What is the upside of compliance? One consultant told me that compliance is great for his business. (“It’s like Y2K every year,” he explained.) But I’m convinced there are benefits for companies and customers as well—benefits that extend beyond keeping the CEO out of jail and off the front page.
You can find a wide range of estimates of the amount of time, money and resources required for corporations to comply with the Sarbanes-Oxley Act, HIPAA or emerging security regulations. I’ve seen estimates ranging from 2 to 10 percent of IT budgets being consumed by the compliance “tax,” as it has come to be known.
But if it is a tax, is there a way to make better use of those tax dollars within your company? I think so. The upside to compliance spending starts with taking a larger view of compliance. After all, you need some way to get a return on your investment, even if it was an investment that was forced on you and your company.
First of all, compliance shouldn’t be new to your company. The rules, regulations and procedures under which your company operates fall under the heading of compliance. But rules that carry penalties, such as those imposed by the government, are far more likely to be followed. The rules to which a company adheres are too often a hodgepodge of written and unwritten customs observed over time.
“What we should do is policy, and what we really do is practice,” said David Strauss, vice president of worldwide marketing and business development at Corticon Technologies.
Strauss contended that only about 5 to 10 percent of a company’s business rules and policies are automated. The reason for the low level of automation? The difficulty inherent in solidifying rules that change frequently and the traditional time lag between the need for rules change and getting those rules programmed into IT systems.
Strauss’ company is in the business of selling an easier way to build and maintain policies, but even with that bias in place, I think Corticon is on to something.
The discipline required to comply with external regulations and policies has a cost, but that same discipline applied to internal policies can have a benefit. Consider how often an approval process—for something as simple as replenishing a supply of pencils or as complex as a merger—is held up not for lack of approval but because it involves a mix of e-mail, phone calls and systems that simply don’t communicate with one another.
Developing a system that melds those business rules into an executive dashboard calls on all areas of company expertise. In the business world, banks probably win the award for confronting the most internal and external regulations.
Matt Feldman, chief risk officer at Federal Home Loan Bank of Chicago, is in the final stages of overseeing a project, based on technology from CXO Systems, to create an enterprise risk management executive dashboard. The project integrates technology with business processes, a move that is quickly becoming a hallmark of successful technology investment.
“It may be an overused expression, but we transformed data into information,” Feldman said. FHLB of Chicago is a large ($86 billion in assets) lender and purchaser of mortgages and securities, and it has to measure and monitor risk on a real-time basis both for internal operations and regulatory compliance.
“The dashboard forces us to get very, very focused on what really matters in the business. This is an enormously high-visibility project in this bank,” said Feldman.
While all that information used in the executive dashboard was already within the Chicago bank’s systems, it was contained in myriad resources not readily available.
The requirements for complying with federal, state and local regulations will become only more stringent. Companies that can find a way to take the effort associated with meeting those regulations and apply it to internal policy use will finally gain a full benefit from their compliance investment.
