For CIOs, a strong compliance stand can build boardroom credibility

Milwaukee, Wis. – Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, and other mandated fixes can strike fear into the hearts of technologists, especially when their organization is faced with an audit.
Yet compliance can be viewed as an opportunity for information technology directors to build credibility with upper management and, if they haven’t done so already, earn a seat in the boardroom. The cost and time consumed by compliance is the first thought that comes to people’s minds, but savvy CIOs tout the many business benefits of viewing compliance in a different light.
It’s somewhat counterintuitive to view compliance as an opportunity rather than a burden, an advantage and not a hassle, but those who do are likely to reap some important benefits, according to legal and technology experts. The attitude is linked to an emerging set of best practices, the need to protect directors, and the need to convince shareholders that financial reporting practices are sound.
For chief technologists, the link between compliance and technology provides an opening. “What they are trying to do is require companies to implement good controls from an IT perspective,” said Mark Garsombke, an attorney with Whyte Hirschboeck. “These are controls a company should have in place anyway.”
Enlightened cost-benefit analysis
That’s not always an easy sell when some large public companies are investing upwards of $3 million to comply with Sarbanes-Oxley, and even estimates released by the Securities and Exchange Commission put the average cost of compliance among public companies alone at $94,000.
French Caldwell, a vice president in Gartner Research, where he leads the compliance, governance and risk practice, said enlightened companies take the approach that compliance is an opportunity that forces them to improve their internal controls and the business processes around them.
Even unenlightened companies can go from kicking and screaming to recognizing that, in Caldwell’s words, “I cleaned up my room, and now I can find my toys.”
“I would say, initially, most of them take the approach that this is some other requirement that I have to meet,” he said, “but by going through the rigor of compliance with Sarbanes-Oxley and other ‘onerous’ regulations, they realize they got some process improvement out of it.”
In the more enlightened companies he cites, a compliance requirement leads to a more proactive approach to compliance, and it has a positive impact on information technology governance. Once a compliance program has been completed, Caldwell said it’s natural for chief technology officers to wonder, “What else should I be doing?”
The snowball effect could lead to examinations of the organization’s information technology infrastructure library or the International Conference on Information Systems’ security standards. A typical pattern is to start out reactive, see the benefits, transition to a proactive approach, and then focus primarily on IT governance rather than compliance, Caldwell said.
“Look, if you’ve got good governance, compliance should be better,” Caldwell said. “That’s the kind of progression I’ve seen in a lot more of the enlightened companies.”
Business value
In making the case for a different mindset on compliance, CIOs can point to various business benefits.
Reluctant CIOs must understand that in the wake of corporate scandals, there is more business peer pressure on companies to comply. Dan Welytok, an attorney for Whyte Hirschboeck, said the scrutiny boards of directors are under is an incentive for compliance.
“When a company has to comply, they work to put a positive spin on it, especially when the board of directors has to approve funding,” he said.
A proactive attitude toward compliance can also help a company in the following ways, Welytok said.
• Attract better board members because there is less opportunity for internal fraud, and the cost of compliance can be mitigated somewhat by lower insurance premiums for directors. “People asked to serve on a board will turn it down because of the liability they are exposed to,” Welytok said, “so compliance does have its advantages.”
• Reassure vendors, whose pressure also plays a role in achieving compliance even with privately held companies that are not subject to all of Sarbanes-Oxley’s provisions. These companies can be bolstered by compliance with “Sarbox” because their vendors will look at their practices and ask for information of interest to purchasers.
• Improve the company’s profile as an acquisition partner. Privately held businesses that want to consider joint ventures will want to do so with a partner that is Sarbanes compliant – even if it isn’t required.
Tools of compliance
Caldwell, whose research includes the analysis of compliance technologies, said there are existing technology products – accounting software, for example – that are not compliance tools per se, but that are relevant to compliance.
There are a few direct automated compliance tools, but in his view they still are early in the market and are relatively immature.
In the future, Caldwell said they are likely to have control automation features that reduce the current dependence on manual process controls.
One example is GRC (governance, risk, compliance) management software that helps get a handle on the documentation associated with compliance, and helps to align policies to controls. Other tools, such as segregation-of-duties software, fall into the controls management category.
In contrast, Welytok believes available software is mature enough to start moving away from manual controls, including software that automates SOX compliance and can go a long way to reduce costs associated with errors.
Focus on IT governance
No matter what automation tools are under consideration, looking at compliance as a way to improve IT governance is perhaps the best selling point.
“I don’t see compliance as an advantage,” Caldwell said. “I see taking a more proactive approach to IT governance as an advantage. If I can make IT relevant to the goals of the business, isn’t that what I’m supposed to be doing in the first place?”