or a message is formatted incorrectly, the invisible hands of the market - or the visible hands of the regulators and the European Courts of Justice - may intervene. Never before has an industry that is so profitable for so many been so dependent on so few.

Will the IT leadership rise to the challenge? If you use the past as a guide, the answer is not clear. For decades IT organisations have been discussing how to "align with the business" and "run IT like a business".

File drawers are full of conference materials and consultant presentations on service catalogues, service level agreements, quality metrics and risk measures. Guidelines for best practice, enterprise programme management and balanced scorecard projects are obligatory.

Despite these efforts, few IT leaders would say that they have put in place the right culture within IT to have true "peer-to-peer" relationships across the business. And fewer still would be able to point to joined-up leadership across IT and the rest of the back office.

Successful IT managers operating in the MiFID landscape will need to take on new levels of personal accountability. If you want to be one of the winners, start managing IT as if you need to be personally accountable for everything that enables your firm to make money.

With this mindset you will drop the notion that someone else working for the firm - for example, in the compliance or legal departments - is going to mitigate your personal risk by telling you what to do.

You will engage directly with the regulatory agenda and work collaboratively with the internal business units and your colleagues in infrastructure to confront your business management challenges. You will stop worrying about the regional regulations and start worrying about whether you can prove that everything works the way it should. And you will actively engage the others through collaborative working groups such as the MiFID IT Joint Working Group.

By doing all this, you will earn the respect of the business by quantifying the materiality and consequences of potential IT strategies and speaking confidently about the right direction. The future IT agenda will be yours to define. You can stop worrying about managing IT as a business and actually start to manage it.

Think this sounds interesting but irrelevant? I would counter that even if you are not sitting in a financial institution you ignore MiFID at your peril. Remember, if your organisation manages IT well, your people will be targeted by institutions that can spend up to an order of magnitude more on technology than you.

One way or another, I believe a new breed of IT manager will be on your doorstep by 2010, exactly as they planned it in Brussels.

PJ Di Giammarino is co-chair of the MiFID IT Joint Working Group and was formerly global IT chief operating officer at Barclays Capital

