How to turn compliance into an opportunity to improve processes

Strategy clinic: Our panel of experts offer advice on IT management

Our panel of experts offer advice on IT management dilemmas

The issue: Can compliance be more than just a bureaucratic burden?

The question: I am an IT director in the financial services industry.

I would like to make compliance with burgeoning regulation more than a box-ticking exercise, but my gut feeling is that all the talk of using compliance to improve business efficiency is just spin.

Am I missing a trick or is red tape just that and nothing more?

Solution: Regulation is more than a matter of red tape

Surely compliance is about ensuring greater transparency in the way businesses operate and ensuring that proper and easily traceable audit trails are in place. Given this, businesses ought to become more efficient by adopting such practices.

What is certain is that compliance is not about to disappear, so your role as an IT director in the financial services industry must be to ensure that all your IT applications and operations are designed to facilitate your company's compliance obligations. It has to be more than ticking boxes and one only has to look at the history that led to the development of compliance to appreciate that it is much more than just "red tape".

Solution by Robin Laidlaw, President CW500 Club

Solution: Compliance breeds more confidence in your clients

The IT director is faced with an ever increasing burden of compliance, particularly in the "regulated" financial services sector but increasingly across the board.

One approach is to do the minimum necessary to satisfy regulators, remembering that a variety of audit regimes will be in place. But there are opportunities.

Firstly, clients are increasingly concerned to know whether suppliers are properly compliant, and being able to demonstrate this will help woo corporate clients and instill confidence in both corporate and consumer sectors. Conversely a failure in compliance can, as well as exposing you to the risk of regulatory sanctions, severely damage credibility.

Secondly, compliance can be used as a means of encouraging business to adopt best practice - in security, for instance - where the tendency may be to cut costs and corners.

It is also an opportunity for the IT director to demonstrate awareness of the broader environment and also be business savvy - "look we have these regulations, but we are able to comply at minimum cost, and gain these advantages".

Personally, I remain unconvinced that compliance leads to efficiency, but it does lead to rigour and good practice, and can be turned to commercial advantage.

Solution by Ben Booth, chairman of BCS IT directors group Elite

Solution: Embed compliance in your daily processes

You are not alone - many of your peers are also suffering from regulatory fatigue.

The good news is that many companies are demonstrating that real cost and operational efficiencies can be achieved. From what you have said, you are in an ideal place to now leverage your current and future efforts and use regulatory compliance as a basis for reviewing and enhancing your IT organisation.

Set an example by your positive attitude. Approaching regulatory programmes from the outset by looking at the opportunities they afford rather than just the need for compliance will help set the right tone, as well as ultimately deliver greater efficiencies.

For example, one of the key ways regulatory programmes can achieve greater efficiencies is by standardising your IT processes. This has many benefits, including making regulatory compliance easier and more cost effective.

Furthermore, standardisation will make it relatively easy for you to optimise IT processes and deliver value to the business through enhanced IT delivery quality, faster response times and more integrated services.

To move away from a one-off "box-ticking" approach to regulations, consider the value of embedding compliance in your IT processes and daily activities. That way, rather than treating regulatory compliance as a separate activity, you will be able to start embedding it in your routine operations. This will also provide a more sustainable solution for the long term.

Finally, a "box- ticking" approach often tackles each regulation in isolation, which in itself is inefficient - you should view them holistically.

Designing your IT processes to address similarities/overlaps in regulations should help achieve more efficient coverage of regulatory requirements and help avoid repeated effort to address each regulation in isolation

Solution by Ali Kazmi, Ernst & Young Technology Security and Risk Services team

Solution: Your investment priority should be value creation

I think you are indeed missing a trick, but not the one you are thinking of. It is vital to make investments from time to time in order to stay compliant and the key strategic question is how much of your total investment this should be.

Within your company's investment portfolio - and not specifically for IT - you should be looking to strike the best balance between value-protecting and value-creating investments.

Investments that are driven by compliance are among those that are about value protection, and it is better to admit this than pretend otherwise. In principle, you should be looking to minimise investment in value protection based on an acceptable level of residual risk, so as to reserve as much investment as possible for new value creation.

In practice, however, a fair slice of your total investment will be for value protection, but you and your executive colleagues all need to be satisfied that this is no more than is really necessary.

Engaging with your senior colleagues about the relative levels of investment in value protection versus value creation helps to expose them to a high level of IT transparency, strategic maturity and ownership.

To return to the original thrust of your question, any additional discussions about how to exploit compliance-driven investments to create new business value would be the icing on the cake.

Solution by Chris Potts, director at consultancy Dominic Barrow

Solution: Identify the costs and the benefits of compliance

We are seeing an increase in regulation and compliance in a variety of forms, ranging from directives like Sarbanes Oxley, to focused IT service initiatives like ISO 20000. Some are mandatory and some optional all demand that you comply to some extent with a set of standards that could be described as a "box-ticking" exercise.

The choice usually exists of undertaking the minimum to satisfy the criteria, or doing rather more and securing additional benefits. To make this decision you need to know the additional costs and additional benefits of undertaking the more exhaustive change programme.

To begin with, you need to define a broad domain in which this change is to be focused and secure input from all involved - including both the business and IT - to ascertain what additional benefits are available.

From there, a statement of additional tasks to deliver the benefits can be developed. A variety of approaches exist to support this thought process.

Bear in mind that creating enthusiasm to pursue an initiative that appears to do little other than secure compliance - particularly if such compliance is seen as unnecessary - will prove troublesome.

Maybe adding some focused and clear organisational benefits will encourage the execution of the programme to a successful conclusion.

Solution by Chris Edwards, professor of information systems at Cranfield School of Management

Solution: Unstructured data key to lowering compliance cost

The first question you may want to ask your colleagues is whether they see the level of compliance decreasing in the future. Their answer may influence how much effort should be put into responding to compliance demands.

Assuming the response to this question is likely to be in the negative, you need to consider how you can help them cope with or even take advantage of this trend.

There is a key opportunity in your domain and that is information management. Historically, IT has focused on the management of structured data. However, increasingly the focus is on all the unstructured data held in documents, e-mails and web pages.

So, to what extent can you help to reduce the cost of compliance by improving the behaviours, processes and tools associated with unstructured information?

There is also the link to consider between compliance and governance. Using information-based tools such as business intelligence and company scorecards, what additional services can you provide to your colleagues?

It is unlikely that these challenges and opportunities will disappear in the near future.

You may wish to start an early stakeholder dialogue with the director responsible for risk management in your organisation to map out an appropriate plan. This is a particularly important consideration if you have strong competing demands for your resources.

Solution by Sharm Manwani, head of information management at Henley Management College

Solution: Beware missing out on related benefits

Metrics and measurement are increasingly a requirement in both the public and private sector. External scrutiny has increased as a result of cases of malpractice that have resulted in overspend, fraud and poor service. The natural reaction of the authorities is to add process, with the objective of avoiding these problems.

Often regulation is viewed as an unnecessary burden that stifles flexibility and progress. The counter-argument is that too much flexibility results in high-profile disasters and scandal.

In many cases, compliance is not a choice it is something you simply have to do. In that case, you need to see how these requirements can be aligned to a business need.

Rather than treating the exercise as a standalone function, you need to, where useful, build regulatory compliance into your business process. You may need to add to the requirements, but if they provide value this will be a sound investment.

A good example has been the requirements arising from the Freedom of Information Act. If it adopts them correctly, an organisation can transform its information management, improving the efficiency of its business process. If they are regarded as an intrusive burden, considerable effort may be spent with no gain.

In the financial services industry there is an increasing requirement to demonstrate strong security to both external audit and prospective customers.

Compliance with standards such as ISO 27001 (Information Security) is becoming considerably more important in a competitive environment. Compliance - with certification - is a strong way to demonstrate that this is proactively managed and that the investment a customer will make is in safe hands.

With regulation that you feel is of no value, determine how to deliver the metrics with the minimum effort necessary to satisfy the requirements. Do, however, double check that you are not missing out on a benefit.

Solution by Roger Rawlinson, director of IT consultancy at NCC Group

Catch up with strategy clinic

Ask the experts

Computer Weekly has put together a panel of experts whose specialist knowledge you can draw on to solve a problem. E-mail your questions (or your solution to this question) to [email protected]

Next Steps

Aligning IT and compliance procedures is an increasing business priority 

Read more on IT governance